
Expert: Gaps still pain Bluetooth security

Eavesdroppers with the right gear could breach the security in the latest specification of the wireless technology, giving them access to data on cell phones.

Robert Lemos, Staff Writer, CNET News.com. Covers viruses, worms and other security threats.
VANCOUVER, British Columbia--The latest specification of Bluetooth, a popular short-range wireless technology, has left serious security issues unfixed, according to a wireless researcher.

The glitch in the Bluetooth 1.2 technology lies in how it handles the personal identification number (PIN) that two devices share when they first pair and from which the key protecting their later traffic is derived, Ollie Whitehouse, a researcher for digital security firm @Stake, said at the CanSecWest security conference here on Wednesday.


An analysis of the specification has shown that the PIN can be recovered, according to Whitehouse. This is done with specialized hardware that captures certain data exchanged between Bluetooth-enabled devices when they first contact each other. Once that information is collected and the PIN recovered, an eavesdropper could listen to cell phone calls, grab personal information as it is synchronized with a computer, or impersonate one device to the other.

"People who use Bluetooth, if they use short PINs, are exposing data on the device," Whitehouse said. "Moreover, people who wander around with an active Bluetooth device may be tracked by a knowledgeable security person."

The discovery is the latest security problem to be found with Bluetooth technology. Previous attack approaches have gone by such colorful names as "Redfang," which exposes the location of hidden Bluetooth devices, and "Bluestumbling" (also known as "Bluesnarfing"), which allows an attacker to grab information from certain makes of phones that have poorly implemented security.

Nokia, one manufacturer whose phones could be affected by a Bluestumbling attack, announced on Thursday that it would provide an update to solve that issue.

Bluetooth is a short-range wireless networking technology that allows portable devices such as cell phones and handhelds to communicate and share data at transfer rates up to 720 kilobits per second. While the technology may be widely installed, analysts have said it is not clear that there is strong consumer demand for the technology.

Recently, ultrawideband has been viewed as a competing short-range wireless technology because of its faster transfer rates of 480 megabits per second. But so far, manufacturers have only used it in consumer electronics devices such as televisions and set-top boxes. Additionally, the development of ultrawideband has been slowed by a standards battle.

Whitehouse said the security track record of the Bluetooth technology has been disappointing.

"We have already had three revisions of the specification out there," Whitehouse said, estimating that there could be as many as 40 million devices that use Bluetooth 1.2 and earlier versions. "I think this attack could be effective for the next three years."

@Stake has recommended that traders working for financial companies should not use Bluetooth headsets on the floors of stock exchanges.

Fortunately, launching an attack using the flaw exposed Wednesday is neither simple nor cheap. @Stake found that an attacker must eavesdrop on the initial negotiation between two Bluetooth devices, called "bonding," and record some key data from that exchange. With that recording in hand, the secret PIN can be cracked by trying candidate PINs against the captured data, according to Whitehouse.

The length of time it takes to crack the code depends on the number of digits a person uses in his or her code. A 6-digit PIN can be broken in just over 10 seconds, while a 16-digit PIN would take more than a million days to crack, he said. Many Bluetooth-enabled headsets use 4-digit PINs that can be broken in less than a second. Each additional digit multiplies the search by ten, which is what separates the 10-second and the million-day figures.
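The following is an added illustration of the offline search described above; it is example code written for this page, not @Stake's tool, Whitehouse's research code or anything from the Bluetooth specification. It models the bonding exchange (the initialisation key derived from the PIN, the masked link-key randoms, and the mutual challenge/response) and then replays that derivation for every candidate PIN until the recomputed responses match the captured ones. The specification's SAFER+-based E22, E21 and E1 functions are replaced by HMAC-SHA256 stand-ins, the device addresses are constructed, and the field names in the capture are assumptions; the structure of the attack and the growth of the search space with PIN length are what the example shows.

```python
import hashlib
import hmac
import itertools
import os

# Constructed sample device addresses (BD_ADDR is 48 bits); not real devices.
ADDR_A = bytes.fromhex("001122334455")   # hypothetical phone
ADDR_B = bytes.fromhex("66778899aabb")   # hypothetical headset


def _prf(label: bytes, key: bytes, data: bytes, out_len: int) -> bytes:
    # Stand-in for the specification's SAFER+-based E22/E21/E1 functions.
    # The real functions differ; the attack only needs them to be public
    # and deterministic, which a keyed hash also is.
    return hmac.new(key, label + data, hashlib.sha256).digest()[:out_len]


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialisation key K_init derived from the PIN (stand-in for E22)."""
    return _prf(b"E22", pin, bd_addr + in_rand, 16)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the link key (stand-in for E21)."""
    return _prf(b"E21", lk_rand, bd_addr, 16)


def e1(link_key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:
    """32-bit authentication response SRES (stand-in for E1)."""
    return _prf(b"E1", link_key, bd_addr + au_rand, 4)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pair_and_authenticate(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom):
    """Run bonding plus mutual authentication between devices A and B.
    Returns (link_key, capture); capture holds exactly the values an
    eavesdropper sees on the air, which is all the offline PIN search needs."""
    in_rand = rng(16)                              # A -> B, in clear
    k_init = e22(pin, addr_b, in_rand)             # both sides, from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)        # secret per-device randoms
    c_a = xor(lk_rand_a, k_init)                   # A -> B, masked with K_init
    c_b = xor(lk_rand_b, k_init)                   # B -> A, masked with K_init
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    au_rand_ab, au_rand_ba = rng(16), rng(16)      # challenges, in clear
    capture = {
        "addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
        "c_a": c_a, "c_b": c_b,
        "au_rand_ab": au_rand_ab, "sres_b": e1(link_key, addr_b, au_rand_ab),
        "au_rand_ba": au_rand_ba, "sres_a": e1(link_key, addr_a, au_rand_ba),
    }
    return link_key, capture


def _derive_from_pin(pin: bytes, cap: dict) -> bytes:
    """Redo the key derivation from a candidate PIN and the captured values."""
    k_init = e22(pin, cap["addr_b"], cap["in_rand"])
    lk_rand_a = xor(cap["c_a"], k_init)            # unmask the captured randoms
    lk_rand_b = xor(cap["c_b"], k_init)
    return xor(e21(lk_rand_a, cap["addr_a"]), e21(lk_rand_b, cap["addr_b"]))


def crack_pin(cap: dict, max_digits: int):
    """Offline brute force: try every numeric PIN of 1..max_digits digits until
    the recomputed responses match both captured SRES values. Returns
    (pin, link_key, candidates_tried); the link key is what lets the
    eavesdropper decrypt the rest of the session."""
    tried = 0
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            tried += 1
            pin = "".join(digits).encode()
            link_key = _derive_from_pin(pin, cap)
            # Checking both directions of the mutual authentication gives 64 bits
            # of verification, so a wrong PIN is not accepted by chance.
            if (e1(link_key, cap["addr_b"], cap["au_rand_ab"]) == cap["sres_b"]
                    and e1(link_key, cap["addr_a"], cap["au_rand_ba"]) == cap["sres_a"]):
                return pin.decode(), link_key, tried
    return None, None, tried


def search_space(max_digits: int) -> int:
    """Number of numeric PINs of 1..max_digits digits: each extra digit
    multiplies the work by ten, which is why 4 digits fall instantly
    and 16 digits do not."""
    return sum(10 ** n for n in range(1, max_digits + 1))


if __name__ == "__main__":
    real_key, cap = pair_and_authenticate(b"1234", ADDR_A, ADDR_B)
    pin, key, tried = crack_pin(cap, 6)
    print(f"recovered PIN {pin} after {tried} candidates; link key match: {key == real_key}")
    for d in (4, 6, 10, 16):
        print(f"{d:2d}-digit PINs: {search_space(d):,} candidates")
```

Nothing in the search talks to either device: the victim is never probed, only overheard once, which is why pairing in private (below) is the practical mitigation. Dividing the candidate count by the rate at which a given rig can evaluate the key derivation gives the crack-time projection for any PIN length.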

However, a common hacker would be unlikely to be able to launch such an attack, said Ben Laurie, the technical director for The Bunker, a U.K. secure hosting provider, and a creator of the Bluestumbling method.

"You can't just use an ordinary Bluetooth card," he said. "The attack requires some pretty hefty equipment."

The specialized gear for hacking Bluetooth signals could cost more than $15,000, Whitehouse said. However, he added that certain programmable wireless cards that cost less than $1,000 could be turned into Bluetooth-eavesdropping equipment, with proper research.

Whitehouse stressed that smart users can defend their devices against the security problem. He recommended that users choose PINs with a large number of digits, where the device allows the PIN to be changed at all; a 10-digit PIN would take weeks to crack. In addition, Bluetooth users should avoid pairing their devices for the first time in a public place, since that initial exchange is the only thing an attacker needs to capture.

However, he warned that a side effect of Bluetooth-enabled devices would be harder to foil: surveillance. Using inexpensive electronics, anyone could create a Bluetooth device that would be able to detect another device as far as a kilometer away, allowing police and hackers to track people via their cell phones.

"There is nothing we can do to prevent the tracking, other than disabling Bluetooth," he said.