06-29-2005, 04:30 PM
Magi
Join Date: Feb 2002
Posts: 2,386
Bluetooth SIG Concede Newly Discovered Bluetooth Security Hole
"The Bluetooth Special Interest Group has told people to set eight-digit PINs when pairing two devices and to take other precautions, after a report described a way for hackers to crack the security codes on Bluetooth devices and seize control of them. For security, Bluetooth devices will not communicate until they have 'paired'--a one-off process in which both devices must enter the same PIN, or personal identification number. A hacker that listens in on the pairing process can decode the PIN and then take control of the link, siphon off data or, potentially, take control of either of the devices."
So the advice of the Bluetooth SIG is to use 8-character alphanumeric PINs and to only perform pairing in private. 4-digit codes can be cracked in 0.1 seconds but an eight-character PIN would take 100 years to crack according to the Bluetooth SIG. They go on to say that such breaches would be highly unlikely as the equipment required is very expensive. Hmmmm. Well my initial thoughts are that 100 years to crack an 8-character PIN sounds like wishful thinking and the equipment required to do it probably isn't going to be too expensive for too long. On the other hand, such a security breach requires the thief to be at just the right place at just the right time and within close proximity to you... and then be able to stay within close proximity for a period of time that is long enough to pull any important information off of your device (remember the slow BT speeds). Additionally, they have to rely on you not doing anything to break the pairing... all the while you'd probably be sitting there wondering why your paired devices aren't working properly (and of course, doing nothing about it). Finally, my PPC and my laptop both prompt me for confirmation every time a paired device tries to access a file (the file transfer profile is the only one that would worry me), so I'm not sure just how much risk I'm really at. Anyone see differently?
06-29-2005, 05:24 PM
Thinker
Join Date: Aug 2006
Posts: 316
This attack really is frightening. The hostile party forces apart two paired devices by impersonating one and claiming that the pairing key has been lost. Then they eavesdrop on the re-pairing and use that information to crack the PIN. And even if it really does take 100 years to crack an eight-character alphanumeric PIN (ha! maybe on a 6800), many devices only allow numeric PINs. I suspect that even at eight digits, those could be cracked in less than a minute. Bluetooth's saving grace is that the (re-)pairing process remains manual; user education (pair in private!) is enough to defang such attacks. Thank SIG for that.
06-29-2005, 05:49 PM
Theorist
Join Date: Sep 2005
Posts: 275
Well... just my take on the subject (I'm hoping I am reading the article right). If people are really concerned about that loophole, just do your pairing at home and not in a public area. Pairing is done once between the two devices, so when you are out there, you should be ok.
__________________
John Cruz
06-29-2005, 06:57 PM
Intellectual
Join Date: Aug 2002
Posts: 171
Can't all files or folders in a BT transfer be set up in such a way that it takes an active event to release the files? Someone to actually push a button that says, "yes, you can send this file now." Instead of the "Do you accept this file?"
06-29-2005, 07:04 PM
Server Shogun
Join Date: Jul 2002
Posts: 89
Re: Bluetooth SIG Concede Newly Discovered Bluetooth Security Hole
Quote:
Originally Posted by Ekkie Tepsupornchai
"The Bluetooth Special Interest Group has told people to set eight-digit PINs...
So the advice of the Bluetooth SIG is to use an 8-character alphanumeric PINs and to only perform pairing in private... 4-digit codes can be cracked in 0.1 seconds...
Don't forget the multitude of devices that have a SINGLE FIXED 4-digit PIN: 0000. These take absolutely no time to crack whatsoever.
And if I recall the protocol correctly, one can inject bad packets into the data stream and force the devices to do a re-pairing on the fly. So pairing in "private" (I guess that means in your own personal Faraday cage) isn't likely to be an improvement.
The real problem here is that people assume that Bluetooth has security.
-- Jorj
06-29-2005, 10:16 PM
Mystic
Join Date: Aug 2006
Posts: 1,734
Well, if you are on the train and your headset conversation suddenly cuts out because you lost your pairing, are you really not going to re-pair when the phone prompts you?
When you do, on your intercity train, some guy with a laptop could be running up premium rate phone calls on 5 phones at £1.50/minute.
£75 later he moves on to another 5 phones, and a month later you get a big bill. It's not all about identity theft. There's real money to be made in them thar phones.
Surur
06-29-2005, 10:58 PM
Theorist
Join Date: Sep 2005
Posts: 275
Quote:
Originally Posted by Surur
Well, if you are on the train and your headset conversation suddenly cuts out because you lost your pairing, are you really not going to re-pair when the phone prompts you.
I'm not sure about your headphone but mine doesn't need another one if the phone and the headset lose connection. This is what I know though (correct me if I'm wrong).... once a device gets paired it adds that device's address to the trusted devices list. So if the headset is connecting to your phone, it recognizes that unique address (looks like a MAC address) and figures that it doesn't need another pairing cause it's in the trusted list.
And yeah, when you go into a tunnel while riding a train, your phone & BT headset don't lose connection.... only your phone signal. ;-)
__________________
John Cruz
06-29-2005, 11:01 PM
Theorist
Join Date: Sep 2005
Posts: 275
Re: Bluetooth SIG Concede Newly Discovered Bluetooth Security Hole
Quote:
Originally Posted by Jorj Bauer
Don't forget the multitude of devices that have a SINGLE FIXED 4-digit PIN: 0000. These take absolutely no time to crack whatsoever.
Those devices that have a single fixed 4-digit PIN (e.g. my iTech headset) only go into pairing mode when you tell them to. I don't see how a malicious device could establish a pairing session request if it's not in that mode.
Granted, there are BT devices that have pairing always turned ON (like my BT access point... which is not working anymore). These are the cases where one has to be really really really careful.
Cheers!
__________________
John Cruz
06-29-2005, 11:04 PM
Mystic
Join Date: Aug 2006
Posts: 1,734
You are misunderstanding. The hole in the specification is that a loss of pairing can be induced.
On my phone (an SE v800) I would hear a tone from my phone telling me it lost connection with the headset. When I browse the Bluetooth settings to reconnect it will tell me to re-pair. This is where the hacker sniffs the password, and will be able to impersonate your headset, and therefore dial a number while you are reading your paper.
Surur
06-29-2005, 11:44 PM
Theorist
Join Date: Sep 2005
Posts: 275
Quote:
Originally Posted by Surur
You are misunderstanding. The hole in the specification is that a loss of pairing can be induced.
Sorry Surur, but the article discusses re-pairing "with" re-authentication. The attacks mentioned force your devices to get unpaired... in other words, to take your devices off the trusted list (I'm not sure if that is even possible... cause you cannot delete it from outside the device, or in other words, tell the other device to take you off the trusted pair list).
Anyway, that is why the article says you have to re-enter your PIN again because the other device doesn't recognize it anymore. But if you just lose connection by, say, turning your devices OFF then ON, that's a different case cause your devices won't ask for re-authentication.
I guess we are both lost in semantics here. There are 2 known uses of the word "pairing/pair" in the Bluetooth world. One is often used (as far as I know) in making each device known to the other, aka trusted, so the next time you do any other operations between devices, you don't need to keep on sending another PIN or verifying that it's ok for the other device to access it (OBEX file transfer doesn't seem to follow this rule). Another use for the word "pairing" is to reconnect devices when one was powered OFF before or something. I could have sworn the 'pairing' mentioned in the article is the first one. Don't you agree? :wink:
Best regards,
__________________
John Cruz