

 user 2005-06-09 at 9:30:00 am Views: 113
  • #9842
    New hack cracks ‘secure’ Bluetooth devices June 2005

    Cryptographers have discovered a way to hack Bluetooth-enabled devices even
    when security features are switched on. The discovery may make it even easier
    for hackers to eavesdrop on conversations and charge their own calls to someone
    else’s cellphone.

    Bluetooth is a protocol that allows different devices including phones,
    laptops, headsets and printers to communicate wirelessly over short ranges –
    typically between 10 and 100 metres.

    Over the past few years security experts have devised many ways of hacking
    into Bluetooth communications, but most require the Bluetooth security features
    to be switched off.

    In April 2004, UK-based Ollie Whitehouse, at that time working for security
    firm @Stake, showed that even Bluetooth devices in secure mode
    could be attacked. His method allowed someone to hijack the
    phone, giving them the power to make calls as if it were in their own hands.

    Pairing up

    But this technique did not pose a serious risk because it could be performed
    only if the hacker happened to catch two Bluetooth devices just before their
    first communication, during a process known as “pairing”.

    Before two Bluetooth devices can communicate they must establish a secret key
    via this pairing process. But as long as the two devices paired up in a private
    place there was no risk of attack, explains Chris McNab of the UK security firm

    Now Avishai Wool and Yaniv Shaked of Tel Aviv University in Israel have
    worked out how to force devices to pair whenever they want. “Our attack makes it
    possible to crack every communication between two Bluetooth devices, and not
    only if it is the first communication between those devices,” says Shaked.

    “Pairing allows you to seize control,” says Bruce Schneier, a security expert
    based in Mountain View, California. “You can sit on the train and make phone
    calls on someone else’s phone.”

    Sniffing the airwaves

    During pairing, two Bluetooth devices establish the 128-bit secret “link key”
    that they then store and use to encrypt all further communication. The first
    step requires the legitimate users to type the same secret, four-digit PIN into
    both devices. The two devices then use this PIN in a complex process to arrive
    at the common link key.

    Whitehouse showed in 2004 that a hacker could arrive at this link key without
    knowing the PIN using a piece of equipment called a Bluetooth sniffer. This can
    record the exchanged messages being used to derive the link key and feed the
    recordings to software that knows the Bluetooth algorithms and can cycle through
    all 10,000 possibilities of the PIN. Once a hacker knows the link keys,
    Whitehouse reasoned they could hijack the device.
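    The point buried in the two paragraphs above is that the length of the link key (128 bits) is irrelevant when everything needed to recompute it, apart from the PIN, travels over the air in the clear: the effective search space is the PIN's 10,000 values, not 2^128. The following added example (not code from the article, nor from Wool and Shaked) models that structure with a stand-in construction. It does not implement the real Bluetooth E22/E21/E1 algorithms, which are built on SAFER+; an HMAC-SHA256 derivation plays the same role so that the relationship between PIN entropy, recorded exchange and offline verification is visible, and the addresses, nonces and PIN are constructed sample values. It also generalises the article's 4-digit case by reporting the search space for other PIN lengths and alphabets, which is the practical lever a defender controls.

```python
"""Toy model of PIN-bounded key derivation and offline PIN verification.

Added illustration: a stand-in HMAC construction replaces the real Bluetooth
E22/E1 (SAFER+) algorithms; addresses, nonces and PIN are constructed samples.
"""
import hashlib
import hmac
import math
import secrets
import time

RESPONSE_LEN = 8  # real Bluetooth SRES is 4 bytes; widened here so the toy never hits a chance collision


def derive_link_key(pin: str, addr_a: bytes, addr_b: bytes, rand: bytes) -> bytes:
    """Stand-in for pairing key derivation: secret PIN + public device
    addresses + a nonce that is sent in the clear -> 128-bit link key.
    Only the PIN is unknown to an eavesdropper (assumption: HMAC, not SAFER+)."""
    return hmac.new(pin.encode(), addr_a + addr_b + rand, hashlib.sha256).digest()[:16]


def authentication_response(link_key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the authentication step: a short response computed from
    the link key and a challenge the verifier sends in the clear."""
    return hmac.new(link_key, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


def simulate_pairing_capture(pin: str) -> dict:
    """Run one legitimate pairing + authentication and return only what a
    passive sniffer would record: no PIN, no link key."""
    addr_a = bytes.fromhex("001122334455")  # constructed sample address
    addr_b = bytes.fromhex("66778899aabb")  # constructed sample address
    rand = secrets.token_bytes(16)
    link_key = derive_link_key(pin, addr_a, addr_b, rand)
    challenge = secrets.token_bytes(16)
    return {
        "addr_a": addr_a,
        "addr_b": addr_b,
        "rand": rand,
        "challenge": challenge,
        "response": authentication_response(link_key, challenge),
    }


def recover_pin_from_capture(capture: dict, pin_length: int = 4):
    """Offline search over every numeric PIN of the given length. A candidate
    is confirmed when it reproduces the recorded authentication response.
    Returns (pin, link_key) or (None, None)."""
    for n in range(10 ** pin_length):
        candidate = str(n).zfill(pin_length)
        key = derive_link_key(candidate, capture["addr_a"], capture["addr_b"], capture["rand"])
        guess = authentication_response(key, capture["challenge"])
        if hmac.compare_digest(guess, capture["response"]):
            return candidate, key
    return None, None


def pin_keyspace(pin_length: int, alphabet_size: int = 10):
    """Number of candidate PINs and the equivalent entropy in bits. This is
    the quantity that actually bounds the link key's strength."""
    count = alphabet_size ** pin_length
    return count, pin_length * math.log2(alphabet_size)


if __name__ == "__main__":
    capture = simulate_pairing_capture("4721")  # constructed sample PIN
    start = time.perf_counter()
    pin, key = recover_pin_from_capture(capture)
    elapsed = time.perf_counter() - start
    print(f"recovered PIN {pin}, link key {key.hex()} after {elapsed:.3f}s")
    for length, alphabet in ((4, 10), (8, 10), (16, 62)):
        count, bits = pin_keyspace(length, alphabet)
        print(f"{length} chars from alphabet of {alphabet}: {count:,} candidates ({bits:.1f} bits)")
```

    The search finishes in a fraction of a second in interpreted Python, which is the article's "not just theoretical" observation in miniature; the `pin_keyspace` figures show why moving from four digits (about 13 bits) to a long alphanumeric passkey (16 characters from a 62-symbol alphabet is about 95 bits) is the change that makes the offline check infeasible rather than merely slower.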

    But pairing only occurs the first time two devices communicate. Wool and
    Shaked have managed to force pairing by pretending to be one of the two devices
    and sending a message to the other claiming to have forgotten the link key. This
    prompts the other device to discard the link key and the two then begin a new
    pairing session, which the hacker can then use.

    Surprisingly easy

    In order to send a “forget” message, the hacker must simply spoof one of the
    devices’ personal IDs, which can be done because all Bluetooth devices broadcast
    this automatically to any Bluetooth device within range.

    “Having it done so easily is surprising,” says Schneier. He is also impressed
    by the fact that Wool and Shaked have actually implemented Whitehouse’s idea in
    real devices.

    They show that once an attacker has forced two devices to pair, they can work
    out the link key in just 0.06 seconds on a Pentium IV-enabled computer, and 0.3
    seconds on a Pentium-III. “This is not just a theoretical break, it’s
    practical,” says Schneier.

    Shaked and Wool will present their findings at the MobiSys conference next
    Monday in Seattle, Washington, US.