Bluesnarfing is a more overtly malicious attack in which an attacker reads information from a victim's Bluetooth device. The end goal is to glean sensitive data from the victim, like their contacts, calendars, email messages, text messages, and more.

Bluetooth uses the Object Exchange (OBEX) protocol to facilitate communication between two paired devices. To conduct a bluesnarfing attack, you must connect to a device's OBEX Push Profile (OPP), which usually does not require authentication. Then, you connect to an OBEX Push target and submit an OBEX GET request (similar to an HTTP GET request) for common file names that are defined as part of the Infrared Mobile Communications (IrMC) specification. For example, the name telecom/cal.vcs typically specifies the device's calendar, telecom/pb.vcs for the phone book, and telecom/devinfo.txt for information about the device. Devices with vulnerable implementations of OBEX enable you to obtain all files with a name you know or have correctly guessed.

Like with bluejacking, bluesnarfing is ineffective against devices that set Bluetooth in non-discoverable mode.

A Bluetooth bluesnarfing Utility.