CYBER EYE

Bluetooth's bite is missing a few teeth

William Jackson

The Bluetooth wireless networking standard is named for King Harald Bluetooth, who unified Denmark and Norway. A glance at a map of Scandinavia today will tell you that unification didn't take. Apparently, the king's security wasn't good enough.

The same thing is being said of his wireless namesake.

Bluetooth has built-in security at the link level, including frequency hopping over 79 channels (23 in Europe) and key generation for authentication and encryption.

But Markus Jakobsson and Susanne Wetzel, researchers at the Bell Labs Information Sciences Research Center in Murray Hill, N.J., have found vulnerabilities in the specification that could let intruders steal keys to eavesdrop on or impersonate devices.

The risks so far are minimal because the technology is in its commercial infancy. Only a handful of Bluetooth PC Cards, headsets and wireless phones are on the market.

The problem is that the technology, which works up to about 30 feet, was developed as a wireless alternative to cables for mobile devices and peripherals, said Susan Payne, director of Bluetooth business development at Certicom Corp. of Hayward, Calif.

"The driving force behind Bluetooth remains cable replacement," Payne said. Relatively stationary wireless connections could be secured adequately. But for mobile computing through public access points, "the requirements change dramatically," she said.

Bluetooth connections, once established, exchange symmetric keys, if not in the clear, at least with a low level of security. By breaking a personal identification number during the key exchange, an eavesdropper could figure out a device's unique key, unravel encryption and predict frequency-hopping patterns.

Once a device was compromised, a nearby intruder could listen in on phone exchanges, hijack sessions, even alter documents on the way to a printer.

A hacker would need a good understanding of Bluetooth and would have to be in the right place at the right time: within 30 feet, after all.

But even the possibility of a compromised link between two devices could invalidate all other security measures.
