• PC World
• »Phones

By next year, research firm IDC predicts, at least half of all new cell phone buyers will take home a Bluetooth-capable phone--one that lets the user wirelessly connect it to PCs or to accessories such as headsets. But the networking feature may also give any nearby person who has a laptop and some specialized programs the ability to steal data from the phone or to eavesdrop on the user.

Earlier this year, two security researchers, Adam Laurie and Martin Herfurt, created a collection of hacks they call BlueSnarfing that enabled them to stealthily duplicate the address book, call records, photos, and text messages from certain phone models.

The development is particularly disturbing, Laurie says, because phones are increasingly being used to store sensitive information such as passwords and PIN numbers.

In one demonstration they call BlueBugging, the two researchers forced a targeted phone to call a phone of their own. That transforms the victim's phone into a bugging device, at least until the victim realizes that the phone is connected to another one.

In addition, criminals might use BlueBugging to commit fraud, Laurie says. For example, an attacker could force victims' phones to dial a phone service that bills per call or per minute. You wouldn't know that you'd been ripped off until you got your phone bill--and then you'd have to convince your phone company that it wasn't you who called a psychic hotline 40 times.

Laurie, who is chief security officer and director of The Bunker Secure Hosting in southern England, says Bluetooth-enabled consumer electronics products complicate his job of protecting sensitive data. He notes that, because radio waves pass through walls, "you don't have to be visible to the person you're targeting."

Not all Bluetooth phones are susceptible to the attacks. The researchers haven't tested many different handsets, but the ones that they have checked out are among the most popular models, and Laurie estimates that 50 to 70 percent of Bluetooth phones are open to one or more BlueSnarfing attacks. Click here (for a complete list of vulnerable phone models.)

Nokia is reportedly working on a plan to fix the problem by updating the firmware in customers' phones, but it hasn't released details. Sony Ericsson spokesperson Peter Bodor says that customers can bring any of the company's at-risk handsets (the T610, T628, T630, and Z600 models share the same vulnerability) to any service center for a firmware update to fix the problem.

In the meantime, if you are not using your cell phone's Bluetooth feature, turn it off entirely. Not only will you protect your privacy, but you will prolong the phone's battery life, as well.

Andrew Brandt is a senior associate editor for PC World. You can send him e-mail at privacywatch@pcworld.com.