New Crack Bites Bluetooth Security

Opinion: Larry Loeb looks at an exploit that could allow rogue devices to hijack Bluetooth sessions, and reaffirms his distaste for the protocol.

I've never liked Bluetooth devices. They have always seemed finicky to me, especially the process where they "pair" with each other in order to communicate.

It may well be that this dislike stemmed from a review I tried to do a few years ago on a Bluetooth headset for mobile phones.

I spent many hours trying to get a phone and the headset to talk to each other, only to find that the phone was running an earlier version of the Bluetooth standard than the headset was using.

It was enormously frustrating to me, because there was no indication in the entire process of why the failure was occurring. It just didn't work.

So, learning about a new and inventive way to totally crack the protocol's security brought a small, thin smile of revenge to my lips as I recalled the frustration of that past review.

The crack was based on that very lack of user feedback: a rogue command spoofs the user into re-entering the shared secret key that is used to pair the devices and then to encrypt the data stream.

A Bluetooth-eavesdropping cracker first forcibly terminates an existing session, then tells the target user, in effect, "Oops, I'm the device you were just talking to and I forgot the secret key, so please resend it."

The user has no idea that this is a spoof (because the protocol gives the user no way to verify or authenticate such a request) and so resends the key. Bingo, the attacker hijacks the session.

This kind of wireless attack on the pairing PIN was no real surprise, considering that its basic outline had been laid down by Ollie Whitehouse at CanSecWest in Vancouver in April 2004 (outlined in PDF form).

But the new attack requires a specific message to be sent at a specific point in the protocol, something an off-the-shelf Bluetooth device can't do. A custom device sure could, however.

The really inventive and evil part of the exploit is the social engineering aspect.

The Bluetooth spec leaves a loophole that allows an attacker to query the attack-ee directly, in a way that looks entirely believable to the user.

The researchers behind the new attack realized how valuable that approach could prove to be, and just ran with it. It's just like using the telephone to get passwords out of support personnel by spoofing them, but automated.

So, what can we do about it? The average Joe User can't crack your cell phone in the next six months, but a motivated and technically sophisticated attacker with custom hardware could.

However, anything that stops the attack-ee from sending the PIN wirelessly would defeat the attacker's need to eavesdrop on the pairing before mounting the attack.

A user who is suspicious of, and refuses to comply with, sudden and unexpected re-pairing requests would eliminate the "social engineering" component of the attack.

If you are looking at your Bluetooth keyboard in a new light, consider that devices shipped with a fixed PIN (like keyboards) should be less vulnerable to this kind of attack, because they don't re-pair as often as devices with a variable PIN that requires user input.

But since I never have liked Bluetooth things and since I don't use any of them, I don't have to worry about it.

My gut feeling eventually proved to be right about a technology that seemed to be too light to do the job with any robustness.

Not that I can't flub one tomorrow, but I guess I can still pick 'em now and then.

