March 2007


Max Moser from Remote Exploit is pointing out how to convert a regular 15€ Bluetooth dongle into a 3,000$ to 10,000$ Bluetooth sniffer. Nothing new so far, but he is the first one to document it.

There is a pretty good roundup on wireless security at pauldotcom, covering WiFi, Bluetooth and RFID. The slides give a good overview of various topics and are a great entry point for wireless hacking.

The final 2.0 version of the popular penetration testing live Linux distribution BackTrack has been released.

A new Bluetooth standard is about to be released. Bluetooth Core 2.1 + EDR brings some major changes, including changes to the pairing process. These changes are called “Secure Simple Pairing”.

Secure, because they improved the key exchange in response to the recent attacks on the pairing process: Elliptic Curve Diffie-Hellman is used to make the key exchange more secure. There is a whitepaper on Secure Simple Pairing around, and of course the draft of the upcoming specification, but unfortunately they are not available to the regular user. You have to be a member of the SIG to get these documents (just get yourself an account).

Simple, because in the simplest scenario the user has nothing more to do to pair two devices than to bring them within a certain physical range. No other user interaction, like entering a PIN, is needed. That makes life much easier for the casual Bluetooth user. In this scenario a technology called Near Field Communication (NFC) is used. NFC is a very, very short-range wireless technology: devices can only communicate when they are very close to each other, for example within 10 cm. In the case of Bluetooth, NFC is only used as a kind of “door opener” for connecting the devices. Only the initial pairing is done over NFC; the actual data transfer is handled by Bluetooth. The first NFC mobile phones were presented at CES this year by Nokia and Sagem.

There is a nice little interview at gearlive.com with Mike Foley, the head of the Bluetooth SIG. They show some features of the new specification with prototype devices and give an impression of how pairing is going to be done in the future.

Now, talking about the security of Bluetooth 2.1 devices…
When Mike Foley sends a picture from the camera to the picture frame or to the printer, he seems just to get within a certain physical distance, and then the picture gets transferred to the other device. No user interaction is needed for the transfer: just bring the two devices together and everything is done. The only security we have here is the limited physical distance between the two devices. But is this security? Come on! Ever heard of beam antennas? I am pretty sure that you can extend the range of NFC to more than 10 cm. Pretty cool when you have preeeety strange pictures on your trendy Bluetooth 2.1 picture frame, aight?

Update: It is not that easy with NFC. NFC is based on RFID, and therefore extending the range is more difficult: NFC and RFID use mutual inductive coupling. Even though there have been some successful experiments on eavesdropping on such connections, it is not as easy as with WiFi or Bluetooth connections.

At least Mike had to confirm the pairing of the headphones, so there is hope that manufacturers think about implementing a “Press to confirm” button. This might be less user friendly but more secure.
Anyway, this would just be an implementation issue. I think the upcoming specification has some pretty good improvements: in security, with the Diffie-Hellman key exchange, and in simplicity, with several pairing scenarios which might make life easier.
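To make the two points above concrete (the elliptic-curve Diffie-Hellman key exchange in Secure Simple Pairing, and why a “Press to confirm” step adds something the key exchange alone does not), here is an added example. It is not code from the post or from the Bluetooth SIG. It runs a textbook ECDH agreement between two devices and then derives a six-digit confirmation value from both public keys that each device would show its user. The curve (NIST P-256), the SHA-256 based key derivation and the confirmation function are my assumptions for illustration; the post does not state which curve or which functions the 2.1 specification uses, so do not read them as the specification's parameters.

```python
"""Added example (not from the post or the Bluetooth SIG): ECDH key agreement
plus a user-confirmation value. Curve, hash and confirmation function are
assumptions chosen for illustration, not the 2.1 specification's procedure."""
import hashlib
import secrets

# NIST P-256 domain parameters (assumed here; the post names no curve).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # point at infinity


def on_curve(pt):
    """True if pt lies on y^2 = x^3 + A*x + B (mod P); INF counts as on-curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition (also handles doubling and the inverse case)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result = INF
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def keypair(priv=None):
    """Return (private scalar, public point); a random scalar if none given."""
    if priv is None:
        priv = secrets.randbelow(N - 1) + 1
    return priv, mul(priv, G)


def shared_secret(priv, peer_pub):
    """ECDH: x-coordinate of priv * peer_pub. Off-curve peer keys are rejected,
    because accepting them would leak bits of priv (invalid-curve attack)."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid point on the curve")
    x, _ = mul(priv, peer_pub)
    return x


def link_key(secret_x):
    """Illustrative KDF: hash the shared x-coordinate into a 32-byte link key."""
    return hashlib.sha256(secret_x.to_bytes(32, "big")).digest()


def confirm_value(pub_initiator, pub_responder, nonce_i, nonce_r):
    """Six-digit value each device shows its user. Both sides get the same
    number only if both saw the same two public keys, so a user pressing
    'confirm' on matching numbers binds the keys to the devices in hand.
    Simplified illustration, not the specification's function."""
    h = hashlib.sha256()
    for point in (pub_initiator, pub_responder):
        h.update(point[0].to_bytes(32, "big"))
    h.update(nonce_i + nonce_r)
    return int.from_bytes(h.digest(), "big") % 10**6


def device_view(priv, peer_pub, pub_initiator, pub_responder, nonce_i, nonce_r):
    """What one device ends up with: its link key and the number it displays."""
    key = link_key(shared_secret(priv, peer_pub))
    return key, confirm_value(pub_initiator, pub_responder, nonce_i, nonce_r)


if __name__ == "__main__":
    da, pka = keypair()          # initiator (e.g. the camera)
    db, pkb = keypair()          # responder (e.g. the picture frame)
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    key_a, show_a = device_view(da, pkb, pka, pkb, na, nb)
    key_b, show_b = device_view(db, pka, pka, pkb, na, nb)
    print("link keys match:", key_a == key_b)
    print("numbers shown to the user: %06d / %06d" % (show_a, show_b))
```

The point of the confirmation value is the one the post raises about "Press to confirm": the key exchange alone protects against a passive listener, but only the user's check that both devices show the same number ties the agreed key to the two devices that are physically in front of them. If some other device in the path had substituted its own public key, the two numbers would differ (in the constructed scheme above, with overwhelming probability) and the user would refuse to press confirm. The explicit rejection of off-curve peer keys in `shared_secret` is the check a careful implementation of any ECDH exchange needs.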