Windows Phone Thoughts - Daily News, Views, Rants and Raves

Check out the hottest Windows Mobile devices at our Expansys store!


Digital Home Thoughts

Loading feed...

Laptop Thoughts

Loading feed...

Android Thoughts

Loading feed...




Go Back   Thoughts Media Forums > WINDOWS PHONE THOUGHTS > Windows Phone News

Reply
 
Thread Tools Display Modes
  #1  
Old 06-29-2005, 04:30 PM
Ekkie Tepsupornchai
Magi
Join Date: Feb 2002
Posts: 2,386
Default Bluetooth SIG Concede Newly Discovered Bluetooth Security Hole

<div class='os_post_top_link'><a href='http://www.engadget.com/entry/1234000550048520/' target='_blank'>http://www.engadget.com/entry/1234000550048520/</a><br /><br /></div><i>"The Bluetooth Special Interest Group has told people to set eight-digit PINs when pairing two devices and to take other precautions, after a report described a way for hackers to crack the security codes on Bluetooth devices and seize control of them. For security, Bluetooth devices will not communicate until they have 'paired'--a one-off process in which both devices must enter the same PIN, or personal identification number. A hacker that listens in on the pairing process can decode the PIN and then take control of the link, siphon off data or, potentially, take control of either of the devices."</i><br /><br />So the advice of the Bluetooth SIG is to use an 8-character alphanumeric PINs and to only perform pairing in private. 4-digit codes can be cracked in 0.1 seconds but an eight-character PIN would take 100 years to crack according to the Bluetooth SIG. They go on to say that such breaches would be highly unlikely as the equipment required is very expensive. Hmmmm. Well my initial thoughts are that 100 years to crack an 8-character sounds like wishful thinking and the equipment required to do it probably isn't going to be too expensive for too long. On the other hand, such a security breach requires the thief to be at just the right place at just the right time and within a close proximity to you... and then be able to stay within a close proximity for a period of time that is long enough to pull any important information off of your device (remember the slow BT speeds). Additionally, they have to rely on you not doing anything to break the pairing... all the while you'd probably be sitting there wondering why your paired devices aren't working properly (and of course, doing nothing about it). Finally, my PPC and my laptop both prompt me for confirmation everytime a paired device tries to access a file (the file transfer profile is the only one that would worry me), so I'm not sure just how much risk I'm really at. Anyone see differently?
 
Reply With Quote
  #2  
Old 06-29-2005, 05:24 PM
gibson042
Thinker
gibson042's Avatar
Join Date: Aug 2006
Posts: 316

This attack really is frightening. The hostile party forces apart two paired devices by impersonating one and claiming that the pairing key has been lost. Then they eavesdrop on the repairing and use that information to crack the PIN. And even if it really does take 100 years to crack an eight-character alphanumeric PIN (ha! maybe on a 6800), many devices only allow numeric PINs. I suspect that even at eight digits, those could be cracked in less than a minute. Bluetooth's saving grace is that the (re-)pairing process remains manual; user education (pair in private!) is enough to defang such attacks. Thank SIG for that.
 
Reply With Quote
  #3  
Old 06-29-2005, 05:49 PM
johncruise
Theorist
Join Date: Sep 2005
Posts: 275
Send a message via MSN to johncruise

Well... just my take on the subject (I'm hoping I am reading the article right). If people are really concern about that loophole, just do your pairing at home and not on a public area. Pairing are done once between the two devices so when you are out there, you should be ok.
__________________
John Cruz
 
Reply With Quote
  #4  
Old 06-29-2005, 06:57 PM
bkerrins
Intellectual
Join Date: Aug 2002
Posts: 171

Can't all files or folders in a BT transfer be set up in such a way that it takes an active event to release the files? Someone to actually push a button that says, "yes, you can send this file now." Instead of the "Do you accept this file?"
 
Reply With Quote
  #5  
Old 06-29-2005, 07:04 PM
Jorj Bauer
Server Shogun
Join Date: Jul 2002
Posts: 89
Default Re: Bluetooth SIG Concede Newly Discovered Bluetooth Security Hole

Quote:
Originally Posted by Ekkie Tepsupornchai
"The Bluetooth Special Interest Group has told people to set eight-digit PINs...

So the advice of the Bluetooth SIG is to use an 8-character alphanumeric PINs and to only perform pairing in private... 4-digit codes can be cracked in 0.1 seconds...
Don't forget the multitude of devices that have a SINGLE FIXED 4-digit pin: 0000. These take absolutely no time to crack whatsoever.

