In the 1980s, the Filofax revolutionised the way business people organised their lives. Contact numbers, diary details, memos, intimate thoughts and pictures of loved ones were all tucked between those leather covers — and there was much
Schadenfreude when yuppies lost them.
Fast-forward 20 years and we are doing it again. Today’s mobile phones have the capacity to store exactly the same kind of information. Loss is still a risk and in recent weeks The Times has proved that your new electronic personal organiser can be spied on by your worst enemy without the phone leaving your pocket. Some mobiles can even be used to bug you.
The problem is caused by flaws in the security of wireless technology. This enables your phone to communicate with your computer and hands-free headsets without the need to attach unwieldy cables.
The world’s leading electronics companies got together several years ago and agreed to make all their systems compatible under a standard called Bluetooth. Last November a British computer security specialist, Adam Laurie of AL Digital, became concerned when he realised all his staff were using the system and he decided to check if it was secure. What he found has sent ripples through the telecomms community.
He identified flaws and wrote a program to exploit them using a laptop and wireless antenna known as a “dongle”. In tests observed by The Times, which involved consenting mobile phone users, he was able to access certain phones to read, copy and edit the phone books, text messages, calendars and pictures stored in handsets. He was also able to instruct phones to call him back secretly, opening connections that allowed him to listen in on conversations taking place near handsets. And all at the owner’s expense.
Laurie and a German expert who also discovered the flaws, Martin Herfurt of Salzburg Research Forschungsgesellschaft in Austria, are the only people thought to have found ways to exploit the flaws, but they are concerned that unscrupulous progammers are not far behind.
The models that Laurie claims are most vulnerable are Nokia’s 6310, 6310i, 8910 and 8910i; and the Ericsson T610. These are the most popular phones in the country. Nokia’s 6310s are known as “the businessman’s phone”. Both companies admit that there are problems and say they are working on solutions but they are not all in place yet. Meanwhile, millions of potentially vulnerab le phones remain in circulation.
The tests, watched by The Times in the Central Lobby of the Palace of Westminster and at the headquarters of some of the country’s biggest companies, found an average of one phone a minute that could have been attacked. The phones were not attacked to avoid breaching the Computer Misuse Act. Although the industry claims that Bluetooth radio signals work over just 10m (nearly 33ft), Laurie was receiving positive signals through walls and windows up to 90m away.
One of the most disturbing applications of the attacks — known among hackers as bluesnarfing — is the ability to track individuals without their knowledge.
Commercial systems, licensed by the telecomms regulator Ofcom and available on the internet, allow the tracking of phones for businesses to keep tabs on their workers or for concerned parents to locate their children. The system only works with the permission of the handset owner, who is first sent a text message asking for such consent.
Laurie is able to set up an account and divert the consent text message to a phone of his choice. Once he returns a text consenting without the owner’s knowledge, he can view their whereabouts 24 hours a day on the internet.
Nokia admits that there are problems with its 6310s and 8910s and says it is working on a solution that will be available to users from this summer. Sony Ericsson says it has cured the text message and divert problems in new phones, but phone lists, calendars and pictures can still be accessed. It promises a cure in the second half of the year.
Meanwhile, handset users should go to their supplier to ask for software security upgrades to be installed.
However, there is only one sure way to be certain that your phone is safe — switch off the Bluetooth facility. This solution will infuriate consumers who bought phones simply because they had such a useful tool. But if using it enables your rivals to see your contacts and diary arrangements and to bug and track you, switching off is the price you will have to pay for complete security.
