
11/18/2008 12:56 PM

CSI: Hacking Bluetooth 2.1 Passwords

Researcher pokes holes in Bluetooth security improvements

NATIONAL HARBOR, MD -- CSI 2008 -- If you think Bluetooth is getting safer, think again: A researcher has revealed glaring security flaws in the newest version of the wireless protocol that let an attacker stage simple man-in-the-middle hacks.

Bluetooth Version 2.1, which is gradually becoming available in Bluetooth-enabled devices, in some cases is less secure than the previous version, 2.0, said Andrew Lindell, chief cryptographer for Aladdin Knowledge Systems and assistant professor at Bar-Ilan University in Israel, here today at the CSI 2008 Security Reconsidered conference.

Lindell says the password protocol is not secure and can be easily manipulated by an attacker. Key Bluetooth headsets and keyboards are also left unprotected under this new protocol version, which was built to use less power and to lock down Bluetooth devices from man-in-the-middle and other attacks. "I found that the password protocol is not secure in the way we would expect. It's secure as long as a one-time password only is used, but that's not mandatory in the specification," Lindell says. "The biggest problem is that it's very easy to get Version 2.1 wrong and hard to [ensure] the implementation is very secure."

When two Bluetooth devices begin their handshake, they advertise their IP address and common names, such as "Andrew" for a PDA, he says. A nearby attacker with a Bluetooth-enabled laptop, for example, would see these devices and advertise itself as "Andrew."

Andrew's laptop sees the two Andrew PDAs and randomly chooses one, he says. "There's one half of a chance that it will get the attacker's laptop," Lindell says. "The attacker doesn't have to catch any traffic in the middle or block any -- it just advertises itself as the other one and hopes to be connected."

And in the Passkey mode of Version 2.1, where Device A and Device B swap secret passcodes, an attacker can get around this level of protection because the new Bluetooth specification doesn't mandate that all devices deploy this level of security. "When devices initiate pairing, they have to exchange I/O capabilities to decide what mode [of security] to use," Lindell says.

So if a device, such as a mouse, does not support this feature, man-in-the-middle protection is not required. "Just because there are these different modes completely opens you up...an attacker can say, 'I only work with legacy pairing,'" and not passkey pairing, he says, to make an unauthorized connection to the device.
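To make the negotiation concrete, here is an added example (not code from the article or from Lindell's research) that models how two Bluetooth 2.1 peers derive a pairing method from the I/O capabilities they exchange, how a peer that claims legacy-only support sidesteps Secure Simple Pairing altogether, and the policy check that refuses a result without man-in-the-middle protection. The capability names and selection table follow the Core Specification; the device dictionaries, function names and the legacy-fallback policy are this example's own assumptions.

```python
# Added example, not from the article or Lindell's research: how Bluetooth 2.1
# peers pick a pairing method from the IO capabilities they exchange, and the
# policy check that refuses an unprotected result. IO capability names and the
# selection table follow the Core Specification's Secure Simple Pairing rules;
# the device dicts, function names and legacy-fallback policy are assumptions.
DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY, NO_IO = (
    "DisplayOnly", "DisplayYesNo", "KeyboardOnly", "NoInputNoOutput")
JUST_WORKS, NUMERIC_COMPARISON, PASSKEY_ENTRY, LEGACY_PIN = (
    "JustWorks", "NumericComparison", "PasskeyEntry", "LegacyPIN")
# Only these two models authenticate the peer against a man-in-the-middle;
# Just Works and pre-2.1 PIN pairing do not.
MITM_PROTECTED = {NUMERIC_COMPARISON, PASSKEY_ENTRY}


def select_association_model(io_a, io_b):
    """SSP association model chosen from the two advertised IO capabilities."""
    caps = {io_a, io_b}
    if NO_IO in caps:                  # a headset or mouse with no UI at all
        return JUST_WORKS
    if KEYBOARD_ONLY in caps:          # one side types the passkey the other shows
        return PASSKEY_ENTRY
    if caps == {DISPLAY_YESNO}:        # both can show a number and confirm it
        return NUMERIC_COMPARISON
    return JUST_WORKS                  # DisplayOnly with no keyboard on either side


def negotiate(dev_a, dev_b):
    """Return (method, protected, accepted) for one pairing attempt between
    devices given as {"io": <capability>, "ssp": bool, "require_mitm": bool}.
    A peer claiming it only supports legacy (PIN) pairing forces the pre-2.1
    method and bypasses SSP entirely: the downgrade the article describes.
    'accepted' is a host policy that fails the pairing when MITM protection is
    required but the negotiated method cannot provide it (the spec mandates
    this for SSP; extending it to the legacy fallback is an assumption)."""
    if dev_a["ssp"] and dev_b["ssp"]:
        method = select_association_model(dev_a["io"], dev_b["io"])
    else:
        method = LEGACY_PIN
    protected = method in MITM_PROTECTED
    required = dev_a["require_mitm"] or dev_b["require_mitm"]
    return method, protected, (protected or not required)


if __name__ == "__main__":
    laptop = {"io": DISPLAY_YESNO, "ssp": True, "require_mitm": True}
    for peer_io, peer_ssp in ((NO_IO, True), (DISPLAY_YESNO, False), (DISPLAY_YESNO, True)):
        peer = {"io": peer_io, "ssp": peer_ssp, "require_mitm": False}
        print(peer_io, "ssp" if peer_ssp else "legacy", negotiate(laptop, peer))
```

Running the demo shows that the same laptop ends up with Just Works for a no-UI peer, with legacy PIN pairing for a peer that refuses SSP, and only gets an authenticated Numeric Comparison when both sides can display and confirm; with the MITM requirement set, the first two attempts are rejected rather than silently downgraded.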

Another problem is that passkeys can easily be intercepted and read. With Version 2.1, it takes only 20 computations for an attacker to figure out the password, which was not the case with the previous version of Bluetooth, Lindell says. The main problem with 2.1 here is the fixed passkeys, which can be easily cracked, no matter their length, he says. And user-entered passkeys are also insecure, he says.

A better approach would be a one-time, randomly generated password for Bluetooth devices. But that won't work with devices, like headsets, that don't have displays or interfaces, and adding this feature would likely price them out of range, he notes.

"Bluetooth 2.1, with all of its promises of great security, is made up of multiple protocols" that can be bypassed, Lindell says. "But the bottom line is [Bluetooth manufacturers] can do a reasonable job" securing their devices with it.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
