After two Israeli researchers published a paper earlier this month explaining how security mechanisms in short-range wireless Bluetooth technology could be quickly undermined, members of the Bluetooth Special Interest Group (SIG) are
now urging users
to take several precautions.
Bluetooth, a radio technology that allows users to exchange data over the airwaves at a distance of around 10 meters, has been a target of intrusion attacks in the past.
Bluetooth security is essentially based on devices generating a secure connection through a pairing process. During this process, a user of one of the devices needs to enter a PIN code, which is used by internal algorithms to generate a secure key. This key is then used to authenticate the devices whenever they connect in the future.
But the findings of the Israeli researchers suggest the technology may be even more susceptible to attack than previously known.
The academic paper puts forward a theoretical process that could potentially “guess” the security setting on a pair of Bluetooth devices, according to the Bluetooth Web site. To do so, the attacking device needs to listen in to the initial one-time pairing process. Form this point, it can use an algorithm to guess the security key and masquerade as the other Bluetooth device.
What is new in this paper, according to the Bluetooth SIG, is an approach that forces a new pairing sequence to be conducted between the two devices and an improved method of performing the guessing process, which brings down the time significantly from previous attacks.
Even though this is an academic analysis of Bluetooth security and not a reported, real-life intrusion, SIG members, which include IBM Corp., Intel Corp., Nokia Corp., Microsoft Corp. and Motorola Inc., want to quickly eliminate any concerns users may have. On the official
Bluetooth Web site, the group offers three basic elements of good practice to help safeguard from attack:
When pairing devices for the first time, do so in private at home or in the office and avoid public places;
Always use an eight character alphanumeric PIN (personal identification number) code as the minimum. The more characters within the code, the more difficult it is to crack;
If your devices become unpaired in a public place, wait until you are in a private, secure location before re-pairing them.