[ISN] Bluetooth may leave PDAs wide open

From: InfoSec News (isnat_private)
Date: Mon Oct 14 2002 - 00:11:38 PDT

  • Next message: InfoSec News: "[ISN] Detecting Cyberattacks By Profiling "Normal" Computer Habits"

    Thursday 10th October 2002
    Peter Judge   
    RSA 2002: If you have Bluetooth, make sure security is enabled, or
    others might snoop your contacts or even make calls from your phone
    Bluetooth-enabled phones and PDAs may have a gaping security gap,
    which could allow other people to read data such as personal contacts
    and appointments, and even make phone calls using the owner's
    identity. Some of these devices are shipped with the security features
    in Bluetooth disabled, allowing other Bluetooth devices access,
    according to RSA Security.
    "I have stood at the RSA booth in conferences, with my phone paging
    for other devices, and watched other people's devices show up," said
    Magnus Nystrom, technical director of RSA Security. Many devices
    simply allowed access without demanding a "pairing" code, said
    Nystrom, and would have allowed him to examine the personal data of
    passers-by, or even to make calls with their phones.
    Such phone calls (which might flippantly be described as warphoning)  
    would be a serious breach. Not only could they add vastly to the
    victims phone bill, they could also allow the attacker to impersonate
    the victim. Using phone numbers from the victim's database, he could
    call people or businesses known to the victim, who might accept the
    call as genuine since it would come from the victim's own phone.
    "That's scary," said Peter Laakkonen, principal at SecVen, a US-based
    security strategy advisor, and a speaker at the RSA Conference in
    Paris. "If people don't realise they have Bluetooth, they may be
    unaware of the possibility of this weakness. Other people could be
    impersonating them without their knowledge."
    Most Bluetooth-enabled devices -- particularly those from leading
    brands -- appear to ship with security enabled. This includes all
    devices from Palm, iPaq, Ericsson and Nokia that have arrived in the
    ZDNet UK offices for review.
    Work is underway to improve both authentication and encryption over
    Bluetooth links, according to Nystrom, who is concerned about
    weaknesses in Bluetooth, even when security is enabled.
    Bluetooth, conceived as a cable replacement technology for linking
    devices within the user's field of view, was designed with a limited
    amount of security, but even the basic standard contains enough
    security features to eliminate this threat. Under Bluetooth's security
    specification, before two devices pair, the same code number must be
    entered into both of them.
    Within phones, features such as address books and phone are set up as
    different services. Business card exchange is usually set up with no
    security, as this is data that you want public, but other services are
    not accessible from this one.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 03:09:25 PDT