And if I recall the protocol correctly, one can inject bad packets into the datastream and force the devices to do a re-pairing on the fly. So pairing in "private" (I guess that means in your own personal faraday cage) isn't likely to be an improvement.

The real problem here is that people assume that Bluetooth has security.

-- Jorj
__________________
-- Jorj Bauer
[DejaVu Software, Inc.]
[PhotoBlog]
 
Reply With Quote
  #6  
Old 06-29-2005, 10:16 PM
surur
Mystic
Join Date: Aug 2006
Posts: 1,734

Well, if you are on the train and your headset conversation suddenly cuts out because lost your pairing, are you really not going to re-pair when the phone prompts you?

When you do, on your intercity train, some guy with a laptop could be running up premium rate phone calls on 5 phones at 1.50/minute.

75 later he move on to another 5 phones, and a month later you get a big bill. Its not all about identity theft. There's real money to be made in them thar phones.

Surur
__________________
Windows Mobile Power User
 
Reply With Quote
  #7  
Old 06-29-2005, 10:58 PM
johncruise
Theorist
Join Date: Sep 2005
Posts: 275
Send a message via MSN to johncruise

Quote:
Originally Posted by Surur
Well, if you are on the train and your headset conversation suddenly cuts out because lost your pairing, are you really not going to re-pair when the phone prompts you.
I'm not sure about your headphone but mine doesn't need another one if the phone and the headset loose connections. This is what I know though (correct me if I'm wrong).... once a device gets paired it adds that device's addresses to the trusted devices list. So if the headset is connecting to your phone, it recognize that unique address (looks like a MAC address) and figures that it doesn't need another pairing cause it's in the trusted list.

And yeah, when you go to a tunnel while riding a train, your phone &amp; BT headset doesn't loose connection.... only your phone signal. ;-)
__________________
John Cruz
 
Reply With Quote
  #8  
Old 06-29-2005, 11:01 PM
johncruise
Theorist
Join Date: Sep 2005
Posts: 275
Send a message via MSN to johncruise
Default Re: Bluetooth SIG Concede Newly Discovered Bluetooth Security Hole

Quote:
Originally Posted by Jorj Bauer
Don't forget the multitude of devices that have a SINGLE FIXED 4-digit pin: 0000. These take absolutely no time to crack whatsoever.
Those devices that has a single fixed 4-digit pin (i.e. my iTech headset), only goes to pairing mode when you tell it to. I don't see how a malicious device could stablish a pairing session-request if it's not on that mode.

Granted, there are BT devices that has pairing always turned ON (like my BT access point... which is not working anymore). This are the cases where one has to be really really really careful.

Cheers!
__________________
John Cruz
 
Reply With Quote
  #9  
Old 06-29-2005, 11:04 PM
surur
Mystic
Join Date: Aug 2006
Posts: 1,734

You are misunderstanding. The hole in the specification is that a lost of pairing can be induced.

On my phone (A SE v800) I would hear a tone from my phone telling me it lost connection with the headset. When I browse the bluetooth settings to reconnect it will tell me to re-pair. This is were the hacker sniffs the password, and will be able to impersonate your headset, and therefore dial a number while you are reading your paper.

Surur
__________________
Windows Mobile Power User
 
Reply With Quote
  #10  
Old 06-29-2005, 11:44 PM
johncruise
Theorist
Join Date: Sep 2005
Posts: 275
Send a message via MSN to johncruise

Quote:
Originally Posted by Surur
You are misunderstanding. The hole in the specification is that a lost of pairing can be induced.
Sorry Surur, but the article discusses re-pairing "with" re-authentication. The attacks mentioned forces your devices to get unpaired... in other words, to take your devices off the trusted list (I'm not sure if that is even possible... cause you cannot delete it from outside the device, or in other words, tell the other device to take you off the trusted pair list).

Anyway, that is why on the article, it says you have to re-enter your PIN again because the other device doesn't recognize it anymore. But if you just loose connection by, say, you turned OFF then ON your devices, that's a different case cause your devices won't ask for re-authentication.

I guess we are both lost in semantics here. There are 2 known use of the word "pairing/pair" in the bluetooth world. One is often used (as far as I know) in making each devices known to each other aka trusted, so the next time you do any other operations in between devices, you don't need to keep on sending another PIN or verifying that it's ok for the other devices to access it (OBEX file transfer doesn't seem to follow this rule). Another use for the word "pairing" is to reconnect devices when one is powered OFF before or something. I could have sworn 'pairing' mentioned in the article is the first one. Don't you agree? :wink:

Best regards,
__________________
John Cruz
 
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 08:03 AM.