Slashdot Mirror


New Way To Crack Secure Bluetooth Devices

moon_monkey writes "Cryptographers have discovered a way to hack Bluetooth-enabled devices even when security features are switched on, according to a report from New Scientist.com. The discovery may make it even easier for hackers to eavesdrop on conversations and charge their own calls to someone else's cellphone. From the article: 'Our attack makes it possible to crack every communication between two Bluetooth devices, and not only if it is the first communication between those devices,'"

10 of 137 comments

  1. Funny quote by MyLongNickName · Score: 3, Insightful

    "Too many people are thinking of security instead of opportunity. They seem more afraid of life than death. -- James F. Byrnes"

    At bottom of Slashdot screen :)

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  2. Finally... by Mattygfunk1 · Score: 3, Funny

    ...an excuse for my "adult" calls on my phone bills.

    --
    free funny videos
    1. Re:Finally... by MyLongNickName · Score: 3, Insightful

      Does your mom make you do chores until you pay them off? You'd think once you hit 32, she'd stop doing that.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  3. Re:Article is missing an important detail by wyoung76 · Score: 3, Informative
    From TFA:

    Wool and Shaked have managed to force pairing by pretending to be one of the two devices and sending a message to the other claiming to have forgotten the link key.

    So, it's an automatic and remote attack which doesn't rely upon any cooperation from either of the two original Bluetooth devices.

  4. Re:A fix... by plover · Score: 4, Informative
    Don't use bluetooth! To me it seems very unnecessary to have a bt enabled phone.

    Then not only didn't you RTFA, but apparently you haven't used Bluetooth, either. Bluetooth is an extremely useful mechanism for many of us. It lets my PDA get on line; and when I hop in my vehicle, my car stereo magically becomes my car phone whenever it rings.

    I just wish more devices were Bluetooth enabled (and that this security hole didn't exist.) As is, I'm not losing sleep over this as I don't have a public-transit commute (the sort of place where breaks seem most likely to happen.)

    --
    John
  5. 4-digit PIN is the heart of the problem by G4from128k · Score: 3, Insightful

    Reading between the lines, it seems that the short nature of the PIN code is a key to the exploit. The attacker forces a re-pairing, listens to the re-pairing exchange, and then tries all possible PIN codes to determine which one is the right one. Because a 4-digit PIN has only 10,000 possibilities, it's easy to brute force it.

    A longer alphanumeric PIN might be a first step to making this exploit much less practical -- increasing the PIN search time from a fraction of a second to hours or days.

    This looks like another classic example of the fundamental tradeoff between usability and security.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:4-digit PIN is the heart of the problem by nacturation · Score: 3, Insightful

      You can't brute-force 10,000 combinations with a good hope of succeeding if you only get three tries. Even a 25 second wait after 3 incorrect PINs would make the attack last a full day.

      I could be wrong, but my understanding is that you record the negotiation process, during which the unknown PIN is exchanged. You can then go offline and figure out which PIN number would have resulted in the particular set of data exchanged during the negotiation. Then, you can go back online, having bruted the correct PIN, and Bob's your uncle.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  6. Re:Article is missing an important detail by Sancho · Score: 3, Insightful

    The article isn't clear.

    They imply that part of the pairing process is inputting the 4 digit PIN. If this is the case, user intervention would be required for re-pairing. Maybe the article wasn't as precise as possible regarding the process, but it distinctly uses the above terminology which, to me, implies manual input.

    Perhaps the devices remember the PIN if the link-key is forgotten, thus removing the need for user intervention? That would explain the bit in the article about trying every PIN (a 4-digit PIN seems pretty ridiculously small, regardless).

  7. Re:Article is missing an important detail by MadRocketScientist · Score: 5, Informative

    Digging up their paper, it seems that it is not automatic:

    If the attack is successful, the Bluetooth user will need to enter the PIN again - so a suspicious user may realize that his Bluetooth device is under attack and refuse to enter the PIN.

  8. Not such a big threat by Zarhan · Score: 3, Informative

    Ok, before this the attacker could only attack when the target link was forming.

    With this, you can force them to re-form at will.

    Even so, you still need to brute-force the PIN. The "PIN" is really a 16-byte field, and is not really limited to numeric (or even alphanumeric) characters.

    So what can be done:

    1) Start using long PIN codes (if your device is limited to numbers, at least use the maximum length)
    2) Software update that notifies user of the "forced re-pairing"
    3) Allow users to use PINs beyond the numeric space or possibility to use some pre-shared secret keys.

    This affects those of you who use "1234" or similar keys for pairing process for convenience.
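A toy model of the record-then-search-offline PIN recovery that nacturation describes, and of the search-space point made by G4from128k and Zarhan above. This is an added illustration, not code from the article or the paper it reports on; the HMAC-SHA256 key derivation and challenge/response are assumed stand-ins, not Bluetooth's real E22/E21 functions, and the pairing transcript is constructed.

```python
import hashlib
import hmac
import itertools
import os
import string

# Toy stand-in for the PIN-based key derivation. This is NOT Bluetooth's E22/E21;
# it only has to be a deterministic function of (PIN, public nonce), which is the
# property an offline search relies on.
def derive_link_key(pin: bytes, nonce: bytes) -> bytes:
    return hmac.new(pin, nonce, hashlib.sha256).digest()

# Toy challenge/response authentication keyed with the derived link key.
def auth_response(link_key: bytes, challenge: bytes) -> bytes:
    return hmac.new(link_key, challenge, hashlib.sha256).digest()

def record_pairing(pin: bytes) -> dict:
    """Constructed transcript of one pairing: everything a passive listener sees.
    The nonce and challenge go over the air in the clear; the PIN and link key do not."""
    nonce, challenge = os.urandom(16), os.urandom(16)
    return {"nonce": nonce, "challenge": challenge,
            "response": auth_response(derive_link_key(pin, nonce), challenge)}

def offline_pin_search(transcript: dict, pin_length: int = 4):
    """Try every numeric PIN of the given length against the recording.
    Nothing is sent to the device, so retry limits and lockout delays never fire.
    Returns (pin, guesses_needed), or (None, total_space) if no PIN reproduces it."""
    for guesses, digits in enumerate(itertools.product(string.digits, repeat=pin_length), 1):
        pin = "".join(digits).encode()
        key = derive_link_key(pin, transcript["nonce"])
        if auth_response(key, transcript["challenge"]) == transcript["response"]:
            return pin, guesses
    return None, 10 ** pin_length

def search_space(alphabet_size: int, length: int) -> int:
    """Work factor for exhausting a PIN policy: 4 digits -> 10**4 candidates,
    the full 16-byte field -> 256**16 = 2**128."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return search_space(alphabet_size, length) / guesses_per_second

if __name__ == "__main__":
    pin, guesses = offline_pin_search(record_pairing(b"1234"))  # the "1234" key the thread warns about
    print(f"recovered PIN {pin!r} after {guesses} guesses")
    for label, (alpha, length) in {"4 digits": (10, 4), "8 digits": (10, 8), "16 bytes": (256, 16)}.items():
        print(f"{label}: {search_space(alpha, length):.3g} candidates, "
              f"{seconds_to_exhaust(alpha, length, 1e6):.3g} s at 1e6 guesses/s")
```

The lockout mentioned in the thread only helps against online guessing; the search here runs entirely against the recording, which is why the PIN length (and alphabet), not the retry limit, sets the attacker's cost.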