BLUESNARFING-Another Hacking Technique

Bluesnarfing-Mobile Hacking

What is Bluesnarfing?
Ans:Bluesnarfing is the unauthorized access of information from a wireless device through a bluetooth connection, often between phones, desktops, laptops, and PDAs that allows access to calendar, contact list, emails and text messages, and on some phones users can steal pictures and private videos,from Mobile or any other bluetooth device.


Watch video for Bluesnarfing




BlueSnarf exploits weak OBEX implementation on mobile phoneBlueSnarfexploitsweakOBEXimplementationonmobilephonesOPP: Object push profile, unauthorised access, for vCardOPP:Objectpushprofile,unauthorisedaccess,for vCardsSYNCH: Profile for exchange of private dataSYNCH:ProfileforexchangeofprivatedataCalendar, contacts, pictures, …Calendar,contacts,pictures,…Authorised access!Authorisedaccess!.Adv connects to OBEX push profileNo authentication, no pairing needed .invisible connection .In vulnerable implementations:.SYNCH profile exists parallel to OPP .Adv: retrieve files via filenames .Unauthorised, via OPP profile !!! .e.g. GET telecom/pb.vcf (contacts) Bluetooth being short range technology: NO security feature!

Method
In order to perfom a BlueSnarf attack, the attacker needs to connect to the OBEX Push Profile (OPP), which has been specified for the easy exchange of business cards and other objects. In most of the cases, this service does not require authentication. Missing authentication is not a problem for OBEX Push, as long as everything is implemented correctly. The BlueSnarf attack connects to an OBEX Push target and performs an OBEX GET request for known filenames such as 'telecom/pb.vcf' for the devices phone book or 'telecom/cal.vcs' for the devices calendar file. (There are many more names of files in the IrMC Specification). In case of improper implementation of the device firmware, an attacker is able to retrieve all files where the name is either known or guessed correctly.