Bluesnarfing is when a hacker accesses your phone through Bluetooth and takes information such as passwords and phone login codes. Most of the time, victims never know it happened. The act is similar to bluejacking, a better-known hack when someone sends unsolicited messages to a phone using Bluetooth or technology like Apple AirDrop.
Bluejacking is commonly used to prank users, but can sometimes involve phishing schemes. However, bluesnarfing is more ominous. In most cases, hackers access your phone and sell personally identifiable information (PII) on the dark web. But hackers can also access your email to send messages to friends and coworkers posing as you and asking for money, jump onto your social media to take or post information, or access your bank accounts.
Although not documented on a large scale, someone in Denver is doing this.
I was bluesnarfed three months ago while looking for an apartment. I'm a fairly fraud-aware person, and, after some cautious searching, found an apartment for $1600 in Park Hill on Craigslist. In this case, the price was a deal but not so low as to raise alarms, and the ad’s responder answered with clear, grammatically correct responses. So I set an appointment for a tour and visited the apartment.
But no one showed.
After standing around in the rain, I looked into the window of the building and saw a letter taped on the inside. The letterhead was from Real Property Management Colorado, the actual property management company of the address, telling visitors that they’d “NEVER initiate a conversation through Craigslist!"
I was scammed. But, having provided no personal information beyond my phone number and first name, I assumed I was safe. Twenty minutes later, my phone was in their hands, digitally speaking. They had hijacked my eSIM.
If bluesnarfers are able to steal your eSIM, you are in particular trouble. With an eSIM, these nefarious folk are essentially you on the internet, according to Antonio Wint, the founder and CEO of Syn Ack Fin Network & Computer Services in Cherry Creek.
"Your phone is your eSIM," says Wint.
Most of our SIM cards are now digital, making them easier to hack than the physical SIMs of older phones. Hackers are able to steal eSIMs through Bluetooth, reinstall eSIMs onto another device and hijack our phone numbers. All hackers need is for us to have our Bluetooth toggled on and to be nearby with the proper tech.
Once they take an eSIM, scammers can receive texts and have access to full Apple accounts, most emails and apps. Using a stolen password and username, they can receive the text verification to access any account using two-factor authentication.
According to Wint, I was lucky they took my eSIM. When a phone's eSIM is stolen, the phone will deactivate, so users often notice something's up. After a FindMy ping, my phone shut down because of the stolen eSIM. I knew I had been hacked, so I immediately started changing passwords and preventing most of my information from being stolen. However, most bluesnarf victims don't know the extent of the damage until their data comes up on the dark web, or worse.
You likely won’t get an alert on your phone after being bluesnarfed; the only indication may be unexpected Bluetooth activity or a higher battery drain, says Wint. Things that you might brush off and ignore.
Perhaps the creepiest part of bluesnarfing? The nefarious folk are very close to their victim.
According to Real Property Management Colorado, the warning letter I saw was inspired by a digital fraud scheme. Michelle Farrington, the company’s senior director of leasing, says most of the scams they come across involve fraudsters from other states or countries, who post faux ads and then message with potential leasers. These scammers will claim the management company is charging too much and they will rent directly to the person for less, and if the renter sends a deposit, the posing owner will send the key. When the key never arrives, the victim often calls the management company wondering where the key is.
"This happens enough that we wanted to protect people over the years," Farrington says. Real estate agencies have measures in place to prevent fraud, but it’s easy to quickly copy and paste or recreate an ad on Craigslist to catch unsuspecting people. Farrington says contacts for these cases are usually internet-based phone numbers.
But nefarious folk have to be nearby for bluesnarfing. A smartphone's Bluetooth range is around thirty feet, though it can function farther than that. During my fake apartment tour, the hackers didn't meet me at the building, but they were likely in a neighboring home or parked car nearby. (I’m picturing a windowless white van full of blinking tech equipment, but they could have been sitting in a tiny Geo Prism with a smartphone for all we know.)
