The NY Times fumbles Bluesnarfing at the Oscars


Has the New York Times fallen prey to the hysteria over Bluesnarfing? John Markoff and Laura M. Holson have an article today about how one of the guys from Flexilis spent the Academy Awards hanging out front trying to Bluesnarf celebs' phones. Purely for research purposes, of course, and the piece makes it clear that they didn't actually "tap into" anyone's phones and grab any sensitive data.

Yes, using Bluetooth to grab sensitive data from a cellphone is possible, but the article is misleading from the very first paragraph, saying that as many as "100 people who walked the red carpet had cellphones vulnerable to the kind of privacy invasion that recently gained Ms. Hilton a new round of unwanted notoriety." This is incorrect. Paris Hilton's cellphone, the T-Mobile Sidekick, doesn't have Bluetooth, and isn't vulnerable to the "same kind of privacy invasion." You can split hairs and say that they're talking about the taking of data itself, regardless of how it's accessed, as the privacy invasion, but then you might as well talk about how Gmail or Hotmail is vulnerable to the same kind of privacy invasion if someone manages to hack into your account.

They make it worse a little later in the piece when they write that "50 to 100 of the attendees had smart cellphones whose contents - like those of Ms. Hilton's T-Mobile phone - could be electronically siphoned from their service providers' central computers." Again, this is incorrect. The Sidekick stores its data on a central server, but very, very few cellphones do this. Bluesnarfing a cellphone to grab its directory or whatever would not give you access to a service provider's central computer.

Then, even more confusingly, they don't specify what percentage of these 50 to 100 Bluetooth handsets that Flexilis detected were in discoverable mode. This actually does make a big difference in how easy it is to grab data off of a Bluetooth-enabled cellphone, and most handsets have discoverable mode disabled by default. Yes, it's messy and the particulars can be difficult to explain, but you can't do a story about Bluetooth security without talking about how Bluesnarfing is generally only possible under specific circumstances; discoverable mode, for starters, is one of them. And yes, while it's possible to Bluesnarf without a phone being in discoverable mode, it's far, far more difficult.

So rather than address any of the actual subtleties of what's going on or make a realistic assessment of the threat (which exists, but by all accounts is actually pretty minimal), the Times decided to just accept at face value the claims of a publicity-hungry security firm (remember, these companies literally have to scare up business) in order to deliver a story about celebs and cellphone security that would somehow tie into what happened to Paris Hilton, and make it sound like what happened to her could happen to anyone. Bluesnarfing is real, but eliding the differences between Bluesnarfing and the hacking of Paris Hilton's Sidekick is not just irresponsible, it's ultimately counterproductive to the entire discussion about cellphones, privacy, and security.