Jacking and snarfing

After last month’s foray into the world of Bluetooth devices and profiles, this month I’ll try to allay a few fears, dispel a few myths and correct some common misapprehensions about Bluetooth hacking. To believe the tabloids, if you walk into a busy pub or mainline railway station, some scrote with a PDA will remote-control your phone and dial expensive premium-rate numbers on it. And for once the tabloids have it right – this can, indeed, happen, but only in a very limited set of circumstances.

The first thing to note is that what I’ve just described is properly called “bluesnarfing”, although most press reports of Bluetooth abuse prefer the term “bluejacking” because it sounds more sensational by association with hijacking and carjacking. Bluejacking is merely using Bluetooth to pop up a message on someone else’s phone, generally pretty harmless and legal unless it’s employed to harass or send distressing messages. It simply makes use of the “beam contacts” facility that exists somewhere in the menu structure of most mobile phones. It was once thought that “beam contacts” would replace the exchange of business cards at meetings, but it never really caught on. Bluejacking only works because many phones have Bluetooth switched on by default, are discoverable and have beamed contact reception enabled.

It’s really simple to bluejack. Here’s how you’d do it with a Windows Mobile 6 Smartphone device (my current favourite still being the HTC S710 with its slide-out keyboard):

From the Start menu select the Contacts application.

Create a new contact, whose name is the message you want to display on the other party’s phone. You’ll also need to assign it a number (something like 123 or 555 will usually work).

Go back to the main contacts list and highlight this new contact.

Press the menu key, select Send Contact and then Beam.

The phone will now look for all discoverable Bluetooth devices nearby and gradually build a list of them onscreen. At first, it will say Unknown Device, then a few seconds later it will show their device ID.

Select the devices you want to send to and then Beam.

Your contact details (and thus your message) will be sent to the remote phone.

Note that some phones will ask for permission before accepting the beam, while others will just display it along with the number you chose.
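Seen from the receiving side, a beamed contact of this kind arrives as a vCard whose name field carries the message and whose number is a short filler. The following Python sketch is an added example, not code from the article. It parses a received vCard and lists the traits that give a bluejack away. The thresholds, function names and sample cards are assumptions constructed for illustration.

```python
import re

# Thresholds are assumptions chosen for illustration, not values from the article.
MAX_NAME_WORDS = 3     # personal names rarely run past three words
MIN_PHONE_DIGITS = 5   # filler numbers such as 123 or 555 are shorter than this

# Constructed sample cards: one shaped like the beam described above, one ordinary.
BEAMED = "BEGIN:VCARD\r\nVERSION:2.1\r\nN:;You have been bluejacked!\r\nTEL;CELL:123\r\nEND:VCARD\r\n"
GENUINE = ("BEGIN:VCARD\r\nVERSION:2.1\r\nN:Smith;Jane\r\nFN:Jane Smith\r\n"
           "TEL;WORK:+44 20 7946 0000\r\nEND:VCARD\r\n")

def parse_vcard(text):
    """Return {'name': str, 'tels': [str]} for a single vCard."""
    # Unfold continuation lines (a line starting with space or tab continues the last).
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    card = {"name": "", "tels": []}
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        prop = key.split(";", 1)[0].strip().upper()  # drop parameters such as ;CELL
        if prop == "FN":
            card["name"] = value.strip()
        elif prop == "N" and not card["name"]:
            # N is Family;Given;Additional;Prefix;Suffix, so join the non-empty parts.
            card["name"] = " ".join(p.strip() for p in value.split(";") if p.strip())
        elif prop == "TEL":
            card["tels"].append(value.strip())
    return card

def bluejack_indicators(card):
    """Return the reasons a received contact looks like a message, not a person."""
    reasons = []
    name = card["name"]
    if len(name.split()) > MAX_NAME_WORDS:
        reasons.append("name has more words than a typical personal name")
    if re.search(r"[!?]|https?://", name, re.I):
        reasons.append("name contains message punctuation or a URL")
    digits = [re.sub(r"\D", "", t) for t in card["tels"]]
    if digits and all(len(d) < MIN_PHONE_DIGITS for d in digits):
        reasons.append("only filler-length phone numbers")
    return reasons

if __name__ == "__main__":
    for label, raw in (("beamed", BEAMED), ("genuine", GENUINE)):
        print(label, bluejack_indicators(parse_vcard(raw)))
```
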

That’s bluejacking, but what about bluesnarfing? That’s a much nastier business. Rather than simply sending messages from one phone to another, it exploits a flaw in some Bluetooth implementations to actually grab data from the remote phone (like its address book, or copies of all the text messages stored on it), and can even take control of the remote phone to initiate calls or send SMS messages. Sounds scary and indeed it is, as well as being almost certainly illegal in the UK, since it will fall foul of the Computer Misuse Act 1990. An episode of the BBC3 programme The Real Hustle demonstrated this Bluetooth hacking in action, and if you search YouTube you should be able to find a copy – notice that the voice-over again uses the term bluejacking, when what they’re really doing is bluesnarfing.

There are a few things the programme didn’t make clear. First, if you watch closely, you’ll see it wasn’t just any old PDA they were using but a Nokia 770. Why so? Because it runs Linux, and pretty much all the bluesnarfing tools released to date will only run under Linux. There are a few hacks that run on other platforms, but in general these list only susceptible devices nearby rather than giving full control over them.
