A while ago I wrote about bluejacking, a fun way of using Bluetooth to zap a message onto the screen of any nearby Bluetooth-enabled mobile phone. But now there’s a new technique that’s much nastier: Bluesnarfing. Bluesnarfing is a technique for wirelessly reaching inside a Bluetooth phone and stealing any contact information stored in it.

It was discovered by a security officer in the UK who was testing the security of some Bluetooth handsets. As ZDnet reports:

Laurie said he discovered the problem when he was asked to test how safe Bluetooth devices actually were. “Before we deploy any new technology for clients or our own staff, one of my duties is to investigate that technology and ensure it is secure. Actually rolling your sleeves up and looking at it, not just taking the manufacturers’ claims at face value. When I did that, I found that it is not secure,” he said.

According to Laurie, he can initiate a bluesnarfing attack from his laptop after making a modification to its Bluetooth settings: “It is a standard Bluetooth-enabled laptop and the only special bit is the software I am using in the Bluetooth stack. I have a modified the Bluetooth stack and that enables me to perform this attack,” he said.

Bluesnarfing has huge potential for abuse because it leave no trace and victims will be unaware that their details have been stolen: “If your phone is in your pocket, you will be completely unaware,” he said.

This is an interesting gloss on the posting I wrote yesterday about cracking a system to try and examine its security, or lack thereof. In this case, a security official tried to invade a system — and in doing so, usefully exposed a problematic vulnerability.