"I have stood at the RSA booth in conferences, with my phone paging for other devices, and watched other people's devices show up," said Magnus Nystrom, technical director of RSA Security. Many devices simply allowed access without demanding a "pairing" code, said Nystrom, and would have allowed him to examine the personal data of passers-by, or even to make calls with their phones.
Such phone calls (which might flippantly be described as warphoning) would be a serious breach. Not only could they add vastly to the victims phone bill, they could also allow the attacker to impersonate the victim. Using phone numbers from the victim's database, he could call people or businesses known to the victim, who might accept the call as genuine since it would come from the victim's own phone.
"That's scary," said Peter Laakkonen, principal at SecVen, a US-based security strategy advisor, and a speaker at the RSA Conference in Paris. "If people don't realise they have Bluetooth, they may be unaware of the possibility of this weakness. Other people could be impersonating them without their knowledge."
Most Bluetooth-enabled devices -- particularly those from leading brands -- appear to ship with security enabled. This includes all devices from Palm, iPaq, Ericsson and Nokia that have arrived in the ZDNet UK offices for review.
Work is underway to improve both authentication and encryption over Bluetooth links, according to Nystrom, who is concerned about weaknesses in Bluetooth, even when security is enabled.
Bluetooth, conceived as a cable replacement technology for linking devices within the user's field of view, was designed with a limited amount of security, but even the basic standard contains enough security features to eliminate this threat. Under Bluetooth's security specification, before two devices pair, the same code number must be entered into both of them.
Within phones, features such as address books and phone are set up as different services. Business card exchange is usually set up with no security, as this is data that you want public, but other services are not accessible from this one.
