Bluetooth 2.1 is easy to crack

By Neil Roiter, Senior Technology Editor 07 Aug 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Even the best protocols can be badly implemented; in Bluetooth it is the opposite. Unless you really know what you are doing, it's easy to get wrong. Andrew Lindell chief cryptographer, Aladdin Knowledge Systems

It's possible to use 2.1 securely, said Andrew Lindell, chief cryptographer for Aladdin Knowledge Systems Ltd., but the odds are stacked against it.

"Good protocol should be hard to get wrong and easy to get right," Lindell said Wednesday at the Black Hat briefings. "Even the best protocols can be badly implemented; in Bluetooth it is the opposite. Unless you really know what you are doing, it's easy to get wrong."

The problem is that the protocol is wide open if a fixed password is used, and secure if a one-time password (OTP) is employed, so it's useless to an attacker. The framers of version 2.1 intended it to use OTPs, but didn't require their use anywhere in the 1,400-page protocol document.

Lindell said that in Bluetooth 2.1, a fixed password can be stolen in less than a second using a man-in-the-middle attack, regardless of the length of the password. In 2.0, a long password could thwart the attacker.

Black Hat 2008: Visit our extensive news coverage of Black Hat 2008. Exclusive photos of Black Hat 2008. Researchers develop lightweight Cisco IOS rootkit Black Hat: Building on previous research against IOS, Core Security researchers have theoretically shown the plausibility of an IOS rootkit attack. Mozilla to release Firefox threat-modeling data: The Mozilla Foundation's security chief says it will soon publicly release threat-modeling data for the next version of the Firefox Web browser. Valuable lesson emerges from DNS flaw handling Any effort to prevent others in the legitimate security community from working out the problem is a waste of time.

An attacker doesn't need good fortune to be nearby when a user is pairing two devices. Bluetooth devices can be "tricked" into forcing a re-pairing. An alert user might think this is odd, but Lindell said, most people are used to odd or buggy behavior in their technology, and will simply shrug and re-pair.

Lindell described a second attack, in which an attacker can easily obtain the password of a lost or stolen Bluetooth device.

Although Bluetooth version 2.1 was released more than a year ago, there are almost no implementations. Even if manufacturers are aware of the undocumented OTP requirement, there are barriers to implementation.

Devices like hands-free car kits and Bluetooth mice have no user interface, for example. Even in other cases, manufacturers are likely to be reluctant to require customers to use OTPs as a matter of convenience.

The results could be a Bluetooth keyboard turned into a key logger or a Bluetooth car ear set turned into a listening device, a form of what is known as a "car whisperer."

"Or," joked Lindell, "An attacker could even talk to people over the earpiece and scare them."

Tags: Wireless Network Protocols and Standards,  Password Management and Policy,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Wireless Network Protocols and Standards GSM cell phone encryption crack may force operators to upgrade Wireless network guidelines for PCI DSS compliance Best Wireless Security Products MMS messaging spoof hack could have global ramifications PCI group releases wireless security guide 802.1X Port Access Control: Which version is best for you? Wireless Security Lunchtime Learning An introduction to wireless security Lesson 1: How to counter wireless threats and vulnerabilities Risky Business: Understanding WiFi threats Password Management and Policy Torrent phishing scheme trips up Twitter users Microsoft, security firms warn of password meltdown How to find and remove keyloggers and prevent spyware installation How to encrypt passwords using network security certificates Two-factor authentication, vigilance foil password theft Group to shed light on secure identity management threats How to determine password strength for a website Prevent password cracking with password management strategies Brute force attacks target Yahoo email accounts Best Identity and Access Management Products

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Wired Equivalent Privacy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary