Bluetooth loopholes need filling

A number of security loopholes in Bluetooth technology, similar to those that besieged Wi-Fi when it first launched, are still open for exploitation industry experts are warning.

  • E-Mail
By  Andrew Picken Published  December 28, 2003

A number of security loopholes in Bluetooth technology, similar to those that besieged Wi-Fi when it first launched, are still open for exploitation industry experts are warning.

"The weakest link in Bluetooth security occurs when pairing devices," explains Peter Firstbrook, senior research analyst with the research house, META Group.

"Pairing uses the Bluetooth address of the device - a fixed address established by the manufacturer - and a personal ID number (PIN) to establish a link key, which then becomes the shared secret for subsequent communication. During pairing, it is possible for a hacker to guess a short PIN and thus the link key, and then eavesdrop on all future conversations or impersonate devices in the pairing."

Other industry experts, who are calling for action now before the problem escalates, echo Firstbrook's concerns. "With this class of devices, wireless transmission of information leaves the office environment and travels anywhere an employee does," says Ollie Whitehouse, director of Security Architecture, for digital security consulting firm, @stake. "This means that third parties can access information without penetrating the physical security of an office or dealing with the problems of circumventing existing network security."

Another concern for the industry is that some Bluetooth devices are discoverable by default, so that other devices can attempt to communicate with them, and some allow full OS rights to peers by default once connected. "This practice can create an opportunity
for hackers to quietly drop off Trojan horse files or viruses, although there are no known practical exploits of Bluetooth security vulnerabilities," says Firstbrook.

"Many vendors release Bluetooth products with a best effort approach to security that can only compromise the integrity of the information held on those devices," says Whitehouse. "Vendors should understand these issues and risks and develop mechanisms for delivering security out of the box. While it's not a time to panic, it's certainly a time to act."

Short-range wireless Bluetooth technology is now being incorporated into numerous consumer devices, such as notebooks, cell phones and PDAs. The total number of Bluetooth devices expected to ship in 2003 is estimated at between 100 million and 125 million according to META, and it has also predicted shipments to increase 75% annually until 2005.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code