Bluesnarfing is a way of stealing information using an unsecured Bluetooth connection. Hackers exploit vulnerabilities in Bluetooth technology to get access to contacts, messages, pictures, videos, and passwords.
There is a popular joke making the rounds in the software community: Security consultants make their living by terrifying tech-ignorant managers about security issues and convincing them to pay hefty fees for protection!
Although many security concerns are gimmicks, some are truly dangerous and need to be dealt with seriously. One such security threat is bluesnarfing, which relies on Bluetooth networks to steal data and breach privacy.
What is bluesnarfing?
To put it simply, bluesnarfing is a way of stealing information using an unsecured Bluetooth connection. Hackers exploit vulnerabilities in Bluetooth tech to break into Bluetooth-connected devices like mobiles, laptops, personal digital assistants, etc. Using bluesnarfing, cybercriminals can potentially get access to personal data like contacts, messages, pictures, videos, and even passwords from the device of their victim!
Bluesnarfing vs bluejacking
Bluesnarfing is a more severe form of another Bluetooth-hacking technique called bluejacking. In bluejacking, unsolicited SMSes are sent using unsecured Bluetooth connections, but with bluesnarfing, much more sensitive personal data is at stake.
Depending on the class of Bluetooth the device has, some bluesnarfing attacks can be conducted from as far as 300 feet away from an unsuspecting victim. That’s tantamount to getting hacked by someone sitting on the 20th floor of a multistoried building while you are relaxing on the first floor! Some skilled hackers can even hijack a victim’s phone to call someone—which could have dreadful ramifications.
How is a bluesnarfing attack carried out?
The crux of staging a bluesnarf attack lies in the vulnerability associated with the OBEX (OBject EXchange) protocol, which Bluetooth uses to exchange information wirelessly. OBEX has an inherent security flaw, which is what hackers exploit.
Leveraging a sophisticated bluesnarfing tool like Bluediving
When a device is using Bluetooth without authentication enabled and is set to ‘discoverable’, hackers have an easy way in. Hackers then use sophisticated tools like Bluediving to get access to the victim’s personal information. It goes without saying that all of this is done without the victim knowing that his or her phone’s data is being swindled.
Exploiting the inherent vulnerability of the OBEX protocol
The problem is that the original developers of Bluetooth technology consciously kept the OBEX protocol open, i.e., without authentication policies in place (like asking for a PIN and/or a pairing request). They did so because Bluetooth was developed with the intent of sharing digital business cards.
The whole purpose was to make the sharing of business cards easy using wireless connectivity (Bluetooth). These business cards weren’t really sensitive data, so developers opted for the convenience of sharing and overlooked security, which is why bluesnarfing gained traction.
What data is at stake in the event of a bluesnarf attack?
A successful bluesnarf attack is unlikely without a laptop, a Bluetooth dongle, and knowledge of special tools and scripting.
So, in short, it requires a professional to pull this off.
Considering that the end result of these attacks is usually the theft of valuable data in the form of contacts, messages, pictures etc., such attacks are often part of larger shady data theft businesses. They basically sell this data to interested parties, usually on the dark web.
Believe it or not, even a reputed tech giant resorted to this kind of pernicious activity! In 2013 Google was found guilty of collecting data from unprotected wireless networks. This pilfering of data was done by special devices installed in Google’s Street View cars. During the trips, these cars would scan for unsecured wireless networks and then collect sensitive data, such as email with passwords (without consent). Google had to pay 7 million dollars for this misconduct.
While this wasn’t a case of bluesnarfing, per se, the modus operandi and intent were similar. Instead of discoverable open Bluetooth, these Street View cars were in quest of unsecured Wi-Fi networks to slyly elicit crucial data from them.
Another worrisome thing about bluesnarfing is that skilled intruders can even get access to phone calling capabilities, meaning that the intruder can use the mobile number and network of the victim to call someone. This is where bluesnarfing attacks become even more spiteful. They can potentially be used by terrorists to send intimidating calls without revealing their true identities. Similarly, kidnappers can resort to this technique to camouflage their identity while asking for ransom from the victim’s family.
Should you be worried about bluesnarfing?
Fortunately, with subsequent updates in Bluetooth technology, the loophole of the missing authentication process was fixed.
You have likely noticed that smartphones and other Bluetooth-enabled smart devices now come with built-in authentication, which has made it increasingly difficult for hackers to launch bluesnarfing attacks. This authentication is in the form of a pairing request followed by a request to type your PIN or password for establishing the connection.
A final word
With the ever-rising number of connected devices, the instances of cyberattacks to gain illegitimate access are also on the rise. The easiest way to safeguard from bluesnarfing is to keep your Bluetooth off when it is not needed.
Since smartphones these days come with built-in authentication, bluesnarfing attacks are on the decline. However, if you have a really old mobile with a Bluetooth feature, you should keep your mobile on non-discoverable/hidden mode for more security. Never accept Bluetooth pairing requests from unknown devices.
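The checks above (Bluetooth on, discoverable mode, OBEX services on offer) can be audited on a Linux machine. This is an added example, not part of the original article: it assumes the BlueZ stack and the text format printed by `bluetoothctl show`, and the sample output and function names are constructed for illustration.

```python
import re

# OBEX profile UUIDs (Bluetooth SIG assigned numbers, 128-bit form).
OBEX_UUIDS = {
    "00001105-0000-1000-8000-00805f9b34fb": "OBEX Object Push",
    "00001106-0000-1000-8000-00805f9b34fb": "OBEX File Transfer",
}

# Constructed sample of `bluetoothctl show` output (not from a real device).
SAMPLE = """\
Controller 00:11:22:33:44:55 (public)
    Name: old-laptop
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    Pairable: yes
    UUID: OBEX Object Push          (00001105-0000-1000-8000-00805f9b34fb)
    UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
"""

def parse_controller(text):
    """Return (settings, advertised service UUIDs) from `bluetoothctl show` text."""
    settings, uuids = {}, []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.*)", line)
        if not m:
            continue  # e.g. the "Controller <address>" header line
        key, value = m.groups()
        if key == "UUID":
            found = re.search(r"\(([0-9a-fA-F-]{36})\)", value)
            if found:
                uuids.append(found.group(1).lower())
        else:
            settings[key] = value.strip()
    return settings, uuids

def audit(text):
    """List settings worth reviewing; empty when the radio is powered off."""
    settings, uuids = parse_controller(text)
    if settings.get("Powered") != "yes":
        return []  # Bluetooth off: nothing is reachable over the air
    findings = []
    if settings.get("Discoverable") == "yes":
        timeout = settings.get("DiscoverableTimeout")
        # In BlueZ a timeout of 0 means the adapter stays discoverable forever.
        forever = timeout is not None and int(timeout, 16) == 0
        findings.append("discoverable with no timeout" if forever else "discoverable")
    findings += [f"advertises {OBEX_UUIDS[u]}" for u in uuids if u in OBEX_UUIDS]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real machine, pass the text printed by `bluetoothctl show` to `audit()` instead of `SAMPLE`. An advertised OBEX service is not a flaw on a stack that enforces pairing; the finding is a prompt to confirm the service is actually needed.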
Although cyberattacks like bluesnarfing are scary, you can protect your mobile and data by staying alert and informed about basic digital safeguards!