Mobile Threat Catalogue

Bluejacking

Threat Category: Network Threats: Bluetooth

ID: LPN-14

Threat Description: The Bluetooth specification supports the transfer of certain object types defined in the OBEX protocol, namely vCard (contacts), vCal (calendar events) and vNote (text). OBEX does not require authentication, and messages can be sent to Bluetooth-enabled devices without any prerequisite pairing or authentication. While unsolicited messages are not directly harmful to the device, they may facilitate social engineering attacks if a recipient accepts crafted contact or calendar information sent by an attacker.

Threat Origin

Guide to Bluetooth Security: Draft NIST SP 800-121rev2 [1]

Exploit Examples

Not Applicable

CVE Examples

Not Applicable

Possible Countermeasures

Mobile Device User

To reduce opportunity for this attack, disable Bluetooth when that feature is not in use.

Do not accept data transfers, such as contact cards, transmitted over Bluetooth without confidence the message is legitimate.

References

  1. J. Padgette et al., Guide to Bluetooth Security, Draft SP 800-121 rev. 2, National Institute of Standards and Technology, 2016; http://csrc.nist.gov/publications/drafts/800-121/sp800_121_r2_draft.pdf [accessed 12/07/2016]