Information Technology Reference
Security on wireless channels
Bluetooth can be considered reasonably secure, but it still has some specific
weaknesses. First, it is feasible to steal the link keys held in a device's key
ring and the encryption keys derived from them, which gives an attacker the
opportunity to 'spy' on traffic (eavesdropping) and to impersonate the victim
device. A second class of Bluetooth attack shows how a convenience of the
technology can turn against its users: many Bluetooth devices can track the
movements of another device that uses the same technology, without its owner
being aware of it.
7.1.1 Eavesdropping and impersonation
The keys can be stolen by passively eavesdropping on traffic, by actively taking
part in an exchange, or by mounting a 'man-in-the-middle' attack.
In the first case the attacker records the pairing (initialization) exchange and
then 'guesses' every PIN of a given length; each guess is checked by recomputing
the second operation of the initialization protocol, the challenge-response
authentication, from the guessed PIN and the random values that the two devices
exchanged in the clear. Note that this type of attack is carried out offline and
that the attacker obtains the data in an entirely passive manner. The PIN length
can vary between 8 and 128 bits (1 to 16 bytes), but in most cases a 4-digit
decimal PIN is used, which leaves only 10,000 candidates to try. Moreover, a
device with no means of entering a PIN uses a fixed default such as '0000'. This
makes PIN crunching (exhaustive PIN search) immediate.
Active theft targets the first step of the initialization protocol, in which the
initialization key is generated from the PIN (which the attacker must guess). The
attacker then runs the second step, the challenge-response authentication, with
the victim device, having completed the first step with it using the guessed PIN.
If the guess is correct, the victim replies as if authentication had succeeded.
If the guess is wrong, the attacker nevertheless obtains the challenge-response
transcript, which can be used offline to test every candidate PIN the attacker
wishes to try.
In detail, an initialization key is computed for each candidate PIN, the
authentication algorithm is run over the captured transcript with that key, and
the candidate is accepted when the result matches the victim's response; at that
point the attacker has obtained the PIN of the victim's device. The active method
thus gives the attacker as much time as needed for the offline PIN crunching.
Once the initialization key has been obtained, all the other keys (the link key
and the encryption keys derived from it) are accessible to the attacker.
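The passive and active PIN-crunching attacks described in the two passages above, as an added example that is not part of the original text. The real Bluetooth E22 (initialization key) and E1 (authentication) functions are SAFER+ based; here they are replaced by HMAC-SHA256 stand-ins, an assumption labelled in the code, which preserves the one property the attack depends on: both are public, deterministic functions of the PIN, the device address and nonces sent in the clear. The device address, PINs and nonces are constructed sample values.

```python
"""Toy model of Bluetooth legacy (pre-2.1) PIN pairing and offline PIN crunching.

ASSUMPTION: e22() and e1() are HMAC-SHA256 stand-ins, NOT the SAFER+ based
Bluetooth primitives. The attack only needs that both are public deterministic
functions of (PIN, address, nonce), which this model keeps.
"""
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass
from typing import Optional, Tuple


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Stand-in for E22: 128-bit initialization key K_init from PIN, address, IN_RAND."""
    return hmac.new(in_rand, b"E22" + pin + bd_addr, hashlib.sha256).digest()[:16]


def e1(key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:
    """Stand-in for E1: 32-bit SRES from key, claimant address and challenge AU_RAND."""
    return hmac.new(key, b"E1" + bd_addr + au_rand, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class Transcript:
    """Everything a passive sniffer sees: all of it travels in the clear."""
    bd_addr: bytes   # claimant's device address
    in_rand: bytes   # nonce used in step 1 (initialization key)
    au_rand: bytes   # challenge used in step 2 (authentication)
    sres: bytes      # claimant's 32-bit response to the challenge


def legitimate_pairing(pin: bytes, bd_addr: bytes) -> Transcript:
    """Two honest devices pair; only the values sent over the air are returned."""
    in_rand = os.urandom(16)
    k_init = e22(pin, bd_addr, in_rand)        # step 1: both sides derive K_init from the PIN
    au_rand = os.urandom(16)                    # step 2: verifier sends a challenge ...
    sres = e1(k_init, bd_addr, au_rand)         # ... and the claimant answers with SRES
    return Transcript(bd_addr, in_rand, au_rand, sres)


def active_probe(victim_pin: bytes, bd_addr: bytes) -> Transcript:
    """Active theft: the attacker initiates pairing with an arbitrary PIN guess.

    The attacker's own guess fails online, but the victim still answers the
    challenge with SRES computed from its real PIN, so a transcript is obtained
    that can be cracked offline at leisure.
    """
    in_rand = os.urandom(16)                    # attacker picks both nonces
    au_rand = os.urandom(16)
    victim_k_init = e22(victim_pin, bd_addr, in_rand)
    sres = e1(victim_k_init, bd_addr, au_rand)  # victim's reply, sent in the clear
    return Transcript(bd_addr, in_rand, au_rand, sres)


def crack_pin(t: Transcript, digits: int = 4) -> Optional[Tuple[bytes, bytes, int]]:
    """Offline PIN crunching over every decimal PIN of the given length.

    Each candidate is verified by recomputing step 1 (K_init) and step 2 (SRES)
    from the captured nonces. Returns (pin, k_init, attempts) or None.
    Note: SRES is only 32 bits, so a false match is possible with probability
    about 10**digits / 2**32; a real attacker confirms against a second SRES.
    """
    attempts = 0
    for combo in itertools.product(b"0123456789", repeat=digits):
        attempts += 1
        pin = bytes(combo)
        k_init = e22(pin, t.bd_addr, t.in_rand)
        if e1(k_init, t.bd_addr, t.au_rand) == t.sres:
            return pin, k_init, attempts
    return None


if __name__ == "__main__":
    addr = bytes.fromhex("001122334455")        # constructed sample device address
    # Passive case: sniff a real pairing that used the default PIN '0000'.
    sniffed = legitimate_pairing(b"0000", addr)
    print("passive:", crack_pin(sniffed))       # found on the very first attempt
    # Active case: attacker pairs with a wrong guess, then cracks the transcript.
    probed = active_probe(b"4729", addr)
    print("active: ", crack_pin(probed))
    print("4-digit keyspace: %d   16-byte keyspace: %d" % (10 ** 4, 256 ** 16))
```

With a 4-digit PIN the search finishes in a fraction of a second; the 16-byte maximum the specification allows would be far out of reach, which is why the weakness lies in how PINs are chosen rather than in the key length. Bluetooth 2.1 replaced this PIN-derived initialization key with Secure Simple Pairing for exactly this reason.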
In the third case, the attacker assumes the identity of each of the two
communicating devices towards the other, in a man-in-the-middle attack. If the
attacker is in possession of the link keys of the two devices, then the