Bluejacking 'a harmless prank`

By Stephen Whitford, ITWeb contributor
Johannesburg, 25 Nov 2003

Cyber teens abroad are catching onto a new prank, in which they use Bluetooth technology to send messages to unsuspecting strangers in public places.

Victims could be enjoying coffee in a restaurant when their cellphones beep to announce they have received a business card. The surprise "business card" might contain a message such as "nice cappuccino", leaving the recipient bewildered and the prankster highly amused.

The new prank has been named "bluejacking". Using Bluetooth, a business card can be sent from one cellphone address book to another, as one would with infrared. However, Bluetooth`s range is further, extending to any cellphone within 10m. This allows a prankster to be out of direct line of sight and still send a message. The technology also enables users to search for a Bluetooth-activated phone in an area, to find potential "victims".

Bluejackers are not able to send long messages, as the receiver of the Bluetooth message has to accept the transmission.

It is often unsettling for the victim, especially when the message is specific to their situation, ie "cool Ferrari cap". If a phone is able to send detailed business cards, messages can be placed within the name, cellphone number and e-mail fields.

Malaysian origins

This bluejack phenomenon started after a Malaysian IT consultant named "Ajack" posted a comment on a mobile phone forum. Ajack told ITWeb that he used his Ericsson cellphone in a bank to send a message to someone with a Nokia 7650.

Becoming bored while standing in a bank queue, Ajack did a Bluetooth discovery to see if there was another Bluetooth device around. Discovering a Nokia 7650 in the vicinity, he created a new contact and filled in the first name with 'Buy Ericsson!` and sent a business card to the Nokia phone.

"A guy a few feet away from me suddenly had his 7650 beep. He took out his 7650 and started looking at his phone. I couldn`t contain myself and left the bank," he says.

Ajack then posted the story on a mobile Web site and other people started trying it out.

"I gave it the name bluejacking (taken from the words Bluetooth and hijacking) and it has just taken off from there."

He says bluejacking is common in Malaysia and is happening everywhere there are lots of Bluetooth devices.

Bluejacking has become popular among young people wanting to play practical jokes. A 13-year-old named Ellie from Surrey in the UK has started a dedicated bluejacking site called bluejackq. The site explains what bluejacking is and also has forums where people can share their bluejacking experiences.

Security worries

However, concerns about bluejacking were raised earlier this month when security firm AL Digital published a report that suggested there are a number of security problems with Bluetooth devices.

"Bluejacking promotes an environment that puts consumer devices at greater risk because of serious flaws in the authentication and/or data transfer mechanisms on some Bluetooth-enabled devices," it said.

It stated that the phonebook and calendar can be obtained, anonymously, and without the owner`s knowledge or consent, from some Bluetooth-enabled mobile phones.

It also claimed that the complete memory contents of some mobile phones can be accessed by a previously trusted paired (a direct connection accessed through a password) device that has since been removed from the trusted list. This data could include the phonebook, calendar, pictures and text messages.

However, the report was later questioned in an article published on The Register, in which TDK Systems MD Nick Hunn said the research posed little cause for concern.

Hunn said the report was incorrect because in order for information to be duplicated, the devices would have to be paired. Bluejacking does not, as the report stated, require a password to be entered and therefore the two devices are not paired, he explained.

He said bluejacking doesn`t hijack the phone or harvest information, but simply presents a message, which the recipient can delete, ignore or read.

Ajack agrees. "Bluejacking is not a security risk as Bluetooth is secured by design and one does not pair the two devices in order to bluejack. While it can be a nuisance, one can easily switch the Bluetooth off to avoid getting bluejacked."

Clickatell key sales consultant Gary Cousins says that while he hasn`t heard of any cases of bluejacking happening locally, "with more and more cellphones having Bluetooth functionality, it`s just a matter of time".