Bluetooth needs long PINs for security


Bluetooth, the wireless connection used on PDAs and phones, is not safe unless you use an eight-digit PIN to secure devices, users have been warned.

The Bluetooth Special Interest Group has told users to set eight-digit PINs when pairing two devices, and take other precautions, after a report described a way for hackers to crack the security codes on Bluetooth devices and seize control of them.

For security, Bluetooth devices will not communicate until they have 'paired' -- a one-off process in which both devices must enter the same PIN. A hacker who listens in on the pairing process can decode the PIN, and then take control of the link, siphon off data or, potentially, take control of either of the devices.

Because Bluetooth has a short range, and pairing is a one-off process between any two devices, most users were considered safe -- until a fiendish extension of the attack was described this month by Yaniv Shaked and Avishai Wool of Tel Aviv University in Israel.

The new attack can force two Bluetooth devices to come 'un-paired'. When the user pairs them again, the hacker can listen to the pairing process and crack the PIN, warn the researchers.

The simplest way to force Bluetooth devices to re-pair is to send a message that purports to come from one of them, claiming to have lost the key. Three ways to force re-pairing are described in "Cracking the Bluetooth PIN", presented by Avishai Wool and Yaniv Shaked of Tel Aviv University, at the Mobisys conference in Seattle.

The Bluetooth SIG’s advice echoes that of Wool and Shaked -- don’t re-pair in a public place, where someone else might eavesdrop, and use a longer PIN.

"When you pair devices for the first time, do this in private -- at home or in the office," advises the SIG. "If your devices become unpaired while you are in public, wait until you are in a private, secure location before repairing your devices, if possible."

"Always use an eight character alphanumeric PIN code as the minimum," says the SIG. "You only have to enter this once, so [a longer code] is not a hardship given the security benefits."

The SIG agrees with the researchers that a PC can crack a four-digit code in a tenth of a second but reckons an eight-digit PIN would take 100 years, "making this crack nearly impossible". Some devices, such as headsets, include a factory-set four-digit PIN, but most devices like phones allow users to set the PIN they want.

The SIG is also at pains to assure users that the hack is only an academic paper at present. "The equipment needed for this process is very expensive and primarily used by developers only," says its advice. "It is highly unlikely that a normal user would ever encounter such an attack."

As ever, knowledge is important. "The attack also relies on a degree of user gullibility, so understanding the Bluetooth pairing process is an important defence," said the SIG. 

Talkback

Do I need to plug in my mouse USB cable in private also? In the future people will ask you to forgive him a while since he needs to use the bathroom to re-pair his mobile with headset! What a wonderful world!

via Facebook 28 June, 2005 17:35

This article is damage control spin from the Bluetooth SIG. The solution offered does little to help.

"The SIG is also at pains to assure users that the hack is only an academic paper at present. 'The equipment needed for this process is very expensive and primarily used by developers only,' says its advice. 'It is highly unlikely that a normal user would ever encounter such an attack.'"

This is highly misleading. There are two aspects to the attack: cryptanalysing the pairing process, and forcing (and monitoring) a re-pairing. The equipment required for the cryptanalysis was nothing more than an ordinary desktop PC, nothing exotic at all. For forcing a re-pairing, you do indeed need a device which can be made to do Bluetooth abnormally at a low level. One way would be to use expensive development & testing devices, but is it the only way? I don't know, but Bluetooth crackers have had a lot of success in other attacks so far by either directly hacking Bluetooth chipsets or even buffer overrun attacks via laptop Bluetooth cards. Historically, the "this won't happen because the hardware is expensive" argument has been a path of folly.


"The SIG agrees with the researchers that a PC can crack a four digit code in a tenth of a second but reckons an eight digit PIN would take 100 years, 'making this crack nearly impossible'."

First, Peter has misquoted the SIG representative here, because he actually said eight ALPHANUMERIC characters, not digits. Obviously, if the time to check a trial PIN is constant in this attack (which in fact it is), and a 4 digit PIN can be done in 63 milliseconds, then an 8 digit PIN will only take 10,000 x 63 milliseconds, which is ten minutes. With alphanumeric passwords we are much better off, but it only pushes out to 100 yrs if you use a totally random password of miXeD cAse alphanumerics plus at least 7 punctuation marks (a password like l*W7nYj). Many Bluetooth devices won't even allow that sort of "PIN", and even on those that do it is a royal pain to enter mixed case random text and punctuation, even if you can remember it, so most people won't bother. Even then, the 100 years assumes your attacker only has 1 PC. The attack is easily parallelised, so if he has access to 1,200 PCs (e.g. a bot net, or at a University), it would only be 1 month.

If you give your device a straight alphanumeric 8 character PIN as suggested by the SIG (a password like KG7LBEA9), cracking will take not 100 years but about 200 days, divided by the number of PCs at the attacker's disposal. Adequate -- barely -- for personal privacy for a non-celebrity, still nothing like good enough if someone is going to throw a 1,000 host botnet at the problem, or hates you enough to wait 6 months for revenge.

And then they gloss over the fact that a whole bunch of Bluetooth devices have fixed 4 digit PINs which you cannot change, no matter what. Yes mister stock broker, that means that if you want to use that fancy wireless headset for your mobile calls, anyone within range could potentially be eavesdropping on your deals.

Fundamentally, the problem with Bluetooth is that they really didn't take security seriously. Bruce Schneier reported on this attitude a while ago, Bluetooth engineers feeling that security was unimportant because it would only be a short range protocol. (Oh, did I mention that crackers have successfully linked to a victim device at a range of over a mile?) Consequently, Bluetooth has been busted again and again. Here's my workaround, Bluetooth SIG: do not use Bluetooth for anything sensitive. If you're Joe Average, that probably means don't use a Bluetooth device to call your stockbroker or your mistress. If you ~are~ a stockbroker, or a celebrity, or a sysadmin, it means don't use Bluetooth at all.

via Facebook 4 July, 2005 05:44
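The brute-force times quoted by the SIG in the article and recomputed in the talkback above can be checked with this added Python script (it is not from the article, the SIG or the researchers). It assumes the commenter's benchmark of 63 ms to exhaust all 10^4 four-digit PINs and a constant cost per trial, and generalises that to any PIN alphabet, length and number of parallel hosts.

```python
import math

# Benchmark quoted in the talkback: one desktop PC exhausts all 10^4
# four-digit PINs in 63 ms (assumed here as the calibration point).
BENCH_PIN_DIGITS = 4
BENCH_SECONDS = 0.063

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# PIN alphabets discussed on the page; only the sizes matter for the search.
ALPHABETS = {
    "digits only":          10,               # the SIG's "eight-digit" reading
    "upper + digits":       36,               # a PIN like KG7LBEA9
    "mixed + digits + 7 punct": 26 + 26 + 10 + 7,  # a PIN like l*W7nYj
}


def per_trial_seconds(bench_seconds=BENCH_SECONDS, bench_digits=BENCH_PIN_DIGITS):
    """Cost of one PIN trial, derived from the four-digit benchmark."""
    return bench_seconds / (10 ** bench_digits)


def exhaustive_search_seconds(alphabet_size, length, hosts=1, trial_s=None):
    """Worst-case time to try every PIN of `length` symbols, split over `hosts` PCs."""
    trial_s = per_trial_seconds() if trial_s is None else trial_s
    keyspace = alphabet_size ** length
    return keyspace * trial_s / hosts


def entropy_bits(alphabet_size, length):
    """Size of the PIN space expressed in bits, for comparison with real keys."""
    return length * math.log2(alphabet_size)


def report(length=8, hosts=1):
    """(alphabet name, bits, days of exhaustive search) for each alphabet."""
    return [(name, entropy_bits(size, length),
             exhaustive_search_seconds(size, length, hosts) / SECONDS_PER_DAY)
            for name, size in ALPHABETS.items()]


if __name__ == "__main__":
    print(f"per trial: {per_trial_seconds() * 1e6:.1f} us")
    for hosts in (1, 1200):
        print(f"--- {hosts} host(s) ---")
        for name, bits, days in report(hosts=hosts):
            print(f"{name:26s} {bits:5.1f} bits  {days:10.1f} days  ({days / 365.25:7.2f} years)")
```

The output reproduces the commenter's figures: about 10 minutes for eight digits, about 200 days for eight upper-case alphanumerics, roughly 100 years for the 69-symbol alphabet, and about a month for that alphabet once 1,200 hosts share the work.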
