By Peter Judge
Special to CNET News.com
June 27, 2005
Bluetooth, the wireless connection used on PDAs and phones, is not
safe unless you use an eight-digit PIN to secure devices, an industry
group has warned.
The Bluetooth Special Interest Group has told people to set
eight-digit PINs when pairing two devices and to take other
precautions, after a report described a way for hackers to crack the
security codes on Bluetooth devices and seize control of them.
For security, Bluetooth devices will not communicate until they have
"paired"--a one-off process in which both devices must enter the same
PIN, or personal identification number. A hacker that listens in on
the pairing process can decode the PIN and then take control of the
link, siphon off data or, potentially, take control of either of the
Because Bluetooth has a short range, and pairing is a one-off process
between any two devices, most users were considered safe--until an
extension of the attack was described this month by Yaniv Shaked and
Avishai Wool of Tel Aviv University in Israel.
The new attack can force two Bluetooth devices to come "unpaired," the
researchers said. When the user pairs them again, the hacker can
listen to the pairing process and crack the PIN.
The simplest way to force Bluetooth devices to re-pair is to send a
message that purports to come from one of them, claiming to have lost
the key. Three ways to force re-pairing are described in "Cracking the
Bluetooth PIN", presented by Avishai Wool and Yaniv Shaked of Tel Aviv
University, at the Mobisys conference in Seattle.
Previous Next The Bluetooth SIG's advice echoes that of Wool and
Shaked--don't re-pair in a public place, where someone else might
eavesdrop, and use a longer PIN.
"When you pair devices for the first time, do this in private--at home
or in the office," the SIG advised in a statement last week. "If your
devices become unpaired while you are in public, wait until you are in
a private, secure location before re-pairing your devices, if
"Always use an eight character alphanumeric PIN code as the minimum,"
the SIG said. "You only have to enter this once, so (a longer code) is
not a hardship given the security benefits."
The group agrees with the researchers that a PC can crack a four-digit
code in a tenth of a second, but reckons an eight-digit PIN would take
100 years to break, making this crack "nearly impossible." Some
devices, such as headsets, include a factory-set four-digit PIN, but
most devices like phones allow users to set the PIN they want.
The SIG is also at pains to assure people that the hack is only an
academic paper at present. "The equipment needed for this process is
very expensive and primarily used by developers only," its advice
reads. "It is highly unlikely that a normal user would ever encounter
such an attack."
As ever, knowledge is important. "The attack also relies on a degree
of user gullibility, so understanding the Bluetooth pairing process is
an important defense," the SIG said.
Peter Judge of ZDNet UK reported from London.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.