Bluesnarfing: A first person's perspective...
I have a Nokia 6600 smartphone, and I'm used to downloading odd apps and trying them out. I saw an app called Blooover and thought it was pretty interesting, so I loaded it up. The home page says:
Pretty interesting stuff! I tried it on my sister's Nokia 3660, and friend's 3650's and 6600's, but it didn't work. Kept saying that the phones are not vulnerable to this attack. I promptly forgot all about the app.
Yesterday, I was at a conference at a local 5-star hotel, and just happened to do a Bluetooth scan to find out what phones in my vicinity have Bluetooth enabled. I saw a few T610's, T630's and K700i's, along with a few 6600's, a 3650, and 2 6310i's. The 6310's are really old Bluetooth-enabled mobiles from Nokia, and I happened to remember reading that they were vulnerable to bluesnarfing. So I decided to fire up Blooover and give it a whirl.
Imagine my surprise when Blooover started giving me visual cues that the bluesnarf was proceeding successfully! It managed to get all the contacts in phone memory, all the contacts in the SIM card, all call logs (missed, dialled and received calls), and all SMS (some were garbled with weird characters, but some of them even had his bank name, branch, account number and balance!). Blooover also managed to add a phone-entry of my own choosing, set the call forward to a default number, and initiate a call to another default number. Now that was amazing!
I have all the logs with me. Blooover doesn't provide a way to save the log, but I turned on the screenshot feature of FExplorer, and took screenshots to save the whole data. I'm not willing to reveal it, as it contains personal information, but I felt scared and elated at the same time. I tried it on another Nokia 6310i, with the same results!
As I said in my last post about Google's revealing webcam searches, everything is inherently insecure. Any person with enough knowledge (or as in my case, little knowledge, but the right tools) can get in. Data that you think is safe and secret may not be so.