June 16, 2005
May Be Open
By KEITH J. WINSTEIN
Staff Reporter of THE WALL STREET JOURNAL
Your Bluetooth device may have a hole in it.
A wireless-communications standard, Bluetooth is one of the fastest-growth stories in high technology. The system was installed in 92 million headsets, cellphones, portable computers and other devices sold world-wide in 2004, and the number of such products is expected to more than double to 186 million this year, according to technology watchers at IDC Corp.
But last week, at a technology conference in Seattle, two Israeli experts presented research that could give Bluetooth users pause. They showed that the security systems used in many Bluetooth devices are susceptible to cracking by eavesdroppers.
Although the researchers, Avishai Wool and Yaniv Shaked of Tel Aviv University, didn't try to build an eavesdropping device -- and no Bluetooth breaches have been reported -- the new findings are stirring concerns about the vulnerability of devices equipped with the technology. Using their research, security experts said, a device capable of tapping into Bluetooth gear could be built for about $2,000.
The Israelis' work is "really impressive," said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., a Mountain View, Calif., consultant. "Bluetooth was not designed with security in mind. It was sloppily designed."
The findings come at a time of broader concerns about wireless-data security. Many experts consider the security features of Wi-Fi, a widely used wireless Internet-access standard, to be flawed. Child pornographers and fraudsters who don't want to leave a trail back to their own computers have been tapping into unsuspecting neighbors' Wi-Fi networks to go online, the U.S. Secret Service said recently.
Bluetooth technology -- found in many Palm PDAs, Pocket PCs and about 10% of all cellphones -- has had other security problems that manufacturers have repaired. This time, Dr. Wool and Mr. Shaked found a new flaw in the way Bluetooth devices keep transmissions secret.
To link up two Bluetooth-enabled devices, such as a wireless headset to a cellphone, each device needs to know a special security code, as well as a set of randomly generated digits. But almost all of the major headset makers, including Motorola Inc., Nokia Corp., Logitech International SA and the Jabra division of GN Store Nord AS, set the same security code on their headsets -- 0000 -- and it usually can't be changed by the consumer.
Knowing that, an eavesdropper needs to figure out the random digits. Dr. Wool and Mr. Shaked said an eavesdropper could generate a special signal that would disrupt a Bluetooth connection and require the user to retype the security code, and thus generate another random number -- giving an opportunity for the listener to capture it. Using both that random number and the "0000" code, the connection could be tapped.
Other Bluetooth devices, such as hand-held computers, allow users to type in their own security code. The longer the string of numbers, the more secure the connection -- and the harder it is for a wireless hacker to figure it out.
But instead of using a string of 16 letters and numbers -- which is recommended by the group that develops Bluetooth standards -- many manufacturers of the gear allow security codes of only four numbers. And such a code could be readily discovered by an ordinary personal computer that can try out all 10,000 possible combinations of four digits in a tenth of a second, the researchers reported at last week's conference of the Association for Computing Machinery's mobile systems specialists.
All this means that someone sitting with a special radio receiver within a few hundred feet of a user might be able to eavesdrop on a conversation from a Bluetooth headset or tap into email that is being transferred from a laptop computer to a hand-held device.
Bluetooth SIG Inc., the Bellevue, Wash., trade group that controls the technology, said it has long recommended longer alphanumeric passwords. But many manufacturers regard that as too inconvenient for customers. "We see this as a wake-up call to manufacturers," said Jay Caras, Bluetooth SIG's senior marketing manager. "Either out of a lack of knowledge or laziness, they've not done as good a job in securing their Bluetooth link as they could. And it's not a big deal to do more."
Fred Zimbric, the product manager for Bluetooth accessories at Motorola, said "we definitely take this seriously," but added the eavesdropping risk is low. Longer passkeys, he said, are not practical and consumers have rejected them in the past. Fixing the Bluetooth problem, Mr. Zimbric said, "is going to turn consumers off more than it's going to make things safe." Motorola is a member of Bluetooth SIG along with 3,000 other companies.
"Nothing's perfectly secure," said Michael Roberts, the global product manager for mobile-phone accessories at Logitech. "It's a trade-off between making it very convenient for the customer. On the flip side of that is making it very secure." Representatives of Jabra and Nokia declined to comment.
In the next version of its specifications, due out early next year, Bluetooth SIG will issue recommendations for making longer passwords easier for manufacturers to use, according to Joel Linsky, a radio engineer who heads the organization's standards working group. But "it's not an easy problem to solve," he said.
Write to Keith J. Winstein at firstname.lastname@example.org