Bluesnarfing vs. Bluejacking: Top 4 Differences You Should Know

In November of the same year, network security expert Adam Laurie independently identified this Bluetooth security flaw once again. Laurie published a vulnerability disclosure that detailed the vulnerabilities detected within Bluetooth devices. He also contacted device manufacturers and specified the vulnerabilities to them.

The vulnerability disclosure published by Laurie mentioned critical flaws in the data transfer and authentication mechanisms of certain Bluetooth-enabled electronics. The first vulnerability discovered was the ability to obtain data anonymously without the consent (or even knowledge) of the owners of certain Bluetooth-enabled mobile phones.

The disclosure also noted that some mobile phones allowed previously paired devices to access their complete memory contents, even if those previously paired devices had since been deleted from the ‘paired Bluetooth devices’ list.

A colleague of Laurie, Martin Herfurt, discovered yet another vulnerability: the ability to access voice, messaging, and data services via ‘bluesnarfing.’

Some sources mention Laurie as the first discoverer of bluesnarfing and credit him with coining its name — a combination of ‘Bluetooth’ and ‘snarfing,’ a jargon used in the technology field that means taking unauthorized copies of data.

Soon, bluesnarfing became public knowledge. Toward the end of 2003, cybercriminals from around the world were attempting to make software to exploit the highlighted vulnerabilities in Bluetooth devices.

This bluejacker reportedly targeted a single Nokia 7650 phone owner in a Malaysian bank. His messages advertised Ericsson. The term ‘bluejacking’ was purportedly invented by the same person — an amalgam of ‘Bluetooth’ and ‘ajack,’ his username on an online Sony Ericsson fan forum. However, ‘jacking’ is also a common shortening of the word ‘hijack.’

While the original forum posts created by ajack are not easily found, this exploit is commonly referenced in other posts from 2003.

However, this origin story is disputed by another forum user who claims earlier discovery. Their story is nearly identical to the one attributed to ajack; however, in this version, 44 Nokia 7650 phones were bluejacked instead of just one.

The location is also not a Malaysian Bank. Instead, it seems to be a garage in Denmark. Finally, the messages were not advertisements for Sony Ericsson but insults to Nokia owners.

Bluesnarfing, like bluejacking, involves Bluetooth connectivity; however, it is a distinct type of attack with a far more serious impact.

The methodology a bluesnarfing attacker uses typically involves targeting geographic locations with a high footfall, such as shopping malls and airports. This is because Bluetooth has a limited range of around 10 meters or 30 feet. Therefore, attackers must first be near their victims. Some attackers bypass this restriction by using specialized tools for ‘bluesniping’ their victim’s device from further away.

Executing a bluesnarfing attack involves exploiting vulnerabilities in the OBEX protocol of a Bluetooth-enabled device. This protocol is used for data sharing.

Earlier forms of bluesnarfing involved manually scanning for discoverable Bluetooth devices within an attacker’s range. The attacker would then attempt to manually pair with their victim’s device if it was not protected with a security PIN.

Today, bluesnarfing software has simplified this process for attackers. Bluediving is one of the more common software programs for bluesnarfing. It identifies vulnerable devices and even contains automated tools that can exploit these devices’ vulnerabilities post-identification.

Using Bluediving and similar software is quite simple. The attacker just needs to launch the process. The software will then automatically conduct a scan to detect nearby devices and identify the ones with a vulnerability in their OBEX protocol. The software will then pair with the target devices over a Bluetooth connection.

Once pairing is completed, the software will even automate the exploitation of existing vulnerabilities in the OBEX protocol of the target devices. If the process is successful, it will give the attacker access to the target device(s).

Bluediving and similar software can also allow attackers to download data from a target device. The software would even enable the cybercriminal to attack the victim’s IMEI number and phone number without the victim’s awareness.

The transmitted data can include messages that might be mistaken as coming from the victim’s device. They could also be messages correctly identified as being transmitted from an unfamiliar device. Regardless, most security experts consider bluejacking to be a low-level threat that is not capable of causing significant harm to the victim.

To carry out a bluejacking attack, the attacker begins by finding a Bluetooth-enabled device within their geographic vicinity. This step is similar to the methodology used for a bluesnarfing attack; however, the similarities end here.

Next, the bluejacker will pair their Bluetooth-enabled device with that of the victim. If the target device is protected with a password or PIN, the attacker would need to authenticate themselves to complete the connection successfully. For this, brute forcing software can be used. Such software automatically cycles through password combinations until the right one is found.

Once the connection is established, the attacker can spam the victim with messages, images, audio files, and other media.

A simple way to transmit messages via bluejacking is by using the ‘send a contact’ feature. To do so, the attacker would need to open their contacts app and create a new contact. However, instead of saving a proper name, phone number, or email address, the bluejacker would save the message they wish to transmit instead of the contact name and leave the rest of the fields optionally blank.

Once the recipient receives the contact card and opens it, they will receive the message.

But that’s not the worst that can be done through bluesnarfing. Attackers can also use this attack medium to access the calling and messaging capabilities of the target device. This allows bad actors to use the compromised smartphone to call and message others.

Messages and calls meant to be received on the victim’s phone can also be diverted to a different number. Additionally, the attackers could make expensive international calls using the victim’s phone, leading to the target incurring financial losses.

