Security

July 23, 2008 5:15 PM PDT

Pairing your cell with Bluetooth? Buyer beware

by Elinor Mills

I admit it; I've been in denial about my cell phone habit.

I'm a multitasker on the phone and I tend to make calls when I'm in transit. Why not get some of those calls I have to make out of the way while I'm walking or driving? (I really do try to not use the phone while on the bus so as not to annoy other passengers, but sometimes it just can't be avoided.)

Of course, I've known for months that I was going to have to curb the habit while driving because of the hands-free law that went into effect for drivers in California three weeks ago. But I have been resisting buying a cell phone headset for a number of reasons.

For one, I find those cyborg-like devices sticking out of people's ears to be tacky. I'm sorry, but I do. Seeing people talking to themselves when they are not obviously on the phone is just off-putting.

Secondly, I had heard about security problems with Bluetooth and didn't want to have to figure it all out. Security experts discussed the risks to Bluetooth users at the Last HOPE (Hackers on Planet Earth) conference in New York last weekend, warning people to change the default password, turn off the headsets when not in use, and limit access to the data when communicating with other devices.

I also thought that buying a headset would unnecessarily feed a habit that I'd rather cut back on. I don't really like long phone conversations and I easily overdose on talking on the phone because I do it so much for my job. For me, getting a headset would be like getting TiVo when you're trying to watch less television.

But when I found myself tempted to break the law recently, needing to make a call while driving, I realized it was time to get one.

So I bought a standard Motorola variety for less than $50 on Tuesday night. Apparently, I'm not the only one thinking this way--a new study has found that the hands-free law boosted Bluetooth device sales to four times the national average.

On Wednesday, the U.S. CERT (Computer Emergency Readiness Team) decided the Bluetooth security risk was serious enough to publish a security advisory about it.

"Depending upon how it is configured, Bluetooth technology can be fairly secure," the advisory said. "Unfortunately, many Bluetooth devices rely on short numeric PIN numbers instead of more secure passwords or passphrases."

Basically, any device that can "discover" another Bluetooth device can send unsolicited messages or do things that could lead to extra fees, data being compromised or corrupted, data stolen in an attack called "bluesnarfing," or the device being infected with a virus, the advisory said.

To protect against these risks, Bluetooth owners should disable the technology when it is not being used, disable unnecessary features, and switch it to "hidden" mode, CERT said. Using "hidden" mode won't prevent me from using my headset with my phone because once the two devices have located each other, or paired, they will continue to be able to recognize each other thereafter.

Bluetooth users should also be careful where they are using the technology. For instance, using it in a public wireless "hotspot" poses a greater risk that someone else can intercept the connection than using it in your home or car, according to the advisory.

Now all I have to do is get something to protect me from the Bluetooth device's electromagnetic frequencies (EMFs), which may or may not pose health risks.

July 19, 2008 9:25 AM PDT

Protecting against Wi-Fi, Bluetooth, RFID data attacks

by Elinor Mills

NEW YORK--Using a laptop, cell phone headset, building access badge, credit cards, or even a passport can make you a walking target for data thieves and other criminals, a security expert warned at the Last HOPE hacker conference here late Friday.

Security expert RenderMan discusses the insecurity of RFID chips, Bluetooth headsets and laptops using Wi-Fi at the Last HOPE hacker conference.

(Credit: Elinor Mills/CNET News)

In a frightening but entertaining session entitled "How do I Pwn Thee? Let me Count the Ways" (pwn is hacker speak for "own" or control), a hacker who goes by the alias "RenderMan" explained how most people are at risk and don't even know it.

By now most people probably know they should be careful using Wi-Fi networks, especially public hotspots that don't encrypt data transmissions and where network access points can be spoofed. These issues leave Web surfers at risk of having their data stolen, receiving fake Web pages and other information, and having their computers completely taken over, he said.

Even airplane passengers who either ignore stewardess requests to disable Wi-Fi or don't know how to turn it off are not immune to attacks from others in the airplane, he added.

RenderMan suggests that people disable Wi-Fi when it is not in use and use VPNs and firewall software.

Bluetooth headset users are at risk because of a security hole in the technology and default PINs that don't get changed, he said. By exploiting these vulnerabilities, someone can break in and steal data from the phones, make calls without the cell phone owner knowing, listen in on and break into conversations, and even spy on people by turning the device into a bug.

He advises that people change the default password, disable the Bluetooth on the phones, turn off the headsets when not in use, and limit access to the data and features when communicating with other Bluetooth devices.

Many people don't realize that new U.S. passports have RFID technology with weak encryption that makes the data on the chip easy to read with the proper reader device. (See related video below.)

The U.S. government attempted to mitigate the privacy threat by putting a metal foil layer on the front and back cover of the passports, but the stiffness of the foil pops the passport open as much as an inch, wide enough for RFID readers to snatch the data, RenderMan said, showing a video to demonstrate this.

"There is no rule that says that if the chip doesn't work, they will refuse you access to the border. You will get increased scrutiny, but it's still a valid document," he said. "So, liberal application of a hammer can negate a lot of the possible" problems.

But doing willful damage to the passport is a crime, one attendee pointed out. "I fell, really hard," RenderMan deadpanned.

RFID used in transit and building access badges has also been proven to be insecure, allowing someone to use an RFID reader to copy data off the card and make a clone of it, he said.

A security flaw in the Mifare Classic Chip used in transit systems is the subject of a court case in The Netherlands. The maker of the chip, NXP Semiconductors, sued to block a university from publishing details of the problems, but a court ruled on Friday that the research can be made public.

Even traditional keys are vulnerable, RenderMan said. For instance, photographs of spare keys for electronic-voting machines displayed on a Web page were used to make replicas with similar-looking keys, he said. A video demo showed how someone filed down a key from a hotel mini-bar and was able to open up the memory card slot of a Diebold voting system.

Credit: CNET News
Michael Aiello, president of DIFRwear, demonstrates at Last HOPE how easy it is to swipe the data off someone's RFID-enabled credit card, building access badge, or passport from a few feet away. DIFRwear sells wallets and cases to protect cards from data thieves.
