Interesting People mailing list archives
Latest Bluetooth attack makes short work of weak passwords
From: David Farber <dave () farber net>
Date: Sun, 12 Jun 2005 17:53:38 -0400
Begin forwarded message: From: Monty Solomon <monty () roscom com> Date: June 12, 2005 3:00:33 PM EDT To: undisclosed-recipient:; Subject: Latest Bluetooth attack makes short work of weak passwords Latest Bluetooth attack makes short work of weak passwords Robert Lemos, SecurityFocus 2005-06-08 Phones, PCs and mobile devices that use the wireless Bluetooth standard for short-range communications are open to eavesdropping attacks if their users do not set long passwords, researchers said this week. The two-step attack can cause two devices to reestablish the link between them, a process known as "pairing," and then use the data exchanged during pairing to guess the password that secures the connection in well under a second. A successful attack could allow an attacker to eavesdrop and potentially issue commands to the other device, said Avishai Wool, assistant professor of electrical engineering at Tel Aviv University in Israel and a co-author of the paper. "At a minimum, it allows the attacker to eavesdrop on all the subsequent encrypted communication between two Bluetooth devices," Wool said in an e-mail interview. "If the attacker can also fake his own Bluetooth device address, he can potentially pretend to be one device and pair with the other, which may allow him to issue commands." The attacker could conceivable mimic any other supported Bluetooth device, such as a headset for a phone, he said. If the one device could extract personal data from or issue commands to the other, then so could the attacker. The paper, which was presented at the MobiSys 2005 conference on Monday, caused a stir among security experts because the technique is the first general purpose attack to threaten Bluetooth devices. Past attacks only worked against devices that improperly implemented Bluetooth or under special circumstances. The Bluetooth Special Interest Group (SIG), the organization that sets the specifications for the standard, placed the latest attack in the latter category, because devices that have longer, alphanumeric PINs are effectively protected against the technique. ... http://www.securityfocus.com/news/11202 http://www.eng.tau.ac.il/~yash/Bluetooth/ ------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Latest Bluetooth attack makes short work of weak passwords David Farber (Jun 12)