Windows Phone Thoughts: Bluetooth SIG Concede Newly Discovered Bluetooth Security Hole


Wednesday, June 29, 2005

Bluetooth SIG Concede Newly Discovered Bluetooth Security Hole

Posted by Ekkie Tepsupornchai in "NEWS" @ 08:30 AM

http://www.engadget.com/entry/1234000550048520/

"The Bluetooth Special Interest Group has told people to set eight-digit PINs when pairing two devices and to take other precautions, after a report described a way for hackers to crack the security codes on Bluetooth devices and seize control of them. For security, Bluetooth devices will not communicate until they have 'paired'--a one-off process in which both devices must enter the same PIN, or personal identification number. A hacker that listens in on the pairing process can decode the PIN and then take control of the link, siphon off data or, potentially, take control of either of the devices."

So the advice of the Bluetooth SIG is to use 8-character alphanumeric PINs and to only perform pairing in private. 4-digit codes can be cracked in 0.1 seconds, but an eight-character PIN would take 100 years to crack, according to the Bluetooth SIG. They go on to say that such breaches would be highly unlikely as the equipment required is very expensive. Hmmmm. Well, my initial thoughts are that 100 years to crack an 8-character PIN sounds like wishful thinking, and the equipment required to do it probably isn't going to be too expensive for too long. On the other hand, such a security breach requires the thief to be at just the right place at just the right time and within close proximity to you... and then be able to stay within close proximity for a period of time that is long enough to pull any important information off of your device (remember the slow BT speeds). Additionally, they have to rely on you not doing anything to break the pairing... all the while you'd probably be sitting there wondering why your paired devices aren't working properly (and of course, doing nothing about it). Finally, my PPC and my laptop both prompt me for confirmation every time a paired device tries to access a file (the file transfer profile is the only one that would worry me), so I'm not sure just how much risk I'm really at. Anyone see differently?
