Free Republic
News/Activism

New Hack Cracks 'secure' Bluetooth Devices
NewScientist.com | June 3, 2005 | Celeste Biever

Posted on 06/03/2005 5:21:44 PM PDT by LaserLock

Cryptographers have discovered a way to hack Bluetooth-enabled devices even when security features are switched on. The discovery may make it even easier for hackers to eavesdrop on conversations and charge their own calls to someone else’s cellphone.

Bluetooth is a protocol that allows different devices including phones, laptops, headsets and printers to communicate wirelessly over short ranges - typically between 10 and 100 metres.

Over the past few years security experts have devised many ways of hacking into Bluetooth communications, but most require the Bluetooth security features to be switched off.

In April 2004, UK-based Ollie Whitehouse, at that time working for security firm @Stake, showed that even Bluetooth devices in secure mode could be attacked. His method allowed someone to hijack the phone, giving them the power to make calls as if it were in their own hands.

Pairing up

But this technique did not pose a serious risk because it could be performed only if the hacker happened to catch two Bluetooth devices just before their first communication, during a process known as “pairing”.

Before two Bluetooth devices can communicate they must establish a secret key via this pairing process. But as long as the two devices paired up in a private place there was no risk of attack, explains Chris McNab of the UK security firm TrustMatta.

Now Avishai Wool and Yaniv Shaked of Tel Aviv University in Israel have worked out how to force devices to pair whenever they want. “Our attack makes it possible to crack every communication between two Bluetooth devices, and not only if it is the first communication between those devices,” says Shaked.

“Pairing allows you to seize control,” says Bruce Schneier, a security expert based in Mountain View, California. “You can sit on the train and make phone calls on someone else’s phone.”

Sniffing the airwaves

During pairing, two Bluetooth devices establish the 128-bit secret “link key” that they then store and use to encrypt all further communication. The first step requires the legitimate users to type the same secret, four-digit PIN into both devices. The two devices then use this PIN in a complex process to arrive at the common link key.

Whitehouse showed in 2004 that a hacker could arrive at this link key without knowing the PIN using a piece of equipment called a Bluetooth sniffer. This can record the exchanged messages being used to derive the link key and feed the recordings to software that knows the Bluetooth algorithms and can cycle through all 10,000 possibilities of the PIN. Once a hacker knows the link keys, Whitehouse reasoned they could hijack the device.
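The weakness the two paragraphs above describe is that the 128-bit link key is only as strong as the four-digit PIN it is derived from: everything else that goes into the derivation is sent in the clear, so a recorded exchange lets each PIN guess be checked offline. The following added example (not code from the article or from the Shaked and Wool paper) models that with a toy derivation: the link key is an HMAC of the PIN over two public nonces and the authentication step answers a challenge with a MAC under that key. The functions, nonces and transcript are constructed for illustration, and the HMAC construction stands in for Bluetooth's real E22/E21/E1 functions, which are not reproduced here. It shows that a four-digit PIN is found within the 10,000 candidates the article mentions, while the same search with a long alphanumeric PIN has a space the exhaustive search cannot cover.

```python
import hashlib
import hmac
import itertools
import os
import string

# Alphabets used to size the PIN space (assumed for illustration).
DIGITS = string.digits
ALNUM = string.ascii_letters + string.digits


def derive_link_key(pin: str, rand_a: bytes, rand_b: bytes) -> bytes:
    """Toy model: a 128-bit link key derived from the PIN and two nonces that
    both devices send in the clear. Stand-in for Bluetooth's E22/E21."""
    return hmac.new(pin.encode(), rand_a + rand_b, hashlib.sha256).digest()[:16]


def auth_response(link_key: bytes, challenge: bytes) -> bytes:
    """Toy model of the authentication step: a MAC of the challenge under the
    link key. Stand-in for Bluetooth's E1."""
    return hmac.new(link_key, challenge, hashlib.sha256).digest()[:16]


def record_pairing(pin: str) -> dict:
    """Simulate what a sniffer captures during pairing: the nonces, the
    challenge and the response, but never the PIN or the key itself."""
    rand_a, rand_b, challenge = os.urandom(16), os.urandom(16), os.urandom(16)
    key = derive_link_key(pin, rand_a, rand_b)
    return {"rand_a": rand_a, "rand_b": rand_b, "challenge": challenge,
            "response": auth_response(key, challenge)}


def search_space(alphabet: str, length: int) -> int:
    """Upper bound on the number of PIN guesses an offline search must test."""
    return len(alphabet) ** length


def recover_pin(transcript: dict, alphabet: str, length: int, limit: int):
    """Offline search over the PIN space using only the recorded transcript.

    Each candidate PIN is turned into a link key and checked against the
    recorded challenge/response pair. Returns (pin, tries) on success or
    (None, tries) once `limit` candidates have been tested."""
    tries = 0
    for combo in itertools.product(alphabet, repeat=length):
        pin = "".join(combo)
        tries += 1
        key = derive_link_key(pin, transcript["rand_a"], transcript["rand_b"])
        if hmac.compare_digest(auth_response(key, transcript["challenge"]),
                               transcript["response"]):
            return pin, tries
        if tries >= limit:
            break
    return None, tries


if __name__ == "__main__":
    # Constructed PIN for the demonstration.
    captured = record_pairing("1234")
    print("4-digit PIN space:", search_space(DIGITS, 4))
    print("recovered:", recover_pin(captured, DIGITS, 4, search_space(DIGITS, 4)))
    # A 16-character alphanumeric PIN: same algorithm, but the search space
    # is far beyond what the same budget can cover.
    print("16-char alphanumeric PIN space: %.2e" % search_space(ALNUM, 16))
    long_capture = record_pairing("x7Qm2pLz9vB4kR1s")
    print("with a 10,000-guess budget:", recover_pin(long_capture, ALNUM, 16, 10_000))
```

The point of the `limit` argument is to make the cost visible: with the digit alphabet the search always ends within 10,000 tries, which is why the article's 0.06-second figure is plausible, while the alphanumeric run exhausts the same budget without a result. Nothing in the key length changes that; only the entropy of what the user types does.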

But pairing only occurs the first time two devices communicate. Wool and Shaked have managed to force pairing by pretending to be one of the two devices and sending a message to the other claiming to have forgotten the link key. This prompts the other device to discard the link key and the two then begin a new pairing session, which the hacker can then use.

Surprisingly easy

In order to send a “forget” message, the hacker must simply spoof one of the devices' personal IDs, which can be done because all Bluetooth devices broadcast this automatically to any Bluetooth device within range.
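The two passages above (the forged “forgot the link key” message and the spoofed device ID that makes it possible) come down to one policy decision inside the receiving device: what it does with a stored link key when a peer claims to have lost it. The following added example (not code from the article or from any Bluetooth stack) models a device that keeps a table of paired peers and contrasts the behaviour the article describes, where the claim alone discards the key, with an assumed hardened policy under which the key is kept unless the local user confirms the re-pairing, and unconfirmed claims are logged as an alert. Device names, addresses and the link key are constructed values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Device:
    """Model of a device that remembers link keys for peers it has paired with.

    `peers` maps a peer's device address to the stored link key; `log`
    records what the device did with each 'key lost' claim. Constructed for
    illustration, not a Bluetooth implementation."""
    name: str
    peers: Dict[str, bytes] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def store_pairing(self, address: str, link_key: bytes) -> None:
        self.peers[address] = link_key

    def on_key_missing(self, claimed_address: str) -> str:
        """Behaviour the article describes: a message claiming the link key
        was lost makes the device drop the stored key and start a new pairing,
        and the claimant is trusted purely on the address it announces."""
        self.peers.pop(claimed_address, None)
        self.log.append(f"{self.name}: re-pairing with {claimed_address}")
        return "REPAIR"


@dataclass
class HardenedDevice(Device):
    """Assumed hardened policy (not from the article): an existing link key is
    only discarded after the local user confirms, and unconfirmed claims are
    counted so repeated ones stand out in the log."""
    user_confirms: Callable[[str], bool] = lambda address: False
    unconfirmed_claims: Dict[str, int] = field(default_factory=dict)

    def on_key_missing(self, claimed_address: str) -> str:
        if claimed_address not in self.peers:
            # No existing relationship to protect: an ordinary first pairing.
            return super().on_key_missing(claimed_address)
        if self.user_confirms(claimed_address):
            self.log.append(f"{self.name}: user approved re-pairing with {claimed_address}")
            return super().on_key_missing(claimed_address)
        n = self.unconfirmed_claims.get(claimed_address, 0) + 1
        self.unconfirmed_claims[claimed_address] = n
        self.log.append(f"{self.name}: ALERT unconfirmed key-lost claim #{n} "
                        f"from {claimed_address}; existing key kept")
        return "REJECT"


def simulate(device: Device, spoofed_address: str) -> dict:
    """Deliver one 'key lost' claim carrying a spoofed address and report
    whether the device re-paired and whether the stored key survived."""
    decision = device.on_key_missing(spoofed_address)
    return {"decision": decision, "key_kept": spoofed_address in device.peers}


if __name__ == "__main__":
    PEER = "AA:BB:CC:DD:EE:FF"                          # constructed address
    KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key

    legacy = Device("phone-legacy")
    legacy.store_pairing(PEER, KEY)
    print("legacy:", simulate(legacy, PEER))

    hardened = HardenedDevice("phone-hardened")
    hardened.store_pairing(PEER, KEY)
    print("hardened:", simulate(hardened, PEER))
    print("hardened, second claim:", simulate(hardened, PEER))

    for line in legacy.log + hardened.log:
        print(line)
```

The legacy device ends the simulation with no key for the peer and a fresh pairing under way, which is exactly the state the offline PIN search needs. The hardened device keeps its key, so a spoofed address alone achieves nothing, and the alert line gives an operator something to look for: a previously paired peer repeatedly claiming to have lost its key is not normal traffic.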

“Having it done so easily is surprising,” says Schneier. He is also impressed by the fact that Wool and Shaked have actually implemented Whitehouse’s idea in real devices.

They show that once an attacker has forced two devices to pair, they can work out the link key in just 0.06 seconds on a Pentium IV-enabled computer, and 0.3 seconds on a Pentium-III. “This is not just a theoretical break, it’s practical,” says Schneier.

Shaked and Wool will present their findings at the MobiSys conference next Monday in Seattle, Washington, US.


TOPICS: Business/Economy; Editorial; Miscellaneous
KEYWORDS: bluetooth; phonehack

1 posted on 06/03/2005 5:21:44 PM PDT by LaserLock

To: LaserLock

Damned interesting article, LL! Thanks


2 posted on 06/03/2005 5:25:26 PM PDT by ko_kyi

To: LaserLock

Oops.


3 posted on 06/03/2005 5:25:28 PM PDT by thoughtomator (The U.S. Constitution poses no serious threat to our form of government)

To: LaserLock

A salesman sold me my first Check Imprinter years ago by "stealing" my check out of a sealed envelope...


4 posted on 06/03/2005 5:41:43 PM PDT by tubebender (Growing old is mandatory...Growing up is optional)

To: tubebender
A salesman sold me my first Check Imprinter years ago by "stealing" my check out of a sealed envelope...

Probably used the old long pronged tweezers and rolled it up, taking it from the bottom.

I can easily raise a check amount on the old Paymasters and F&E machines.

5 posted on 06/03/2005 5:46:38 PM PDT by Focault's Pendulum (I just got my free credit report....cost me $69.95......I'm not paying the bill. I'm doomed!!)

To: LaserLock

If these geeks would quit worrying about hacking into every freakin' device, maybe they could have a life!


6 posted on 06/03/2005 5:54:31 PM PDT by StockAyatollah

To: StockAyatollah

FYI, it's geeks like this that gave us the Apple PC. It's geeks like this that are going to come up with even stronger security methods in the future. It's geeks like this that wrote the browser you are typing in. So, give it a rest.


7 posted on 06/03/2005 5:56:50 PM PDT by plewis1250

To: LaserLock
This can record the exchanged messages being used to derive the link key and feed the recordings to software that knows the Bluetooth algorithms and can cycle through all 10,000 possibilities of the PIN. Once a hacker knows the link keys, Whitehouse reasoned they could hijack the device.

Amazing that they would establish such a weak crypto system. 10,000 possibilities. Let's see how long it would take an NSA supercomputer to crack that. I would guess about 1/10 of a nanosecond.

8 posted on 06/03/2005 6:01:43 PM PDT by InterceptPoint

To: LaserLock

Ah, a classic "man in the middle attack" applied to wireless.

Presumably it could be foiled by pairing the devices with them adjacent so there would be a time-lag (yes in nanoseconds, but a time lag nonetheless) which would prevent the hacker's devices from pairing first.


9 posted on 06/03/2005 6:07:53 PM PDT by The_Reader_David (Christ is Risen! Christos Anesti! Khristos Voskrese! Al-Masih Qam! Hristos a Inviat!)

To: LaserLock

Ah, I see I didn't read closely enough.

What blockhead came up with a 10,000 key private key encryption system as a basis for a wireless protocol? I realize public key or modern block ciphers would build in an unacceptable time delay for voice or image communication when one of the devices doesn't have a big processor, but surely we can do better than this.


10 posted on 06/03/2005 6:18:36 PM PDT by The_Reader_David (Christ is Risen! Christos Anesti! Khristos Voskrese! Al-Masih Qam! Hristos a Inviat!)

To: LaserLock

The following is from a Yahoo group, I don't know if it's true:

First of all u have to get Bluetooth wireless connectivity mobiles. Then u have to make a fake contact, like "ur bluejacked" or "hi waz up", or if u see a girl ask her about her contrast of the colours or any thing comparing to the environment. But remember that don't give number to that contact. After this u have to turn on your mobile's Bluetooth. Then go to that contact that u have made and press the options and u will see "send via bluetooth". Press it; now ur mobile will start searching bluetooth enabled devices. After searching it will show u the list of devices. Click one of it and mobile will start sending that contact to selected device.

But do this very secretly. Don't show your mobile to any one but don't block ur mobile with ur hands. OK, now wait for message tone from some one's mobile. When u hear message tone look where it came from. Some time people get angry on getting bluetooth mobile, specially women. That's why u don't show ur mobile. Then if u want to chat with that man or woman send more messages, but don't send more than 3 messages if u don't get response.

Bluejacking is not for disturbing others. It's for making friends and wireless and cost free chatting.

Now i will tell you that u can do bluejacking with ur laptop because most of laptops come with built in Bluetooth technology. U can send message from laptop to mobile or from mobile to laptop and from laptop to laptop and from mobile to mobile. :8

AFTER DOING ALL THIS TELL ME ABOUT WHOLE PROCESS AND SHARE UR EXPERIENCE WITH ALL THE MEMBERS.


11 posted on 06/03/2005 7:19:10 PM PDT by japaneseghost

To: japaneseghost

Hmm.. Clearly we have a graduate of the public schools here...


12 posted on 06/03/2005 8:47:14 PM PDT by hatfieldmccoy (Satan has a new name and it is Islam)

To: ko_kyi

Nothing is impenetrable--read "The Art of Deception" by Kevin Mitnick.


13 posted on 06/03/2005 9:02:26 PM PDT by Schwaeky (Attention Liberal Catholics---The Caffeteria is officially and permanently CLOSED!)

To: Schwaeky

The only unhackable system is powered off, locked in a crate, and sunk in the ocean. All security systems, whether electronic or otherwise, are always in a tradeoff with ease of use, effort, and money.

Bluetooth is such a great technology - I am glad this weakness was found before it is in every house, car, and tennis shoe.


14 posted on 06/06/2005 5:12:06 AM PDT by ko_kyi