It is also possible for an attacker to hide from their target the fact that they have been subjected to a bluesnarfing attack. Therefore, victims might not even know that their devices have been compromised. This allows for repeat attacks.

Bluesnarfing could have a potentially life-changing impact on a victim. The attacker could defraud their contacts through calls and messages (perhaps by soliciting money) or ruin their reputation by transmitting private information to their contacts. That’s not all! Bluesnarfing can even allow attackers to install malware on the target device.

Theoretically, a sufficiently skilled attacker can also use their victim’s device for serious felonies such as kidnapping. Through bluesnarfing, the victim’s phone would be used to send messages and call the loved ones of kidnapping victims. The attacker’s identity would be masked in such a scenario, and the person whose device was targeted through bluesnarfing would be presumed somehow responsible for the incriminating communications.

Messages sent via bluejacking are generally anonymous, and the recipient can only view the name and model number of the bluejacker’s device.

Technically speaking, bluejacking is an infringement of the receiver’s personal property. However, it is not considered illegal in most jurisdictions since it does not access the recipient device or the data contained within it in any way or cause any other harm.

This does not mean that bluejacking cannot be dangerous. For instance, the attacker would theoretically be able to send their victim phishing messages and lead to them visiting a link that installs malware onto their device.

However, realistically speaking, this mode of attack is not a major cybersecurity concern. Since the attacker would have to be physically close to their victim, they would be at high risk of being discovered. Attackers are more likely to use more sophisticated cyber threats that do not involve getting physically close to their targets.

i) Switch off Bluetooth

This is the simplest possible tip to avoid both bluesnarfing and bluejacking. Even Adam Laurie recommended switching off Bluetooth entirely in his vulnerability disclosure, mentioning that it is a sure-shot way to counter bluesnarfing.

Technology and cybersecurity have progressed immensely since then; however, the statement is still true today. Bluesnarfing attacks rely on an active Bluetooth connection for their success, and simply switching off Bluetooth would shut them out of an electronic device.

However, in many cases, devices require Bluetooth to be on constantly, and this countermeasure is not always feasible.

ii) Update the device regularly

Phone manufacturers release regular security updates and software patches for users. These measures help address identified vulnerabilities in devices, thus providing users with improved system security. Users should install software updates as soon as possible after they are released.

Besides this, newer devices are far better protected against bluesnarfing than older systems. For applications where Bluetooth has to be constantly turned on, it is therefore recommended that users get more modern devices to minimize the risk of bluesnarfing.

iii) Switch off Bluetooth discoverability

Many Bluetooth devices are set as discoverable by default. This gives other Bluetooth devices the ability to detect and connect with them.

However, users can turn off this default behavior from their Bluetooth settings, thus making their device undiscoverable or hidden. This setting does not switch Bluetooth off but only prevents other Bluetooth devices from being able to find the user’s device.

However, while this method decreases the probability of a bluesnarfing attack, it does not completely remove it. Turning discoverability off hides the device’s media access control (MAC) address from the network. This is the address used by Bluetooth devices to identify and communicate with each other.

Nevertheless, a sufficiently determined attacker could use brute force to guess the correct MAC address and carry out a bluesnarfing attack even with device discoverability turned off.

iv) Use multi-factor authentication

Multi-factor authentication (MFA) is a security feature available for Bluetooth connections on certain devices. It requires users to provide additional identification before pairing with another Bluetooth device. MFA makes it harder for unauthorized users to connect with the device over Bluetooth.

This measure can be particularly helpful in preventing bluesnarfing. This is because MFA ensures that only verified users can connect to the device over Bluetooth. This feature is highly effective when combined with a strong password. Additionally, it can provide damage control if an attacker gains access to a device through bluesnarfing, as it will limit what they can access.

v) Do not pair with unrecognized devices

Finally, a common-sense measure to minimize the risk of bluesnarfing is to avoid pairing with unfamiliar devices over Bluetooth. Basically, pairing requests not initiated by the user should not be accepted unless they are confident that it is safe. Manual verification is also important, as attackers can simply use familiar names to trick users into pairing with their devices.

For additional safety, it is best to avoid pairing Bluetooth devices in a geographic area with many other devices available when connecting for the first time. This prevents attackers from hijacking the pairing process.

i) Switch Bluetooth off or limit the usage

This is the top tip to prevent bluejacking, especially in public places. Users not actively using Bluetooth should ideally keep it off, as this not only helps evade attacks but also minimizes the tracking of location and other parameters. Shutting down discoverability can also help.

ii) Update Bluetooth device

This measure is common for countering both types of attacks. Updating the operating system of a Bluetooth device is a great way to plug any cybersecurity loopholes that would otherwise make bluejacking easier.

iii) Don’t engage with unknown messages

Users should ensure they do not engage with unknown links, images, contacts, or other media received from a bluejacker. This includes opening files, tapping on links, or responding to messages. The safest possible countermeasure to an active bluejacking attack is deleting incoming media or simply ignoring the bluejacker.

iv) Keep calm

Finally, it is important to remember that a panicked reaction is usually what a bluejacker hopes for. Responding without thinking could lead to costly mistakes.

If a user receives an unexpected message from a bluejacker, it would be wise to take a moment and recognize what is happening, after which the situation can be responded to more effectively.