Folks-

I'm getting interview requests on the (lack-of) privacy aspects on mobile phones and need some help formalizing my ideas. I've included an article on bluejacking (exploiting bluetooth to extract info from mobile phones) below, but what I'm really interested in is methods to turn on the microphone on a mobile phone without the owner's awareness. Has anyone done this or heard of an exploit to do this yet?

I can see three methods off-hand:

1) Bluejacking the phone, sending over a Java app, turning on the mic, and either
   a) sending the audio over bluetooth
   b) actually calling back the cracker's phone directly (either immediately or in a time-delayed fashion)
   c) storing the audio on the owner's phone and then uploading the data at a later time (with PDA cell phones with 4G flash cards, you could store a full year's worth of speech)

2) Having a Java (J2ME) trojan horse app on a website that, when the owner clicks on it, does variants of 1

3) The "service provider" remote downloads software "updates" that do the same thing as #1. (Does anyone have specific knowledge of service providers uploading software updates remotely?)
   a) because the service provider is being forced to do so by a government agency (e.g. in the US based on a subpoena using the FBI wiretap law, for example)
   b) because the service provider is actually a cracker who got the appropriate software update codes
   c) because the service provider just thinks this is a good idea for some reason (I can put together some pretty paranoid scenarios for this, but nothing that is really compelling yet)

(Note with some of these scenarios, the phone could actually look "off" because almost all phones use soft switches instead of actually disconnecting the power)

Other things I'm interested in are

1) When the mobile phone is off, exciting the phone at the carrier frequency, looking at the back scatter, characterizing the specific characteristics of the phone, and then using these as a unique signature so that I can use the phone like a passive RFID. I have a pretty good source that says this is actually being done now, but I can't use this info publicly. Anyone have a source I can quote or point to?

2) Using clusters of phones as phased array microphones. Sumit Basu did a phased array microphone based on mics in clothing where the topology was changing. Does anyone know if the math works well enough to do this on a room full of cell phones in people's pockets?

Thad

------------

Bluetooth May Put You At Risk of Getting 'Snarfed'

By JEREMY WAGSTAFF
Staff Reporter of THE WALL STREET JOURNAL
April 15, 2004; Page D3

If you spot someone tailgating you on the road or standing next to you wearing a backpack, then watch out: You may have been "snarfed." All the data on your cellphone, including addresses, calendars, whom you called and who called you, may now be in that person's computer.

Many cellphones use Bluetooth technology, which allows them to communicate wirelessly with other Bluetooth-equipped devices -- computers, personal-digital assistants and other cellphones. This means you don't need a cable, for example, to synchronize the address books on your laptop and your cellphone.

It is convenient, but that makes it possible for someone to steal your data, or even hijack your cellphone for their own purposes. Last year, London security consultant AL Digital spotted flaws in the way some Bluetooth cellphones swapped data with one another -- flaws that could be used to gain unauthorized access to everything stored on that phone without the user ever knowing. AL Digital's Adam Laurie, who discovered the problem, shared his findings with cellphone makers and with the public (leaving out the detail that might allow ne'er-do-wells to copy his experiments at street level). He termed the trick Bluesnarfing.

Not a lot has happened since then. Nokia Corp., the market leader in the cellphone industry, acknowledges the flaw but says in an e-mail response to questions that it is "not aware of any attacks against Bluetooth-enabled phones." Sony Ericsson, a joint venture of Telefon AB L.M. Ericsson and Sony Corp., didn't reply to an e-mail. Even those highlighting the danger say they haven't heard of specific attacks.

Still, these attacks -- also known as Bluejacking -- nevertheless are possible. Mr. Laurie cites a scenario in which paparazzi could steal celebrity data. He says he was able, with permission, to snarf from a friend's phone details of her company's shops, door codes and safe combinations. "There's any number of angles you can look at, and they are all bad as far as I can see," he says.

Martin Herfurt, a 27-year-old German student at Salzburg's Research Forschungsgesellschaft, last month set up a laptop at a technology trade fair in Hannover, Germany, and ran a snarf attack. He found nearly 100 cellphones from which he could have stolen data, sent text messages or even made calls. He has published his findings to prove that this kind of thing can be done easily.

How does it work? The attacker can use a Bluetooth-enabled laptop to discover other Bluetooth gadgets within range. Anything with Bluetooth activated and set to "discoverable" will show up, usually identified by its default device name. Being "discoverable" means your gadget is visible to anyone searching, but even if it isn't, an attacker still can find it, using software freely available on the Internet. The attacker then can use more software to take, delete, change or add data.

So what is a consumer to do? Turn off Bluetooth on your phone unless you really need it to communicate with your other gadgets. In most cases, phones that have Bluetooth will have prominently displayed the fact on the box the phone came in, or you can expect to find "Bluetooth" in the index of your phone's manual. Otherwise, the Bluetooth settings can usually be found in the "Communications" or "Connections" menu on your phone. More importantly, there shouldn't be anything on your phone that you don't want someone else to have.

Write to Jeremy Wagstaff at jeremy.wagstaff@feer.com

--- end forwarded text

-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'