
Bluetooth 2.1 is easy to crack

By Neil Roiter, Senior Technology Editor
07 Aug 2008 | SearchSecurity.com

LAS VEGAS -- Bluetooth 2.1, designed to be more secure than the previous version, is actually far more vulnerable, making it trivial for an attacker to obtain a password when he or she eavesdrops on a user pairing up two Bluetooth devices.

It's possible to use 2.1 securely, said Andrew Lindell, chief cryptographer for Aladdin Knowledge Systems Ltd., but the odds are stacked against it.

"Good protocol should be hard to get wrong and easy to get right," Lindell said Wednesday at the Black Hat briefings. "Even the best protocols can be badly implemented; in Bluetooth it is the opposite. Unless you really know what you are doing, it's easy to get wrong."

The problem is that the protocol is wide open if a fixed password is used, and secure if a one-time password (OTP) is employed, since a password that is used only once is useless to an attacker. The framers of version 2.1 intended it to use OTPs, but didn't require their use anywhere in the 1,400-page protocol document.

Lindell said that in Bluetooth 2.1, a fixed password can be stolen in less than a second using a man-in-the-middle attack, regardless of the length of the password. In 2.0, a long password could thwart the attacker.


An attacker doesn't need the good fortune of being nearby when a user is pairing two devices. Bluetooth devices can be "tricked" into forcing a re-pairing. An alert user might think this is odd, but, Lindell said, most people are used to odd or buggy behavior in their technology and will simply shrug and re-pair.

Lindell described a second attack, in which an attacker can easily obtain the password of a lost or stolen Bluetooth device.

Although Bluetooth version 2.1 was released more than a year ago, there are almost no implementations. Even if manufacturers are aware of the undocumented OTP requirement, there are barriers to implementation.

Devices like hands-free car kits and Bluetooth mice have no user interface, for example. Even in other cases, manufacturers are likely to be reluctant, for the sake of convenience, to require customers to use OTPs.

The result could be a Bluetooth keyboard turned into a key logger or a Bluetooth car ear set turned into a listening device, a form of what is known as a "car whisperer."

"Or," joked Lindell, "an attacker could even talk to people over the earpiece and scare them."


