Bluetooth just cannot catch a break. The latest blow is a report by two Israeli security researchers (one of them a graduate student) detailing how it is possible to take control of Bluetooth-equipped mobile phones, even when the handsets have their security features switched on. This takeover builds on a breaching technique that Ollie Whitehouse of @Stake detailed last year. An attacker with the right equipment can connect to a Bluetooth handset without authorization, and once the connection is established, the attacker may make calls on the target's handset, siphon off data, and listen in on data transfers between the Bluetooth-equipped device and other devices. Security firms already recommend that those dealing with sensitive information avoid Bluetooth handsets; this recommendation will now become even more emphatic.
It is important to note the difference between the technique described by Whitehouse and the one now detailed by Avishai Wool and Yaniv Shaked of Tel Aviv University. The "old" technique required the attacker to be listening in when two Bluetooth devices happened to pair; the new procedure allows an attacker to compel two already-paired Bluetooth devices to repeat the pairing procedure on demand, giving the attacker the opportunity to capture the exchange and work out the PIN used to protect the connection. Wool and Shaked used the information gathered from the compelled pairing exchange to determine a 4-digit PIN in 0.06 to 0.3 seconds. None of this can make Bluetooth's supporters happy.
For more on Bluetooth's security vulnerabilities:
- see Matthew Broersma's Techworld discussion