CYBER EYE

Bluetooth's bite is missing a few teeth

William Jackson

The Bluetooth wireless networking standard is named for King Harald Bluetooth, who unified Denmark and Norway. A glance at a map of Scandinavia today will tell you that unification didn't take. Apparently, the king's security wasn't good enough.

The same thing is being said of his wireless namesake.

Bluetooth has built-in security at the link level, including frequency hopping over 79 channels (23 in Europe) and key generation for authentication and encryption.

But Markus Jakobsson and Susanne Wetzel, researchers at the Bell Labs Information Sciences Research Center in Murray Hill, N.J., have found vulnerabilities in the specification that could let intruders steal keys to eavesdrop on or impersonate devices.

The risks so far are minimal because the technology is in its commercial infancy. Only a handful of Bluetooth PC Cards, headsets and wireless phones are on the market.

The problem is that the technology, which works up to about 30 feet, was developed as a wireless alternative to cables for mobile devices and peripherals, said Susan Payne, director of Bluetooth business development at Certicom Corp. of Hayward, Calif.

"The driving force behind Bluetooth remains cable replacement," Payne said. Relatively stationary wireless connections could be secured adequately. But for mobile computing through public access points, "the requirements change dramatically," she said.

Bluetooth connections, once established, exchange symmetric keys, if not in the clear, at least with a low level of security. By breaking a personal identification number during the key exchange, an eavesdropper could figure out a device's unique key, unravel encryption and predict frequency-hopping patterns.

Once a device was compromised, a nearby intruder could listen in on phone exchanges, hijack sessions, even alter documents on the way to a printer.

A hacker would need a good understanding of Bluetooth and would have to be in the right place at the right time: within 30 feet, after all.

But even the possibility of a compromised link between two devices could invalidate all other security measures.
