Story: Bluetooth needs long PINs for security
This article is damage control spin from the Bluetooth SIG. The solution offered does little to help.
"The SIG is also at pains to assure users that the hack is only an academic paper at present. 'The equipment needed for this process is very expensive and primarily used by developers only,' says its advice. 'It is highly unlikely that a normal user would ever encounter such an attack.'"
This is highly misleading. There are two aspects to the attack: cryptanalysing the pairing process, and forcing (and monitoring) a re-pairing. The equipment required for the cryptanalysis was nothing more than an ordinary desktop PC, nothing exotic at all. For forcing a re-pairing, you do indeed need a device which can be made to do Bluetooth abnormally at a low level. One way would be to use expensive development and testing devices, but is it the only way? I don't know, but Bluetooth crackers have had a lot of success in other attacks so far by either directly hacking Bluetooth chipsets or even buffer overrun attacks via laptop Bluetooth cards. Historically, the "this won't happen because the hardware is expensive" argument has been a path of folly.
"The SIG agrees with the researchers that a PC can crack a four digit code in a tenth of a second but reckons an eight digit PIN would take 100 years, 'making this crack nearly impossible'."
First, Peter has misquoted the SIG representative here, because he actually said eight ALPHANUMERIC characters, not digits. Obviously, if the time to check a trial PIN is constant in this attack (which in fact it is), and a 4 digit PIN can be done in 63 milliseconds, then an 8 digit PIN will only take 10,000 × 63 milliseconds, which is ten minutes. With alphanumeric passwords we are much better off, but it only pushes out to 100 years if you use a totally random password of miXeD cAse alphanumerics plus at least 7 punctuation marks (a password like l*W7nYj). Many Bluetooth devices won't even allow that sort of "PIN", and even on those that do it is a royal pain to enter mixed case random text and punctuation, even if you can remember it, so most people won't bother. Even then, the 100 years assumes your attacker only has 1 PC. The attack is easily parallelised, so if he has access to 1,200 PCs (e.g. a botnet, or at a university), it would only be 1 month.
If you give your device a straight alphanumeric 8 character PIN as suggested by the SIG (a password like KG7LBEA9), cracking will take not 100 years but about 200 days, divided by the number of PCs at the attacker's disposal. Adequate -- barely -- for personal privacy for a non-celebrity, still nothing like good enough if someone is going to throw a 1,000 host botnet at the problem, or hates you enough to wait 6 months for revenge.
And then they gloss over the fact that a whole bunch of Bluetooth devices have fixed 4 digit PINs which you cannot change, no matter what. Yes, Mister Stockbroker, that means that if you want to use that fancy wireless headset for your mobile calls, anyone within range could potentially be eavesdropping on your deals.
Fundamentally, the problem with Bluetooth is that they really didn't take security seriously. Bruce Schneier reported on this attitude a while ago: Bluetooth engineers felt that security was unimportant because it would only be a short range protocol. (Oh, did I mention that crackers have successfully linked to a victim device at a range of over a mile?) Consequently, Bluetooth has been busted again and again. Here's my workaround, Bluetooth SIG: do not use Bluetooth for anything sensitive. If you're Joe Average, that probably means don't use a Bluetooth device to call your stockbroker or your mistress. If you ARE a stockbroker, or a celebrity, or a sysadmin, it means don't use Bluetooth at all.
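The cost model behind the figures in the post above, as an added worked example (not part of the original post or of the research it discusses): the per-trial cost is derived from the post's "4 digit PIN in 63 milliseconds", and the alphabet sizes, the 7-punctuation set and the helper names are assumptions made here.

```python
import math
import string

# Calibration taken from the post: 10,000 four-digit PINs checked in 63 ms
# on one ordinary PC, with a constant cost per trial PIN.
TRIALS_4DIGIT = 10_000
SECONDS_4DIGIT = 0.063
SECONDS_PER_TRIAL = SECONDS_4DIGIT / TRIALS_4DIGIT  # 6.3 microseconds

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed alphabets for the three PIN styles the post compares.
ALPHABETS = {
    "digits": string.digits,
    "alphanumeric (one case)": string.ascii_uppercase + string.digits,
    "mixed case + 7 punctuation": string.ascii_letters + string.digits + "!*#$%&@",
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate PINs an exhaustive search has to try (worst case)."""
    return alphabet_size ** length


def crack_seconds(alphabet_size: int, length: int, hosts: int = 1) -> float:
    """Worst-case wall-clock time to exhaust the keyspace.

    The search splits evenly across hosts, so time divides by host count
    (the "easily parallelised" point in the post).
    """
    return keyspace(alphabet_size, length) * SECONDS_PER_TRIAL / hosts


def min_length(alphabet_size: int, target_seconds: float, hosts: int = 1) -> int:
    """Smallest PIN length whose worst-case crack time meets the target."""
    per_char_ratio = target_seconds * hosts / SECONDS_PER_TRIAL
    return max(1, math.ceil(math.log(per_char_ratio, alphabet_size)))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        secs = crack_seconds(len(alphabet), 8)
        print(f"8-char {name:28s} {secs / SECONDS_PER_DAY:12.1f} days "
              f"(1 PC), {secs / 1200 / SECONDS_PER_DAY:8.1f} days (1,200 PCs)")
    # How long a digit-only PIN would need to be to hold 100 years against 1,000 hosts.
    print("digits needed:", min_length(10, 100 * SECONDS_PER_YEAR, hosts=1000))
```

Running it reproduces the post's ten minutes for 8 digits, about 200 days for 8 alphanumerics, and roughly 100 years (one PC) or one month (1,200 PCs) for the mixed-case-plus-punctuation case.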