
BlueCast or BlueSnarfed?

By Alex Walker

This morning I was browsing some of the more popular recent Del.icio.us links and came across a nice study in contrasts.

The first was this short YouTube presentation on the hottest and newest of hot, new technologies — Bluecasting: The proximity broadcasting system! The core of the system is a snazzy-looking, web-enabled, bluetooth broadcasting unit designed to be installed where “consumers might be likely to experience ‘dwell time’”. ‘Dwell time’ — all these years I’ve been oblivious to the fact that it even existed when, by all reports, I’ve actually been experiencing it for many years at the various train stations, airports, sporting facilities and retail strips I’ve encountered. To think I never even knew.

Once installed the BlueCasting system automatically locates any discoverable, bluetooth-enabled device within range (approx 100m) and then goes about offering it a selection of location-specific content, including but not limited to:

  • Images,
  • Audio,
  • Video,
  • Interactive Content
  • Games &
  • Retail offers

As a potential content creator for and consumer of this service, I thought ‘Hooray for bluetooth!’ and as the presentation faded to black, I flipped my phone to ‘discoverable’ — just in case I might stumble across one of these happy, magical lands.

Moments later, as is YouTube’s way, I was offered another video on a related subject — ‘Real Hustle Bluesnarfing’. A relatively convincing demonstration followed where a PocketPC user in a busy London station was able to easily locate discoverable Bluetooth devices with a known security flaw, and then take complete control of them in seconds.

Apart from the obvious privacy concerns of divulging your contacts, emails and SMS content to a malicious stranger, the real sting came when the scammer was able to make silent calls via the attacked phone to his own 1800 number — charged at £1.50/min. That could get very nasty very quickly.

At the end the experts shook their heads gravely and sternly advised “Never leave Bluetooth on when you’re not using it!”

‘Bad Bluetooth!,.. Bad!’ I thought and immediately switched mine back to non-discoverable.

  • http://www.sitepoint.com/ Kevin Yank

    …which begs the question, where do I go to find out about security vulnerabilities in my phone?

  • http://boyohazard.net Octal

    …which begs the question, where do I go to find out about security vulnerabilities in my phone?

    Indeed. Nothing obvious has come up on my search for my phone

  • Nadja

    Even though Bluetooth is a really cool feature, I only use it to connect with other devices. And I don’t think that I would press “Yeah, download this file right away, I don’t care about the sender”. I think this can be pretty annoying to many people – like pop-ups or spam mails.

    It would be much better (and more secure) to put up a big sign with a nice explanation of the service and let the user discover it instead of sending him messages without his permission or files he wouldn’t choose if he had a choice.

  • http://www.primeoutsourcing.com Ryechi

    That sounds alarming.
    I always leave my bluetooth device un-attended, innocently aware of the possibilities and existence of malicious strangers

  • Roger

    This is why solutions like Jellingspot and Nokia’s CoolZone are becoming more popular — because they’re client-server oriented … they don’t spam and content is legit. The only problem is people have to install a client-side application on their mobile device first, but it’s not that difficult.

  • http://www.sitepoint.com AlexW

    Roger, I’m not totally convinced that client-based apps are the answer either — unless one client was to become omnipresent, in the way Flash has. I think people would be a bit gun-shy about installing an app just to use services while they wait at a station. Who knows, the station at the other end might require a different client and I might need another client at the shopping mall.

    Ideally I think this stuff needs to be pretty transparent if people are going to use it. Perhaps an icon appears on your phone’s screen telling you there is a local bluetooth service available and asking you if you would like more information on it.

    Maybe there could be some kind of encrypted certificate system that could verify the legitimacy/ownership of any sort of service asking to connect.

    You would think it would be almost a no-brainer to publish bluetooth interactive/searchable maps for stations, malls, sports centers, etc.

  • BILL

    well as long as i am aware of this Bluecasting stuff offered by filter world wide (www.filterww.com & http://www.bluecasting.com), they are antispam .. and as i have observed if one rejects the message they do not send it again .. otherwise downloads just once and doesn’t prompt again … this technology is widely being used in stadiums, stations and airports around the world while till now it seems filter world wide is the only successful leading provider of the technology..BlueSnarfed and BlueCasting are totally two different things ..

  • http://www.sitepoint.com AlexW

    well as long as i am aware of this Bluecasting stuff offered by filter world wide (www.filterww.com & http://www.bluecasting.com), they are antispam .. and as i have observed if one rejects the message they do not send it again .. otherwise downloads just once and doesn’t prompt again … this technology is widely being used in stadiums, stations and airports around the world while till now it seems filter world wide is the only successful leading provider of the technology..BlueSnarfed and BlueCasting are totally two different things ..

    Bill, the point is, the BlueSnarf demonstrates the attacks are invisible — no prompt or action by the phone owner is required — did you actually watch the presentation? Security experts advise that the only foolproof protection against the attack is to not leave your phone’s bluetooth switched to ‘discoverable’.

    Bluecasting relies heavily on discoverable bluetooth.

  • David Johnson

    If an end-user sees the bluecast symbol and says to oneself, hey, I would like to find out more about that, then they would enable their bluetooth – get the info they need then turn it off.
    In my experience bluetooth does chew into the battery, this is a pain if you use your phone as much as my sister does.
