Cogito, ergo sum... (I think, therefore I am)

Monday, January 31, 2005

Bluesnarfing: A first person's perspective...

I've heard a lot about bluejacking, bluesnarfing and bluebugging. Bluejacking is pretty harmless, because it consists of sending messages via bluetooth. But bluesnarfing (discreetly copying data from a mobile phone through bluetooth) and bluebugging (initiating phone calls from another bt-enabled phone, again discreetly) are really sinister. There are a lot of papers available that discuss these attacks, but until now all I had was an audience's perspective. I had never seen what it really looks like. Until now.
I have a Nokia 6600 smartphone, and I'm used to downloading odd apps and trying them out. I saw an app called Blooover, and thought it's pretty interesting so I loaded it up. The home page says:
"Blooover is a proof-of-concept tool that is intended to run on J2ME-enabled cell phones that appear to be comparably seamless. Blooover is a tool that is intended to serve as an audit tool that people can use to check whether their phones and phones of friends and employees are vulnerable."

Pretty interesting stuff! I tried it on my sister's Nokia 3660, and friend's 3650's and 6600's, but it didn't work. Kept saying that the phones are not vulnerable to this attack. I promptly forgot all about the app. Yesterday, I was at a conference at a local 5-star hotel, and just happened to do a bluetooth scan to find out what phones in my vicinity have bluetooth enabled. I saw a few T610's, T630's and K700i's, along with a few 6600's, a 3650, and 2 6310i's. The 6310's are really old bluetooth-enabled mobiles from Nokia, and I happened to remember reading that they were vulnerable to bluesnarfing. So I decided to fire up Blooover and give it a whirl. Imagine my surprise when Blooover started giving me visual cues that the bluesnarf was proceeding successfully! It managed to get all the contacts in phone memory, all the contacts in the SIM card, all call logs (missed, dialled and received calls), all SMS (some were garbled with weird characters, but some of them even had his bank name, branch, account number and balance!). Blooover also managed to add a phone-entry of my own choosing, set the call forward to a default number, and initiated a call to another default number. Now that was amazing! I have all the logs with me. Blooover doesn't provide a way to save the log, but I turned on the screenshot feature of FExplorer, and took screenshots to save the whole data. I'm not willing to reveal it, as it contains personal information, but I felt scared and elated at the same time. I tried it on another Nokia 6310i, with the same results!
As I said in my last post about Google's revealing webcam searches, everything is inherently insecure. Any person with enough knowledge (or as in my case, little knowledge, but the right tools) can get in. Data that you think is safe and secret may not be so.

22 Comments:

  • Can you please tell us how you install Blooover? I can't get it to work on my 7610. Where do I stick the files and folders?
    Thanks

    By Anonymous Anonymous, at 1:32 AM  

  • I simply downloaded the Blooover java archive from this address: http://trifinite.org/Downloads/Blooover.jar
    Sent it to my phone, and opened the received message. This prompted me to install the program and I did. That's all there is to it. If you're still having problems, please do let me know.

    By Blogger Khurram, at 10:48 AM  

  • When I install it, it says invalid file. How to install jar file?

    By Anonymous Anonymous, at 5:43 PM  

  • I have got the Blooover file, but how can I send it to my phone using bluetooth on my comp?

    e-mail me on c1jty@hotmail.com

    cheers

    By Anonymous Anonymous, at 11:51 PM  

  • It's simple: just download it, change the name to .jar at the end instead of .zip, then send to your phone, install it, activate bluetooth, then open.

    By Anonymous Anonymous, at 9:16 PM  

  • I need help big time. I have a 6230i and I have put the things on my phone, but I can't access them! HELP PLEASE! (KIEWEE123@GMAIL.COM)

    By Anonymous Anonymous, at 2:46 PM  

  • I have the new Samsung E720 and Nokia 6230i... I've tried to install Blooover onto each phone but it will not let me. It says file format not supported, although it is .jar. What should I do? Thanks, lukoz

    By Anonymous Anonymous, at 5:10 PM  

  • ^^^^^^^ Get back to me at chilling_lukoz@hotmail.com if you know how to help me.
    Thanks, lukoz

    By Anonymous Anonymous, at 5:11 PM  

  • I've got a Nokia 6230 and I'd like to know how to install it via bluetooth... chronox22@hotmail.com

    By Anonymous Anonymous, at 1:41 AM  

  • Hmm, been trying to get Blooover going with very limited success, but it's fun.
    I will note your phone models down and give it a try later.
    Thanks
    sircolin

    By Anonymous Anonymous, at 11:09 PM  

  • Hey... I can't get Blooover to work on my Nokia 6230. It says file of an unsupported type... please help!

    By Anonymous J, at 1:46 PM  

  • I downloaded it a while back with no problems. I got the exact same result you got when it was activated. Complete phone book, calendar, note book, SMSs, the lot. It's kind of freaky what u can get and makes u think how safe u really are. Most of the information I got was useless to me, but imagine getting this kind of stuff from someone important. Hmmm, worked a treat for me. I sit in heavy traffic and scan for bluetooth all the time just to see who's dumb enough to leave it on. I advise that if you're not using your bluetooth, TURN IT OFF.

    By Anonymous Anonymous, at 4:52 PM  

  • I downloaded Blooover but it only audits the phone and then stops the process, and only tells me whether the phone is vulnerable to some attacks or not, and does not actually get me their phonebook entries and SMS and other stuff.
    Why is it so??

    By Anonymous Anonymous, at 6:48 PM  

  • Hi, I have Blooover and have audited a few phones successfully, but I was wondering how to change the predefined call forward number and the voice call number to one of my own numbers. If you can help, please reply. Thanks

    By Anonymous Anonymous, at 5:09 AM  

  • What's the best model of phone for Blooover to work on, or does it work on most bluetooth phones? Thanks

    By Anonymous Anonymous, at 9:13 PM  

  • Please help! Been trying to put Blooover on my Samsung D600 all day, can't do it. Please, someone help me!

    By Anonymous Anonymous, at 2:54 AM  

  • I cannot get Blooover to open on my Evo. Can someone help?

    By Anonymous Anonymous, at 7:40 AM  
