Bluetooth happy to fill Microsoft's shoes

Will Bluetooth share the security reputation Microsoft has suffered from?

Microsoft's security image problem goes back a long way. At the moment, Microsoft has some good security procedures in place and has an apparently effective program for dealing with newly discovered vulnerabilities. It's definitely not perfect, but it is one of the better process-driven programs out there.

However, there will always be people who think what Microsoft does never will be good enough. And many remember Microsoft's arrogance and denial about security problems in the 1990s.

At the time, Microsoft was infamous for letting security vulnerabilities go unpatched. It also denied that the security vulnerabilities were actually problems to begin with. For example, one of the most clueless comments was about one of the first versions of L0phtCrack, a brute-force password cracking attack on the Microsoft LanMan password algorithm. A Microsoft spokesman stated something to the effect, "Don't they have anything better to do with their time than trying brute force attacks?" As Peiter "Mudge" Zatko basically replied, "That's what computers are for."

Again, Microsoft had the proverbial 'come to Jesus' talk, and has made drastic improvements from those days. However, it would appear that the world needs a zero-sum gain, so now we have the Bluetooth SIG.

Last month, I reported on an antenna that can target Bluetooth devices from more than a mile away. When a security magazine recently interviewed a Bluetooth Special Interest Group representative about the growing concern, he reiterated the Bluetooth standard line that devices might be vulnerable within the standard 10 meters. He also said that there will always be problems and that software updates will take care of everything. They just don't get it.

Let's first assume that estimate is correct. Have you thought about how many potential attackers can be within 10 meters of you? If you are sitting in a building, you are theoretically vulnerable to attackers two floors above and below you. If you are in a bus or railroad car, everyone else on the bus or railroad car can attack you. There can be dozens of people within range of you as you walk down the street. As you sit in traffic, there can be 10 cars sitting within range. That is on top of the surreptitious devices that could be planted within range.

Looking further into the general statements of the Bluetooth spokesperson, you really have to consider how many people actually update their telephone's software. And, frankly, I am not even sure that there are updates easily available for the hardware drivers. Fundamentally, though, there are no updates available for the problem, even if it is possible to patch it.

The way I look at it, the Bluetooth SIG has two choices. It could either say nothing, or could just provide good, fundamental security information. If the group says nothing, at least it isn't perceived to be in denial or just fundamentally stupid, and the sheer majority of the general public will just continue to be happily ignorant.

If I were the spokesman, I would have stated that all technologies could experience vulnerabilities. As time goes on, technologies that are safe now can be vulnerable to newly discovered attacks in the future. In the meantime, deactivate the Bluetooth functionality if you are not using it. If you are using the functionality, then make sure Bluetooth is not set to discoverable mode.

Bluetooth SIG is comprised of people from some very aware security organizations. Unfortunately, they are exhibiting the same arrogance and denial that has put Microsoft in the doghouse for more than a decade. Sadly, we appear to have a zero-sum gain on our hands.
