How Good Is BlueTooth's Security?
maliabu writes "If (not when) BlueTooth becomes really popular or populated in all the personal devices, will we start experiencing another wave of frauds similar to the current credit card strip-reading, or ATM machine shoulder-spying incidents? In this article about BlueTooth Security, the author asks 'but is Bluetooth secure enough for larger ad hoc networks, money transfers and transferring other sensitive information?' Even when the security standard becomes higher in BlueTooth, will the end users become victims of themselves by neglecting simple security rules, similar to not covering the keypad when entering your PIN number? Remember personal devices such as a mobile phone, heart-rate sensor, blood-pressure alarm, vision-correction lenses, etc., are more 'forgettable' than laptops/computers on WiFi. And the chances of strangers getting close enough to them are also higher, such as in the train, bus, cinema, etc."
it's all about protocol.
Timothy asks:
'will the end users become victims of themselves by neglecting simple security rules, similar to not covering the keypad when entering your PIN number?'
I think that we all know the answer to that one...
As a matter of fact, the whole gist of this paper seems to point less to overt flaws in bt's implementation and more to simple user error/laziness.
A good read, though.
slomotion
...when you're dead.
To be honest, I never found much use for BlueTooth. The idea is nice, but... we're not ready for it, yet. And I've found other solutions which fit the bill better than BlueTooth.
Informatus Technologicus
wireless USB or you already know that?
So, whatever encryption that can be used for USB can also be used for Bluetooth. Correct me if I am wrong.
I must get one of those
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
If there's any possibility of a security hole, someone is going to try and take advantage of it.
And probably will succeed.
And probably get their wrist slapped.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
It really seems like the author decided what he wanted to conclude before he started his study. His conclusions are mostly fluff. Sure the out of band PIN exchange is a bit clunky, but this isn't really a vulnerability. Nothing seamless is going to happen without some sort of certificate authority. Anything else is going to require authentication off the wire.
Battery draining denial of service scheme? Seems like this will be an issue for any limited power mobile device that is listening for connections. As for no defense against it, leaving your device "undiscoverable" and only talking to trusted devices is a good start.
The mention of a divide-and-conquer attack that cannot in fact be used probably doesn't belong in the conclusions.
PINs are, I believe, alphanumeric in most user interfaces, giving us more like 1.7 million keys for a four-digit key length. Still not that great a key space, but that's why you're allowed 16 octets.
It seems like the remainder of the conclusions make the assumption of bad application-level choices of keys and key types. I will acknowledge that this can derail pretty much any encryption scheme.
Personally, I sort of wonder why more standard algorithms were not used, such as RC*, Diffie-Hellman, etc. Also, this seems like it could really use a certificate of PGP-like "web of trust" to support it.