Thoughts Media.com

 


  #1  
Old 06-12-2006, 10:00 PM
Ekkie Tepsupornchai
Magi
Join Date: Feb 2002
Posts: 2,386
InfoWorld: 'BlueBag' PC Sniffs out Bluetooth Flaws

http://www.infoworld.com/article/06...Nbluebag_1.html

"If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag. Billed as a research lab on wheels, BlueBag was created by Milan's Secure Network SRL to study how malicious software might be able to spread among devices that use the Bluetooth wireless standard.... In just under 23 hours of travel, BlueBag was able to spot more [than] 1,400 devices with which, in theory, it could have connected. Among the discoverable devices were a number of Nokia Corp.'s mobile phones and TomTom International BV's Go global positioning systems..."

I guess the term "Bluetooth Security" is becoming more and more of an oxymoron with each passing month. Nokia and TomTom were specifically called out because both manufacturers like to make their devices visible / discoverable to other BT devices by default, exposing those devices to unnecessary risk. Give it a read... and make sure your BT-enabled devices (especially your phone) are not discoverable unless manually invoked to be so!
 
  #2  
Old 06-12-2006, 10:52 PM
whydidnt
Pontificator
Join Date: Aug 2006
Posts: 1,202

The one thing I've always wondered about is how someone actually connects to the discovered device. I could be wrong, but it seems to me whenever I have a phone, PPC, etc, that is in discovery mode, I have to actually allow each specific new device to connect. My devices always ask if it's okay to connect and also for a passcode.

I guess GPS may be different, but really if someone wants to temporarily connect to your GPS device, can they really harm anything? It's not like your GPS includes a lot of vulnerable personal information, does it?

I'm just wondering if this is really as big of a problem as it's advertised to be?
 
  #3  
Old 06-13-2006, 06:27 PM
mmidgley
Intellectual
Join Date: May 2006
Posts: 251

I wonder how devices get bt certification when they have stupid defaults.

Regardless, the security risk is REALLY low here. You're probably at more risk from losing or having the device stolen at an airport.

m.
 
  #4  
Old 06-15-2006, 11:10 PM
RogueSpear
Ponderer
Join Date: May 2006
Posts: 86

This is the same issue as all of the WiFi products out there that have no security on by default. And those arguably could be more dangerous. Why does it always take a "sky is falling" approach to get vendors and consumers to wise up about this stuff?
 
  #5  
Old 06-17-2006, 07:29 AM
Cybrid
Pontificator
Join Date: Mar 2007
Posts: 1,466

Quote:
http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

Abstract:
This paper describes the implementation of an attack on the Bluetooth security mechanism. Specifically, we describe a passive attack, in which an attacker can find the PIN used during the pairing process. We then describe the cracking speed we can achieve through three optimizations methods. Our fastest optimization employs an algebraic representation of a central cryptographic primitive (SAFER+) used in Bluetooth. Our results show that a 4-digit PIN can be cracked in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3Ghz HT computer.
.................
5 The Re-Pairing attack

5.1 Background and motivation
This section describes an additional attack on Bluetooth devices that is useful when used in conjunction with the primary attack described in Section 3. Recall that the primary attack is only applicable if the attacker has eavesdropped on the entire process of pairing and authentication. This is a major limitation since the pairing process is rarely repeated. Once the link key Kab is created, each Bluetooth device stores it for possible future communication with the peer device. If at a later point in time the device initiates communication with the same peer - the stored link key is used and the pairing process is skipped. Our second attack exploits the connection establishment protocol to force the communicating devices to repeat the pairing process. This allows the attacker to record all the messages and crack the PIN using the primary attack described in this paper.

By cracking even your GPS, they would have the ability to deceive your device into re-establishing a pairing. Of course your PPC/PC is going to understand why your GPS unit suddenly developed OBEX capabilities.
 