iPhone Web Dialer Might Be Risky

by Tyler Knott Gregson | July 18th, 2007

Man, right when you think a technology is cool, something happens and, before you can even blink twice, it’s exploited and some bad person somewhere has figured out a way to turn it against you. We’ve talked about it before with BlueSpamming, BlueSnarfing and the like, and now I just found out that the altogether hip, altogether now Apple iPhone isn’t immune to stuff just like this.

I just read an article that packs a pretty serious security warning for all you Apple fans out there drooling over your touchscreens… Apparently, a feature that allows you to simply tap a phone number on a displayed web site, called a Web Dialer, is totally open to some pretty scary stuff. The article mentions that “hackers can exploit this feature by redirecting calls to expensive 900 numbers or mount personal attacks by spying on the numbers dialed.” Yikes. So while you think you’re dialing the number of a pizza joint, what’s really going down is you’re dialing some crazy Escort Service in Budapest and being charged for it. Not only that, they can learn who you call, when you call them, and, knowing the lengths these morons go to, a whole lot more information you’d never want out. Not fun.

Here, for your viewing pleasure, are a few more fun things they could do to you (not to make you even sicker about this):

  • “redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing;
  • tracking phone calls placed by the user;
  • manipulating the phone to place a call without the user accepting the confirmation dialog;
  • placing the phone into an infinite loop of attempting calls — the only escape is to turn off the phone; and
  • preventing the phone from dialing.”
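The first item on that list, a link that shows one number but dials another, is something a site owner or reviewer can check for in a page’s HTML. The Python below is an added example, not code from the article or from this blog: it collects every `tel:` link, compares the digits shown to the user with the digits actually dialed, and flags links that dial a 900 number. The sample HTML and the 900-prefix rule are constructed here for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from any real site). Link 1 is honest; link 2
# displays the pizza place's number but dials a 900 number; link 3 openly
# dials a 900 number; link 4 is not a tel: link and must be ignored.
SAMPLE_HTML = """
<p>Order from <a href="tel:+15551234567">(555) 123-4567</a></p>
<p>Pizza Palace: <a href="tel:+19005550199">(555) 123-4567</a></p>
<p>Support: <a href="tel:1-900-555-0100">1-900-555-0100</a></p>
<p>Contact: <a href="mailto:someone@example.com">someone@example.com</a></p>
"""

# Illustrative rule: the article singles out 900 numbers as the costly ones.
PREMIUM_RATE_PREFIXES = ("900",)


def normalize_digits(number):
    """Reduce a number to digits so '(555) 123-4567' and '+15551234567'
    compare equal; a leading US country code 1 is dropped."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


class TelLinkParser(HTMLParser):
    """Collect (href, visible text) for every <a href="tel:..."> on a page."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith("tel:"):
                self._href = href
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_tel_links(html):
    """Return one finding per suspicious tel: link: the href, the text the
    user sees, the digits actually dialed, and why it was flagged."""
    parser = TelLinkParser()
    parser.feed(html)
    parser.close()
    findings = []
    for href, shown in parser.links:
        target = normalize_digits(href[len("tel:"):])
        displayed = normalize_digits(shown)
        reasons = []
        if displayed and displayed != target:
            reasons.append("displayed number differs from dialed number")
        if target.startswith(PREMIUM_RATE_PREFIXES):
            reasons.append("dialed number is premium-rate (900)")
        if reasons:
            findings.append({"href": href, "shown": shown,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tel_links(SAMPLE_HTML):
        print(f"{f['href']!r} shown as {f['shown']!r}: {'; '.join(f['reasons'])}")
```

A static check like this only catches the displayed-versus-dialed mismatch; the other items in the list (tracking, dialing without confirmation, dial loops) depend on page script and the phone’s own behaviour, which is why the confirmation dialog on the handset, not the web page, is the control that matters most.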

Wow.  Head over, bone up on your anti-escort service-protection, and take appropriate steps to disable this service for now.  Trust me, your phone bill and your spouse will thank you.

    Ask Elizabeth: Bluesnarfing, and can people overhear my Bluetooth calls?

    by Elizabeth Blair York | July 6th, 2007

    Q. If people can broadcast TO my Bluetooth headset, does that mean they can listen in?

    A. Ever since Tyler first posted about his dislike of ‘Bluecasting’ (also known as Bluejacking), it’s got a lot of people asking me: if it’s so easy to push unwanted information TO a Bluetooth headset, does that mean people can PULL information through my Bluetooth device, too?

    The simple answer is yes.

    Since almost the very moment Bluetooth was released, hackers have been building ways to crack it.

    The first Bluetooth breaches were through an early security hole. Nicknamed “Bluebugging”, hackers took advantage of this backdoor to eavesdrop, as well as to access and even overwrite a phone’s address book and text message files. As with any Bluetooth security breach, the hacker had to be within 30 feet of your phone.

    Starting in 2005, most new Bluetooth-enabled phones were cured of this, although hackers are always writing new code and new programs to breach security.

    As that hole was being plugged, hackers discovered that Bluetooth phones in ‘Discoverable’ mode could be accessed. This is called “Bluesnarfing”.

    Unauthorized users ‘pair up’ to your Bluetooth and, once linked, can steal the whole of your phone book: your whole contact list, your calendar, your stored pictures, even your ring tones.

    There is also something called a ‘DoS’ attack. In a Denial-of-Service attack, a malicious hacker broadcasts code that makes your device unavailable to you until it reboots (is turned off and then turned on again). There’s usually no breach of your information in a DoS attack, or harm to your headset or phone. It’s just idiocy for idiocy’s sake.

    Should these security concerns keep you from buying and using, say… a new MoGo headset? No. The good news is that there are things you can do to keep your calls and information safer.

    1) Turn off discoverable mode.

    Most phones are “visible” (or set to ‘Discoverable mode’) by default when Bluetooth is switched on. The safest mode is ‘Non-discoverable’:

    1. Non-discoverable mode: Does not respond to inquiry - highest safety for your phone.
    2. Limited discoverable mode (or ‘Hidden’): Discoverable only for a limited period of time, during temporary conditions or for a specific event - this provides medium safety.
    3. General discoverable mode: Discoverable continuously or for no specific condition - no safety from Bluejacking or Bluesnarfing.

    2) Use a strong PIN code for your headset.
    Not only should you choose a strong PIN, you should also be careful not to use it in public where it can be caught by someone watching. If your headset and phone become unpaired, go somewhere private to link them back up, not standing in the middle of the mall.

    3) Never, ever let an unknown device pair to your phone. Periodically watch the Bluetooth symbol on your phone. If it looks different, or you see an unexpected message appear on your device asking to pair up, well, to quote Nancy Reagan - just say NO.

    Unsure what the Bluetooth symbol is supposed to look like? Apple has a great article showing all the Bluetooth icons and their meanings here.

    4) Keep Moving. PC Today said it well: “Unless your attacker has invested vast amounts of time and money in a long-range Bluetooth transmitter/receiver, chances are great that they will be operating within standard Bluetooth range (within 10 meters [33 feet]). If you notice something wacky happening with your smartphone or PDA and don’t know what else to do, simply get up and move away.

    “If you are on a bus, train, airplane, or other confined area, simply power off your device and wait to see who reacts. If you catch them, make sure to give them a dirty look.”

    ————————————————————————————————

    On Fridays, MoGo Mobility’s Elizabeth will seek to answer your MoGo (and non-MoGo) technical questions.

    Elizabeth is a professional writer & geek with most of the last decade spent in senior management at a leading global IT provider. Thousands have attended her seminars in the US & Canada on subjects ranging from basic TCP/IP networking to high-end data storage solutions.

    Got a question? Ask Elizabeth.
