Gaps still pain Bluetooth security
Friday, 23 April 2004 18:52 EST
The latest specification of Bluetooth, a popular short-range wireless technology, has left serious security issues unfixed, according to a wireless researcher.
The glitch in the Bluetooth 1.2 technology is related to how it deals with the personal identification number (PIN) that's used to protect data, Ollie Whitehouse, a researcher for digital security firm @Stake, said at the CanSecWest security conference here on Wednesday.
An analysis of the specification has shown that the identifier can be broken, according to Whitehouse. This can be done using specialized hardware to capture certain data transferred between Bluetooth-enabled devices when they first contact each other. Once the information is collected, an eavesdropper could listen to cell phone calls, grab personal information as it is synchronized with a computer or counterfeit signals from one device to the other.
"People who use Bluetooth, if they use short PINs, are exposing data on the device," Whitehouse said. "Moreover, people who wander around with an active Bluetooth device may be tracked by a knowledgeable security person."
The discovery is the latest security problem to be found with Bluetooth technology. Previous attack approaches have gone by such colorful names as "Redfang," which exposes the location of hidden Bluetooth devices, and "Bluestumbling" (also known as "Bluesnarfing"), which allows an attacker to grab information from certain makes of phones that have poorly implemented security.