Bluesnarfing is the theft of information through Bluetooth. Hackers do it by sneaking into mobile devices—smartphones, laptops, tablets, or personal digital assistants (PDAs) whose connection has been left open by their owners. It implies exploiting Bluetooth vulnerabilities in order to grab such data as text or email messages, contact lists, and more.

It’s easy to become a victim of a bluesnarfing attack if you have the habit of using Bluetooth in public places and your phone is usually in discoverable mode.

Other interesting terms…

Read More about “Bluesnarfing”

What is bluesnarfing

Cybercriminals can perform the bluesnarfing attack on a device even when it is 300 feet away. What they can steal by doing so is mindblowing and quite scary. They can practically copy the entire content of your phone or device, including your emails, contact list, phone number, passwords, and your pictures. Some bluesnarfing attackers use the victim’s phone to call long distance, leaving its owner with a huge telephone bill. All these happen without the victim’s knowledge, of course, and so attacks can go on for a long time.

Perhaps the most widely known bluesnarfing case was that performed by Google back in 2013. The tech giant admitted that it collected data from unencrypted wireless networks, which is bluesnarfing in its raw form. Among the information obtained were emails and passwords. As a result, Google paid a settlement amounting to US$7 million.

How Is Bluesnarfing Done?

To understand how this attack is done, it’s important to first know how Bluetooth works. Devices that are Bluetooth-capable communicate with each other using the so-called Object Exchange (OBEX) protocol.

The OBEX protocol has inherent security vulnerabilities that attackers can exploit using tools such as Bluediving. With it, attackers can look for Bluetooth-enabled devices and pair with these without their owners’ knowledge. 

If they have programming skills, the attackers can create their own bluesnarfing tool. However, even those who don’t know how to code can still use bluesnarfing to steal data. There are ready-to-use attack tools available online. There are also bluesnarfer-for-hire services that they can employ.

History of Bluesnarfing

Researcher Marcel Holtmann first discovered bluesnarfing. However, it became publicly known when Adam Laurie of A.L. Digital disclosed a vulnerability on a blog. He found the bug in November 2003 and wanted to let the manufacturers of Bluetooth devices know about it immediately.

At present, both black- and whitehat hackers can easily access bluesnarfing tools and services on the Dark Web. All they initially need is a downloadable penetration-testing utility such as Bluediving. This tool identifies if a device is susceptible to bluesnarfing attacks. Once it finds that a device is vulnerable, the hacker can do any of the following:

  • Perform a bluesnarfing attack on his own if he has enough programming skills 
  • Hire a bluesnarfing attacker
  • Get code snippets from websites that teach bluesnarfing

As you can see, it’s not that hard to launch bluesnarfing attacks. Want to know how to stay safe from them? Read on then.

How Do You Prevent Bluesnarfing?

Since the attack relies on Bluetooth connections, the most logical and safest way to counter it is by turning off your device’s Bluetooth feature when it’s not in use. Below are other best practices to avoid becoming a victim of this attack:

  • Use a personal identification number (PIN) that has at least eight characters so it will be harder for attackers to crack.
  • Take advantage of your phone’s security features, such as two-factor authentication (2FA). That way, your approval is needed for all connection requests.
  • Do not accept pairing requests from unknown devices.
  • Turn off your phone’s discovery mode to make it invisible to unknown devices.

What You Need to Remember about Bluesnarfing

Any form of theft is scary, and these days, digital theft is alarmingly rampant. Bluesnarfing is just one of the many methods by which attackers can steal your sensitive and confidential data.