In-Depth

In Brief

Bluetooth Attack Compromises PINs, New Smart Phone Malware, Charting the E-mail Security Market

• By Mathew Schwartz
• 06/15/2005

Bluetooth Attack Bypasses PINs

Think your Bluetooth device is safe? Turns out attackers can crack shorter Bluetooth PIN codes in milliseconds by using a second-hand PC. So say Yaniv Shaked and Avishai Wool, security researchers from Tel Aviv University, who recently presented their Bluetooth security research at the MobiSys 2005 UseNix conference in Seattle.

Shaked and Wool note their research paper, “Cracking the Bluetooth PIN,” describes “a passive attack, in which an attacker can find the PIN used during the pairing process.” As the attack is passive, the Bluetooth user might not know he or she is being attacked.

To discover the vulnerability, the researchers first “wrote a special-purpose Bluetooth security suite from scratch” to investigate how to crack the SAFER+ cipher used to secure Bluetooth. They devised three methods for cracking it. The most efficient of those uses an algebraic representation of SAFER+ and can crack a four-digit PIN “in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3Ghz HT computer.”

For this attack to be effective, attackers have two options. The first is to eavesdrop during an entire device-pairing process, which isn’t completely practical, since devices are often paired once then used without re-pairing. Using the second option, however, attackers can trick a device into forcibly re-pairing itself, then eavesdrop on the transaction.

For the latter attack to succeed, a user has to re-enter their PIN. More astute users, say the researchers, might recognize this as an attack. The majority, however, probably would not.

What can Bluetooth users do to defend themselves against the documented vulnerabilities? “Since Bluetooth is a wireless technology, it is very difficult to avoid Bluetooth signals from leaking outside the desired boundaries,” note the researchers. “Therefore, one should follow the recommendation in the Bluetooth standard and refrain from entering the PIN into the Bluetooth device for pairing as much as possible. This reduces the risk of an attacker eavesdropping on the pairing process and finding the PIN used.”

In addition, they recommend users set their Bluetooth device to save link keys—produced when the device pairs with another, to authenticate it in the future—in memory, as opposed to setting it to require a PIN whenever they want to communicate with a device to which they’ve previously communicated. That’s because the latter mode “gives a false sense of security,” they say, since transmitting the PIN gives an attacker increased opportunities to eavesdrop and get information needed to crack that PIN.

Researchers also recommend using much longer PINs. Unfortunately, however, “most manufacturers use a four-digit PIN and supply it with the device.” Given the insecurity this creates, “obviously, customers should demand the ability to use longer PINs.”

New Malware Fakes AV Origins

Antivirus software provider F-Secure warns a new piece of malware claims it’s smart phone antivirus software from F-Secure. It’s actually malware known as Skulls.L, which runs on the Symbian operating system used on many mobile phones.

Running Skulls “breaks the system applications on the phone,” notes F-Secure, meaning “smart phone functions don’t work as long as the phone is infected.”

How can users tell the difference between the real and fake software? F-Secure says its software is Symbian-signed, meaning when installing legitimate software, the user won’t get a warning that the signature for the software package is missing. If such a warning does appear, F-Secure advises aborting the installation.

Charting the E-mail Security Market

E-mail is getting more security attention. According to a recent survey of information security professionals, two-thirds plan on purchasing an e-mail security product in the next two years. When purchasing a device, reliability is the top concern, and the chief goals are stopping e-mail-borne viruses and spam.

The research comes from In-Stat, which predicts the e-mail security market will grow to $3.7 billion by 2009. That’s because “while e-mail has made conducting day-to-day business easier, its prevalence has introduced an abundance of threats to the corporate network. In addition, government regulations have given companies strong incentives to ensure that corporate mail systems are stable and secure.”

To help, says In-Stat, companies “are looking for e-mail security products that combine multiple e-mail security and management functions.” Thirty percent of companies, however, haven’t yet decided whether to go the appliance, software, or hosted-service route to get it.

Related Articles:

Taming Smart Phones
http://www.esj.com/security/article.aspx?EditorialsID=1330

How to Stop Bluetooth Insecurities
http://www.esj.com/security/article.aspx?EditorialsID=775