Now this may all sound far-fetched and the stuff of Hollywood spy movies, and, indeed, it has been called just that by some observers and members of the telecoms industry. However, independent tests and field trials have shown over and over again that significant numbers of devices are out there, in the wild, and totally vulnerable. My own tests have shown that it is more or less impossible to be out of range of a Bluetooth-enabled device when in any densely populated area of the UK, and similar data exists for other parts of Europe. Of these devices, many of the older (but most popular) mobile phones are vulnerable, and these number in the hundreds of thousands if not millions. Again, my tests showed that during the evening rush hour on the London Underground, I was seeing a new potentially vulnerable device once every 10 seconds.
Having said all that, it's not all doom and gloom. The industry as a whole, and the Bluetooth SIG in particular, seem to be cleaning up their act and addressing the problems. The SIG have initiated a program of security testing at their regular “Unplug Fests” (the forum in which manufacturers get together to perform interoperability tests) and have raised the profile of security within their own roadmap and specification program to ensure that these issues are at the forefront of manufacturers' and developers' minds in the future.
It seems that the handheld, and, in particular, the mobile phone industry, is going through the same painful process the software industry went through at the outset of the Internet. Suddenly, what was a very closed industry has opened its doors to the masses, who are free to poke around in their technology, and do not need to abide by the rules. In the early days of the Internet, the standard response to a security problem was to deny everything and hope it went away. Now they tend to work with the (hopefully ethical) hacker that first found and reported the problem, and release fixes as soon as possible. Let's hope the embedded device guys learn from this quickly, and get the infrastructure in place to do the same. Indeed, the response of the SIG is certainly a step in the right direction.