Research Shows Bluetooth Can Be Hacked In Milliseconds

Yaniv Shaked and Avishai Wool of Tel Aviv University have been able to compromise Bluetooth devices in as little as 0.06 seconds -- nearly real time -- by first forcing two to "pair," the term used when two Bluetooth gizmos first communicate, and establish a security key for future wireless transmission, then cracking the four-digit PIN that's default in most devices.

Bluetooth, a short-range wireless protocol for synchronizing mobile phones with PC, for wireless computer keyboards, and for PDAs sharing data, has been the target of hackers -- the Cabir worm is the best known malware that uses Bluetooth -- but until now all attacks have been conducted on hardware without security enabled.

In the exploit demonstrated by Shaked and Wool, a Bluetooth device pretends to have been paired with another previously, but has "forgotten" the link key. This begins a new pairing session, from which hackers could snatch the key, then crack it in nothing flat. With the cracked key in hand, an attacker could monitor all data sent by the compromised device, or even hijack it for his own use to, for instance, make calls that are charged to the hacked Bluetooth phone.

"At first glance, this attack isn't a big deal," wrote security researcher Bruce Schneier on his blog. "It only works if you can eavesdrop on the pairing process. Pairing is something that occurs rarely, and generally in the safety of your home or office. But the authors have figured out how to force a pair of Bluetooth devices to repeat the pairing process, allowing them to eavesdrop on it."

Shaked and Wool presented their paper, "Cracking the Bluetooth PIN," at the MobiSys conference Monday, in Seattle. Excerpts from that research were also summarized here.