Teething Troubles with Bluetooth?

August 31, 2004

Bluetooth is the industry name for a wireless standard protocol for short-range radio communications that enables devices (e.g. PDAs, mobile phones and laptops) to exchange information. The availability of Bluetooth-enabled devices and the use of Bluetooth are on the increase – so too it seems are the crazes and scares that accompany many emerging technologies.

The Problems

Bluejacking

One such craze spawned by Bluetooth technology – helped by the fact that it is free – is what has been dubbed “Bluejacking”. This is the sending of unsolicited messages anonymously via Bluetooth to nearby phones. You do not need to be an IT techie to do this, as is explained by a schoolgirl “Jelly Ellie” behind the Bluejacking website www.bluejackq.com

How do you Bluejack? Simply create a new contact in your mobile phone’s phone book, using the message you want to send as the name for the entry. On most Bluetooth phones it is possible to send this contact as a message or electronic business card. When sending this contact via Bluetooth, the phone searches for other Bluetooth-enabled devices nearby. The contact bearing its message can then be sent anonymously to any Bluetooth phones within range.

Whilst stories are told of bored commuters using Bluetooth phones to set up illicit meetings with strangers using messages sent via Bluetooth, Bluejacking could be a potential new outlet for marketing agencies. Given the need to be in relatively close physical proximity to Bluetooth-enabled devices to send the message, this is unlikely to attract spammers who prefer the convenience of sending messages to thousands of addresses at the touch of a button. It would be of more appeal to brand owners drawn to the idea of running some form of viral marketing campaign aimed at a target audience – those who own the latest mobile phone and who frequent public places such as shopping centres, pubs and clubs.

There is concern however that Bluejacking will create an environment which leaves mobile users susceptible to more sinister activities. Computer security experts have exposed flaws in Bluetooth technology that could lead to attackers gaining unauthorised access to a victim’s mobile device without their knowledge – an activity that has been labelled “Bluesnarfing”.

Bluesnarfing

Bluesnarfing is the Bluetooth wireless technology version of hacking. To Snarf means to grab a large document or file and use without the author’s permission (Webopedia.com). Use of Bluetooth-enabled devices could well follow the trend of WI-FI War Driving (in which people driving around with a laptop try to identify inadequately secured WI-FI networks).

It seems Bluesnarfers can exploit a flaw in how manufacturers have implemented the object exchange (OBEX) protocol, which is commonly used to exchange information between wireless devices. It was apparently a deliberate decision not to include authentication so that people could easily send business cards to each other. However, the problem is that other files can be transferred without permission.

Computer security experts who have discovered the flaws in the authentication and/or data transfer mechanisms on some Bluetooth-enabled devices, describe three specific vulnerabilities to attack (see www.thebunker.net/release-bluestumbler.htm):

· the “Snarf” attack, whereby an attacker can gain access to restricted portions of the stored data, including the entire phonebook, calendar and International Mobile Equipment Identity (IMEI), which uniquely identifies the phone to the mobile network, and is used in illegal phone ‘cloning’

· the “Backdoor” attack, which involves the attacker gaining access to the device and using any resource to which that device grants access, e.g. modems or Internet, WAP and GPRS gateways

· the “Bluebug” attack, whereby it is possible to use the phone to initiate calls, read and send SMS messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone.

Victims of unauthorised calls will rightly complain to their network provider that they did not make the calls. This may force mobile phone network companies to re-examine their billing security system to avoid running a system that cannot be trusted.

Of course mobile phone users will want to avoid unauthorised calls and messages being sent and received on their phones. Some people, however, may be only too glad to blame the Bluesnarfer as the reason to explain the unwanted text messages discovered on their mobile phone. Celebrity footballers take note.

Legal Remedies Available

Bluejacking

The arm of data protection law is probably not long enough to catch Bluejacking. The Privacy and Electronic Communications (EC Directive) Regulations 2003 govern “electronic mail”, which covers any text, voice, sound or image message sent over a “public electronic communications network”. A public electronic communications network is defined in the Communications Act 2003 as “an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public”. A message sent via Bluetooth is not sent over such a network.

Even if Bluejacking did fall within the Regulations, it is arguable that users of mobile phones with the Bluetooth function switched on impliedly consent to receiving messages and therefore the Bluejacker cannot be said to be processing personal data without permission.

Bluesnarfing

Under the Computer Misuse Act 1990, it is a criminal offence to gain unauthorised access to computer materials (s 1); gain unauthorised access with the intent to commit or facilitate commission of further offences (s 2); cause unauthorised modification of computer material (s 3). The Act does not define terms such as “computer” and program” which gives the courts freedom and flexibility in interpreting such terms to keep up with technological developments. The components making up the mobile phone should fall within the meaning of a “computer” – being generally considered to be a device that accepts information in the form of digital data and manipulates it for some result based on a program or sequence of instructions on how the data is to be processed. The act of Bluesnarfing should therefore be regarded as an offence under the Computer Misuse Act 1990.

To the extent that the Bluesnarfer modifies or copies (transiently or otherwise) any tangible information (eg software to carry out the attack) they may also be found to infringe the copyright in such information.

Publishers of information intended to enable or assist others to Bluesnarf, which involves circumvention of the technical devices applied to computer programs could themselves be liable under the Copyright, Designs and Patents Act 1988, s 296. Liability may also arise under s 296ZA in relation to circumvention of technology designed to protect copyright works other than computer programs.

Additionally, depending on the content of the data obtained and what is done with that data, the Bluesnarfer could face any number of legal suits – for example, for breach of confidentiality for the misuse or disclosure of confidential information, for infringement of copyright in the data and for infringement of database rights.

The types of legal claims against the bluesnarfer may be numerous, but how readily identifiable is the Bluesnarfer? Practically speaking, the only significant footprint likely to be left is a telephone number. The first time a victim is likely to suspect anything or find this information is on receipt of the monthly bill detailing the telephone number. A smart Bluesnarfer, however, will have used a pay-as-you-go mobile phone which they would have long since discarded and replaced, making it nigh on impossible to track down the culprit.

Preventative Measures

The fail-safe answer to avoid these attacks is simply to switch off the Bluetooth function. In this way no one will be able to access the device.

Some devices can be set to either “hidden” or “discoverable” mode. Devices in hidden mode are more difficult for a Bluesurfer to find, however, there are techniques to find devices even in hidden mode. It is also sensible to check the pairings in the Bluetooth pairings view and remove those pairings by performing a factory reset.

As the publication of information and tools to facilitate Bluesnarfing become increasingly available, users should upgrade any vulnerable devices and apply patches now being offered by some manufacturers for some devices.

Employers should bear in mind the seventh principle of the Data Protection Act 1998. This states that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. Employers should therefore give appropriate guidance to their employees on the use of its Bluetooth-enabled devices. Employers would also do well to check the comparative vulnerabilities of competing Bluetooth-enabled products when purchasing for their employees’ use.

Summary

The potential havoc that could be caused by Bluesnarfing is limited only by the attacker’s imagination and persistence. Despite there being laws in place to punish these attacks, the likelihood of identifying and tracking down the Bluesnarfer in practice is another matter. The key must therefore be to take the necessary preventative measures to avoid a possible attack in the first place. Whilst some manufacturers have taken steps and given guidance on how to reduce the risk of attack, network providers also should consider issuing guidance to their customers who may want to dispute their bills.

William Betts is a solicitor in the Media, Brands and Technology team at Lewis Silkin.