Bluetooth: the legal aspects

And so we have reached the most strictly legal part of my exploration of Bluetooth technology and of the risks faced by the devices equipped with it.

Once the device’s operation and the protocols it relies on have been explained, and after examining the real-world dangers faced by anyone using such a wireless connection system, the next step is to try to prove the thesis that a smartphone, a PDA, a laptop, and even a BT headset can certainly be classified as an information system and must therefore be subject to the rules on unauthorized access to an information system, in particular art. 615 ter of our Criminal Code. Once this is demonstrated, the second objective will be to classify any harmful actions or attacks against these devices (from simple Toothing, now practiced even by technology novices, to Snarf and Backdoor attacks carried out by self-taught crackers with the help of information easily found on the internet).

The first point to analyze is therefore whether Bluetooth devices can be classified as information systems, and whether they fall under the regulations introduced by Law 23 December 1993 no. 547, which inserted art. 615 ter into our Criminal Code concerning unauthorized access to an information or telematic system, as well as the rules governing any further violations committed after such unauthorized access. The relevant provision states: “Whoever unlawfully enters an information or telematic system protected by security measures, or remains there against the express or tacit will of those entitled to exclude them, is punishable with imprisonment of up to 3 years.”

But can a device using Bluetooth technology be considered an information system? Certainly yes. It has long been established opinion that an information system is not only a Personal Computer or a database, but “any plurality of equipment intended to perform any function useful to humans through the use, even partial, of information technology.” In this regard, one may consult Supreme Court ruling no. 3067 of 1999, which in the specific case considered even an ordinary telephone switchboard to be an information system.
Having resolved the first doubt regarding the applicability of art. 615 ter to devices equipped with Bluetooth technology, we must now analyze whether the actions and attacks described in the previous technical section may constitute crimes.

Starting with simple Toothing, which we saw is the sending of a Business Card (visiting card) from one smartphone to another via Bluetooth, it almost certainly does not constitute the crime of unauthorized computer access, because this practice involves no access to the other person’s device: only the 248 possible characters (the visiting card itself) reach their destination, without actual access to the other’s information system and therefore without any possibility to manipulate, steal, or modify the data contained in the recipient’s phone. Caution is nonetheless advised because, as we saw with advanced Bluejacking, even this simple exchange of visiting cards can be a way to convince the victim to consent to a “trusted” connection and thereby to a subsequent unauthorized access.

As for the Bluesnarfing and Phone Backdoor techniques, we have seen that they give the attacker unconditional access to the victim’s device, through the pairing protocol and the establishment of a “trusted” connection that allows the cracker not only to penetrate the system but also to take full control of the data it contains. One might object (on behalf of a hypothetical attacker’s defense) that no security measures were in place to protect the information system from these intrusions. Two considerations answer this. First, “sniffing” techniques and “bruteforce” attacks, such as those carried out by the software I easily found on the WEB, are precisely aimed at overcoming or circumventing these security measures (passwords and PINs).

Second, it is now firmly established in case law that “the violation of security devices does not have relevance in itself, but as a manifestation of the opposing will of a subject,” as stated by the Supreme Court in ruling no. 12732 of 2000, which also added, regarding unauthorized access to an information system, that “the offense lies in contravening the owner’s provisions, as happens in the case of breaking and entering.” As for the owner’s will, the law itself specifies that it need not be express but may be tacit, and there is no doubt that anyone possessing a Bluetooth device tacitly wills that no one violate their so-called “information domicile” without prior permission.

Finally, regarding the purpose of a hypothetical unauthorized access to a Bluetooth-equipped device, we have seen that a cracker’s attack can give him not only all the data present on the smartphone but also the possibility of using the phone as a zombie to surf, call, or clone other devices via the IMEI code, all at the victim’s expense. Therefore, if the actions following the unauthorized computer access violate other provisions of the law contained in our Civil Code, nothing prevents those rules from being applied together with the violation of art. 615 ter in the commission of the crime, the unauthorized access then constituting a constituent element of a more serious crime.
