Threat Category: Network Threats: Bluetooth
Threat Description: The Bluetooth specification supports the transfer of certain object types defined in the OBEX protocol, namely vCard (contacts), vCal (calendar events) and vNote (text). OBEX does not require authentication, and messages can be sent to Bluetooth-enabled devices without any prerequisite pairing or authentication. While unsolicited messages are not directly harmful to the device, they may facilitate social engineering attacks if a recipient accepts crafted contact or calendar information sent by an attacker.
Guide to Bluetooth Security: Draft NIST SP 800-121rev2 [1]
To reduce opportunity for this attack, disable Bluetooth when that feature is not in use.
Do not accept data transfers, such as contact cards, transmitted over Bluetooth without confidence the message is legitimate.
[1] J. Padgette et al., Guide to Bluetooth Security, Draft SP 800-121 rev. 2, National Institute of Standards and Technology, 2016; http://csrc.nist.gov/publications/drafts/800-121/sp800_121_r2_draft.pdf [accessed 12/07/2016]