Wednesday, August 31, 2005

iTunes and BlueTooth: the Potential for a Major Boo-Boo

InternetNews reports that Cingular will be offering iTunes on a Motorola Phone:

Apple is set to announce a Cingular mobile phone loaded with special iTunes software, Ovum analyst Roger Entner confirmed...

Motorola and Apple initially announced the phone partnership in July 2004. The plan is to let people transfer songs from the iTunes jukebox on the PC or Mac to Motorola handsets via a USB or Bluetooth connection, as well as to buy songs directly over the air from the iTunes Music Store...

Why did I highlight the word BlueTooth?

  • Weaknesses in the BlueTooth pairing process: recently discovered flaws in the BT protocol may result in sniffing or hijacking of your "private" BT traffic. When we combine these vulnerabilities with powerful hacking tools like the BlueSniper rifle... well, you get the picture.

  • Thieves are already using BT phones to find Bluetooth-enabled laptops in parked cars, which they then break into and steal. There's no reason that thieves couldn't sniff out highly desirable iTunes phones the same way.

  • Advertisers are already spamming unsolicited content to BT phones at a distance of 100 meters (with longer distances possible).

  • Bruce Schneier notes:

    Sure, it's annoying, but worse, there are serious security risks. Don't believe this:

    Furthermore, there is no risk of downloading viruses or other malware to the phone, says O'Regan: "We don't send applications or executable code." The system uses the phone's native download interface so they should be able to see the kind of file they are downloading before accepting it, he adds.

    This company might not send executable code, but someone else certainly could. And what percentage of people who use Bluetooth phones can recognize "the kind of file they are downloading"?

    We've already seen two ways to steal data from Bluetooth devices. And we know that more and more sensitive data is being stored on these small devices, increasing the risk. This is almost certainly another avenue for attack.

Unless these phones are shipped with (a) BlueTooth disabled by default; and (b) the ability to patch BT firmware, I think I'd take a rain-check. As President Reagan used to say, "Trust, but verify."

I'd want to be sure about BT support in any phone, especially a leading-edge, iTunes-enabled one.

1 comment:

Anonymous said...

Can anyone recommend the best Network Monitoring software for a small IT service company like mine? Does anyone use or how do they compare to these guys I found recently: N-able N-central software distribution? What is your best take in cost vs. performance among those three? I need some good advice please... Thanks in advance!