Bluetooth Digital Free Love
By Niall McKay, Tue Aug 13 00:00:00 GMT 2002
It might be the age of paranoia but digital devices using Bluetooth are about to enter the age of free love. But will it be safe?
We are entering the age of digital free
love when computing devices will be able to talk, transfer files and
even run applications and services on each other. The glue that will tie
all this networked bliss together is Bluetooth - a short-range wireless
technology originally designed for consumer electronics devices such as
TVs, home stereo systems and telephone headsets. With Bluetooth, the
idea goes, one can eliminate all those troublesome wires in the home.
However, the proliferation of digital devices such as cameras,
PDAs, MP3 music players, laptop computers, photo-printers in both the
home and office means that the technology maybe be used in environments
for which is was not really designed. Indeed it seems that many
digerati, having got a taste for wireless from 802.11 and advanced
cellular networks, want to banish copper wire forever. Except for power.
So Bluetooth, like many technologies before it, is being pitched as the
cure-all for the digital-ills of the world.
Of course, like
free love (and cure ails for that matter) all this wireless promiscuity
is a great fantasy but often a problematic reality. At issue, is the
difficulty of getting these devices to work smoothly and securely
together. Anybody, who has tried to enable WEP on a home or office
802.11 network will know what I am talking about. Also like free-love
getting two devices together is called coupling or paring or bonding.
Frankly, if the coupling becomes too difficult to do securely then it’s
likely that the parties will throw caution to the wind and take risks.
“The initial set-up is the main weakness of with the
technology,” says Mike Sullivan VP of Business Development for Bluesoft
Inc. a Bluetooth security vendor. “If you have to start messing with it
then you’re probably going to give up and just use it in un-secure
But who cares? Surely, Bluetooth has yet to make its way
into the mainstream market. Right? Wrong. Despite the technology’s
apparently slow start it is beginning to make some progress.
Coming of Age
In fact, the research firm
IDC recently reported the Bluetooth will come of age next year and that
revenue will grow from a $76.6 million in 2001 to $2.6 billion in 2006.
The Gartner Group is even more bullish predicting that by 2004 forty
percent of all electronic trading will be done using a hand-held
terminals and Bluetooth will be one of the key enabling
Indeed, it’s difficult to find a technology vendor
who is not building Bluetooth support into their product line. Already
Sony is providing Bluetooth in laptops, phones, and video cameras in the
Japanese market. Cell-phone manufactures have started shipping wireless
headsets that connect to a phone or PDA in your pocket or bag over
Bluetooth and Apple Computer is making Bluetooth an integral part of its
iPod music player so when the user enters their home it will do the
equivalent of shouting "hi honey I'm home" and connect to
the speakers and synchronize with you PC.
Bluetooth is being touted as one of the key technologies used in
telematics or in-car computer control systems. Later this year
Chrysler's will release its UConnect Bluetooth hands-free car kit
and healthcare technology provider CodeBlue Communications is building
Bluetooth-based hospital patient data-management applications, patient
life data monitors, and telemedicine emergency devices. So what’s
the problem? Well the technical specification has few security
weaknesses, according to Ollie Whitehouse, Director of Security
Architecture at the security consultancy @Stake. Although @Stake did
find one. With Bluetooth the user is able to choose if other Bluetooth
device holders can see their device. However, Whitehouse was able to
over ride this function by with a brute force attack.
from that it’s pretty secure,” says Whitehouse. “But the problem is not
with the specification but with applications vendors implementation of
Patrick Connolly CTO of Rococo Software a
company that provides tools for building Bluetooth applications agrees.
The problem is that the Bluetooth Special Interest Group (the
organization that developed the specification) does not define the
Application Programming Interface (as with Sun and Java), it just
defines the protocol stack.” While this is a deliberate move because it
makes certain aspect of programming easier, it also makes it easier for
application developers and hardware providers to make errors.
Whitehouse, for example, discovered a number of security flaws
(mostly insignificant and now fixed) with Red-M's Bluetooth
wireless access point. One flaw, for example, allowed insiders create a
backdoor into the product.
While it’s likely that those darling
hackers (good or bad) will discover a number of flaws with Bluetooth
it’s safe to say that the Bluetooth SIG have certainly taken a lot more
trouble to secure the technology that their WiFi or 802.11 collogues.
Basically, there are three levels of security.
Your device is a rake and will talk anyone in the vicinity.
Secure. Or Service-level enforced. Where your device does not
initiate before a channel is opened between the two devices.
Very secure. Where a connection will not be made until both
device users have been identified.
Then there are trusted
devices such as your own PDA and laptop computer and untrusted devices
such as the cash register in a bar in the shady part of town.
Most Bluetooth users will be using the second secure mode. So,
to initiate a secure session you first have to find a quiet spot, in
much the same way you would if you wanted to have a private
conversation with a friend or colleague. That way you can be sure that
nobody is overhearing your digital conversation. Once you find a quiet
spot there the devices go through three stages.
the devices create a shared link encryption key, authentication, where
each uses taps in their personal identification number, and encryption
where the device information is coded so that even if there is an
eavesdropper in the vicinity they could not understand the conversation.
Furthermore, the channel jumps around the allocated spectrum, which
makes it more secure.
Most of the weaknesses will stem from the
usability of the model. First of all, if the technology industry is
anything each vendor will come out with some added security features
thus rendering a secure mode between two different vendors products
impossible. I for example could not connect my Sony phone with a Nokia
device because of different implementations of the same standard.
Secondly, chances are that all the tapping in of PINs will be
bothersome to many users. Thirdly, while each device will have a unique
address. Say you attend a communications conference and the world’s top
1,000 software geniuses are there. How many Mr. Sing’s Nokia will you
find? Furthermore, the chances are that a lot of people will use really
stupid PINs such as 1234 or Bill Gates is a … That is why BlueSoft
Inc. a Silicon Valley vendor produced its own Bluetooth security
technology. The product uses the Diffie-Hellman public key encryption
mechanism so that each user can be identified.
“That way the
security relies on what I have (device), what I know (my public key
encryption password, and who I am (because the public key is held by a
However, according to a report
published by Juha T. Vainio with the Department of Computer Science and
Engineering Helsinki University of Technology Bluetooth is not quite
ready for prime time. “It seems that the security of Bluetooth is still
inadequate for any serious, security sensitive work. After the basic
problems have been corrected, the more sophisticated security methods
may be implemented on the upper levels. The security specification only
considers simple issues and the more functional security has to be built
above it. The secure routing protocols for larger ad hoc networks must
also be implemented separately.”
Indeed, many believe that
that in order to make Bluetooth really secure, for say, banking
applications some sort of Biometric verification will need to be added
at the application layer.
Seamus McAteer, principal analyst
with the Zelos Group says that security is less concern if you are
simply sharing music and photos with your buddies. “But you don't
want your car to be hacked,” he says. “That’s a Spielberg movie waiting
Niall McKay is a freelance
journalist based in Silicon Valley. He can be reached at www.niall.org