Bluetooth, the wireless connection used on PDAs and phones, is not safe unless you use an eight-digit PIN to secure devices, an industry group has warned.
The Bluetooth Special Interest Group has told people to set eight-digit PINs when pairing two devices and to take other precautions, after a report described a way for hackers to
crack the security codes on Bluetooth devices and seize control of them.
For security, Bluetooth devices will not communicate until they have "paired"--a one-off process in which both devices must enter the same PIN, or personal identification number. A hacker that listens in on the pairing process can decode the PIN and then take control of the link, siphon off data or, potentially, take control of either of the devices.
Because Bluetooth has a short range, and pairing is a one-off process between any two devices, most users were considered safe--until an extension of the attack was described this month by Yaniv Shaked and Avishai Wool of Tel Aviv University in Israel.
The new attack can force two Bluetooth devices to come "unpaired," the researchers said. When the user pairs them again, the hacker can listen to the pairing process and crack the PIN.
The simplest way to force Bluetooth devices to re-pair is to send a message that purports to come from one of them, claiming to have lost the key. Three ways to force re-pairing are described in "Cracking the Bluetooth PIN", presented by Avishai Wool and Yaniv Shaked of Tel Aviv University, at the Mobisys conference in Seattle.
The Bluetooth SIG's advice echoes that of Wool and Shaked--don't re-pair in a public place, where someone else might eavesdrop, and use a longer PIN.
"When you pair devices for the first time, do this in private--at home or in the office," the SIG advised in a statement last week. "If your devices become unpaired while you are in public, wait until you are in a private, secure location before re-pairing your devices, if possible."
"Always use an eight character alphanumeric PIN code as the minimum," the SIG said. "You only have to enter this once, so (a longer code) is not a hardship given the security benefits."
The group agrees with the researchers that a PC can crack a four-digit code in a tenth of a second, but reckons an eight-digit PIN would take 100 years to break, making this crack "nearly impossible." Some devices, such as headsets, include a factory-set four-digit PIN, but most devices like phones allow users to set the PIN they want.
The SIG is also at pains to assure people that the hack is only an academic paper at present. "The equipment needed for this process is very expensive and primarily used by developers only," its advice reads. "It is highly unlikely that a normal user would ever encounter such an attack."
As ever, knowledge is important. "The attack also relies on a degree of user gullibility, so understanding the Bluetooth pairing process is an important defense," the SIG said.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
Join the conversation