"Bluesnarfing can technically be done with off-the-shelf hardware (like a laptop, smartphone, or Raspberry Pi) paired with specialized software tools that exploit Bluetooth vulnerabilities," Wint explains via email. "The key here is proximity. The attacker usually needs to be within ten meters (33 feet), although with high-powered antennas that range can be increased. So yes, it’s very portable, and that’s what makes it concerning."
"This is someone who knows what they are doing,” he adds.
My hackers had my name and phone number. They also likely received a ping from an Apple AirTag in my bag, naively named “Kristin’s Wallet,” which Wint confirms was the equivalent of waving a reg flag in a dark alley. But they likely didn’t need any of that to bluesnarf me, he adds.
It's more likely that scammers used my name and number to determine if I was worth the hacking effort. A simple Google search would have told them my full name and two previous addresses (which I learned when I searched for my phone number), and LinkedIn and the rest of the internet sphere would have showed them plenty about me.
All they needed was my Bluetooth to be on and initial proximity; they didn’t steal my data until twenty minutes after I had driven away.
The Denver Police Department is aware of the bluesnarfing, but says there are no reported cases in the city. But the lack of reports could be because most people don't know they are victims until weeks or months later. I knew immediately and still choose not to report mine. (I didn’t want the added headache of reporting it, but probably should have.)
Protecting Yourself From Bluesnarfing
The simplest way to protect yourself: turn off your phone's Bluetooth. If you're headed to a crowded space, like a concert or tailgate, and plan to play music, try to have a separate device for Bluetooth speakers. For tailgating at Denver Broncos games, Wint has an old phone he adds music to and plays on his Bluetooth speakers, leaving his phone's Bluetooth completely off. If you must use your Bluetooth, Wint says, "take educated risks." Running with headphones is likely safe because you're moving, but don't pair devices in public, ever, he warns. Pairing a new device in public puts your Bluetooth in "discovery mode," leaving it more vulnerable.
Wint suggests accepting your phone's operating system update alerts, too. Most updates include patches to repair an active safety issue. Without the update, "you could be immediately at risk," he says.
And don't name your AirTag things like "Kristin's Wallet," or anything close to your name, phone or any other obvious terms that would be tempting to target. Wint also suggests cleaning up your phone's data.
"Think of it as practicing good hygiene," he says of going through your Bluetooth and Wifi lists to get rid of old connections and reviewing passwords on a regular basis. And, speaking of passwords, don't rely on those anymore, says Wint.
Move Over, Passwords. Passphrases Are Here.
"Use passphrases," Wint says. "Passwords don't work anymore."Passphrases can be sentences that are recognizable and easy to remember. According to Wint, it's not the recognizability that adds protection, but the number of characters. "Passphrases are much more challenging for a tool to crack," he explains. "It takes a computer centuries to crack."
His example: "Welcome to McDonalds. Can I take your order please." The spaces and punctuation would be dashes or underscores, and you can add symbols or numbers for letters if required. The more characters, the better.
Wint also suggests using a password manager, but not your browser's, because if it's hacked, there is just too much information immediately accessible: "They know your life, even without accessing the passwords," he says. "Let your browser browse."
Another password-related safety measure comes in the form of multi-factor authentication (MFA). MFA apps and information will not transfer with a stole eSIM, so while nefarious folk can receive a text verification with a newly installed eSIM, they are less likely to get access to your MFA app. MFAs are difficult to hack, with high encryption levels and verifications that rely on both device, app and location.
But tech changes fast — every sixteen to eighteen months, according to Wint. So any advice given today may soon be obsolete. And AI technology is just going to speed up that timeline, he says.
"There is no silver bullet for any of this," he says, but the best approach is implementing a number of these safety measures.
If you find yourself bluesnarfed, immediately change your phone’s account password and turn it off. Disable your eSIM through your mobile carrier; this will shut down a hacker’s ability to hack your eSim on another device, and you can reinstall an eSIM on your phone later.
And of course, if you're going to use Craigslist, Facebook Marketplace, dating apps or other internet services for in-person meetups, tell your loved ones what you're up to — and then turn off your Bluetooth!
