Concerned with Bluetooth marketing security?

A commenter on this blog recently expressed a strong concern about security when offering Bluetooth marketing services in public places. The commenter was concerned that consumers would be inundated with hacker-generated unwanted downloads akin to SPAM, called bluejacking. Along with this is another security concern called bluebugging, where a phone is hijacked to make free calls. An even worse concern is the possibility of a hacker stealing address books or other personal information from a consumer’s phone – which is called bluesnarfing.

Clearly the belts and braces method of preventing any of these occurring is, of course, for you to have your Bluetooth radio turned off on your phone or your discoverability turned off. But honestly, this is the equivalent of telling a PC user that if they are to avoid security problems then they should not connect to the Internet! It’s just not that realistic as good advice now that Bluetooth usage is so widespread, extending even to cars.

The point at issue here is that nobody can ever avoid the possibility of their security being compromised somewhere along the line, as it’s one of the characteristics of living in the 21st century. Moreover, no service provider, standards provider or software author could ever guarantee that their systems are 100% secure. If they did, nobody would believe them. We only need to look at the number of never-ending security patches we receive each month from Microsoft to see that.

Let’s get back to bluejacking, bluebugging and bluesnarfing. I am interested in getting a better understanding of whether they are of real concern in 2009 even though, from Hypertag’s perspective, we have never had an identifiable example of this in all the years of running large Bluetooth marketing campaigns around the world.

When a Bluetooth radio on a mobile phone is turned on, there are two ways a hacker can possibly interact with that phone: through the use of OBEX and through pairing.

OBEX or Object Exchange: This is the Bluetooth mobile phone standard for exchanging business cards, data or even applications and this is the technology that Hypertag uses to download content if the consumer actively decides they wish to accept it onto their mobile phone.

It should be remembered that even if the consumer is highly concerned about security and has their Bluetooth radio on their mobile turned off, they can still safely interact with a Hypertag content server through OBEX.

As they pass near a Hypertag content server, they will see a poster that asks them to “turn on their Bluetooth if they want to download the content on offer.” If they do, they will then receive an image that clearly identifies that they are connected to the Hypertag server and asks “whether they wish to download the content.” Thus the consumer knows where the content is coming from. Once downloaded, the consumer is free to turn their Bluetooth radio off again or make it non-discoverable.

Is it possible for a hacker to be lurking close by ready to spoof the Hypertag content server and hack into a consumer’s phone? Yes, it’s possible but it’s highly unlikely in the real world. One rule of hacking states that the value of the content has to be worth more than the effort required and, to my mind, this just does not pass that test. In any case, according to guidance from the Bluetooth SIG (Bluetooth Special Interest Group), “Phone owners who receive bluejack messages should refuse to add the contacts to their address book.” With nearly all new phones, it is now necessary for the owner to take some action to allow Bluetooth access, so the likelihood of theft of data or media (or even the ability to push stuff into the phone) must be pretty low.

Bluetooth pairing: Anyone who has used a Bluetooth hands-free earpiece understands pairing. The process is initiated by turning on the mobile phone Bluetooth radio and making it discoverable. The hands-free earpiece then ‘discovers’ the phone and ‘pairs’ with it. A PIN is exchanged and all data traffic is then encrypted between the phone and the earpiece. Once achieved, discoverability is turned off until it is again needed. Hypertag does not use pairing for Bluetooth marketing applications.

Clearly, consumers should NOT ever pair with any device that they are not sure about – especially in a public location. This is plain common sense and will prevent any possibility of bluebugging or bluesnarfing.

The million dollar question – should brand owners, retailers or media agencies be really concerned that a Bluetooth marketing campaign could be hijacked by hackers?

According to the authoritative industry standards body that looks after Bluetooth standards, the Bluetooth SIG:

  • “Only specific older Bluetooth enabled phones are susceptible to bluesnarfing.”
  • “Both Nokia and Sony Ericsson have developed software upgrades for phones vulnerable to bluesnarfing and bluebugging. Both companies have also worked hard to make sure new phones coming to market will not be susceptible to these attacks.”
  • “The Bluetooth SIG continues to study security risks associated with the technology and determine their viability as the technology spreads and develops.”
  • “Theoretically a hacker can monitor and record activities in the frequency spectrum and then use a computer to regenerate the PIN codes being exchanged. This requires specially built hardware and thorough knowledge of Bluetooth systems.” “This is an academic analysis of Bluetooth security. What this analysis outlines is possible, but it is highly unlikely for a normal user to ever encounter such an attack.”

We agree with these observations and my personal view is that the occurrence of Bluetooth hacking of any sort is only a remote possibility. Hypertag’s experience to date confirms this. Of course it is possible, but I believe it’s far more possible that I could download spyware through my PC browser than come across a Bluetooth hacker; however, we should all remain alert to the possibility.

Googling the Internet looking for up-to-date concerns about bluesnarfing seems to only turn up articles dating from the early days of the Bluetooth standard. Yes, we should always be concerned about security issues when providing any sort of public communication system, but we believe that the benefits of implementing Bluetooth marketing campaigns far outweigh the risk of bluejacking or bluesnarfing – until we’re proved wrong. In that case, we will update our technology to address the issue.

Chris Gare

2 Responses to “Concerned with Bluetooth marketing security?”

  1. Dale Says:

    Chris

    A really excellent explanation — thank you very much indeed.

  2. Latest bluetooth marketing news - Q&A: Troy Norcross on Bluetooth marketing | Blog | Econsultancy Says:

    [...] Concerned with Bluetooth marketing security? [...]
