Under Bluetooth’s security specification, before two devices will communicate, a matching code number must be entered into both devices. However, Magnus Nystrom, technical Director of RSA Security, told ZDNet that many Bluetooth-enabled devices allow access without demanding a “pairing” code.
The vulnerability could be used to steal phone numbers from a victim’s contacts list and to make calls which are charged to the victim’s account and which use the victim’s identity.