New Scientist on the Bluetooth Vulnerability
(Picture credit http://www.tomsnetworking.com)
I wrote a bit last week on the implications of the recently discovered vulnerabilities in the Bluetooth protocol. The weaknesses, combined with hacking innovations such as the BlueSniper rifle, make it easy to sniff or even co-opt Bluetooth networks at distances in excess of a mile. New firmware, anyone?
The best description of the vulnerability I've yet read is this excerpt from an article in New Scientist:
During pairing, two Bluetooth devices establish the 128-bit secret “link key” that they then store and use to encrypt all further communication. The first step requires the legitimate users to type the same secret four-digit PIN into both devices. The two devices then use this PIN in a complex process to arrive at the common link key.
Whitehouse showed in 2004 that a hacker could arrive at this link key without knowing the PIN using a piece of equipment called a Bluetooth sniffer. This can record the exchanged messages being used to derive the link key and feed the recordings to software that knows the Bluetooth algorithms and can cycle through all 10,000 possibilities of the PIN. Once a hacker knows the link keys, Whitehouse reasoned they could hijack the device.
But pairing only occurs the first time two devices communicate. Wool and Shaked have managed to force pairing by pretending to be one of the two devices and sending a message to the other claiming to have forgotten the link key. This prompts the other device to discard the link key and the two then begin a new pairing session, which the hacker can then use.
In order to send a “forget” message, the hacker must simply spoof one of the devices' personal IDs, which can be done because all Bluetooth devices broadcast this automatically to any Bluetooth device within range.
“Having it done so easily is surprising,” says Schneier. He is also impressed by the fact that Wool and Shaked have actually implemented Whitehouse’s idea in real devices.
They show that once an attacker has forced two devices to pair, they can work out the link key in just 0.06 seconds on a Pentium IV-enabled computer, and 0.3 seconds on a Pentium-III. “This is not just a theoretical break, it’s practical,” says Schneier.
New Scientist: New hack cracks 'secure' Bluetooth devices
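To make the excerpt's point concrete, here is an added toy model (mine, not code from New Scientist, Wool and Shaked, or the Bluetooth specification) of why a link key derived from a four-digit PIN plus values sent in the clear is not really a secret. It replaces the actual Bluetooth key-derivation and authentication algorithms with HMAC-SHA256 as a stand-in, uses constructed device addresses, and assumes that a passive listener captures the exchanged random values plus one challenge/response pair. The guess rate is the one implied by the article's 0.06 s figure for the full four-digit space; the scaling function goes beyond the article by showing how the worst-case search time grows with PIN length.

```python
import hashlib
import hmac
import secrets
from itertools import product

# Constructed device addresses (not real hardware); random values and the
# challenge are freshly generated for each simulated pairing.
ADDR_A = bytes.fromhex("001122334455")
ADDR_B = bytes.fromhex("66778899aabb")


def derive_link_key(pin, addr_a, addr_b, rand_a, rand_b):
    """Stand-in for the PIN -> link-key step (not the real Bluetooth E22).
    Only the PIN is secret; addresses and random values travel in the clear."""
    return hmac.new(pin.encode(), addr_a + addr_b + rand_a + rand_b,
                    hashlib.sha256).digest()


def auth_response(link_key, challenge):
    """Stand-in for the challenge/response that follows pairing; a sniffer
    sees both the challenge and the response."""
    return hmac.new(link_key, challenge, hashlib.sha256).digest()


def simulate_pairing(pin):
    """Run one pairing and return only what a passive listener would capture."""
    rand_a, rand_b = secrets.token_bytes(16), secrets.token_bytes(16)
    challenge = secrets.token_bytes(16)
    link_key = derive_link_key(pin, ADDR_A, ADDR_B, rand_a, rand_b)
    return {
        "addr_a": ADDR_A, "addr_b": ADDR_B,
        "rand_a": rand_a, "rand_b": rand_b,
        "challenge": challenge,
        "response": auth_response(link_key, challenge),
    }


def offline_pin_search(transcript, pin_length, alphabet="0123456789"):
    """Check every candidate PIN against the captured transcript, without
    touching either device. Returns (pin, candidates_checked); pin is None
    if the whole space is exhausted without a match."""
    checked = 0
    for chars in product(alphabet, repeat=pin_length):
        pin = "".join(chars)
        checked += 1
        key = derive_link_key(pin, transcript["addr_a"], transcript["addr_b"],
                              transcript["rand_a"], transcript["rand_b"])
        if hmac.compare_digest(auth_response(key, transcript["challenge"]),
                               transcript["response"]):
            return pin, checked
    return None, checked


# Guess rate implied by the article: the whole four-digit space in 0.06 s.
GUESSES_PER_SECOND = 10_000 / 0.06


def full_search_seconds(pin_length, alphabet_size=10, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust a PIN space at the given guess rate."""
    return alphabet_size ** pin_length / rate


if __name__ == "__main__":
    transcript = simulate_pairing("7391")
    pin, checked = offline_pin_search(transcript, 4)
    print(f"recovered PIN {pin} after {checked} candidates")
    for length in (4, 8, 16):
        print(f"{length}-digit PIN: {full_search_seconds(length):.3g} s to exhaust")
```

The search never contacts a device, which is the defender's lesson here: once the pairing exchange has been recorded, the only thing standing between the listener and the link key is the PIN's entropy, so rate limiting on the device does nothing. Pushing the PIN length up (or, as later Bluetooth versions did, moving to a pairing method that is not a low-entropy shared PIN) is what changes the cost, and the scaling function shows by how much at the article's stated speed.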