Bluetooth may leave PDAs wide open

[InfoSec News <isn () c4i org>]

http://news.zdnet.co.uk/story/0,,t460-s2123677,00.html

Thursday 10th October 2002
Peter Judge   

RSA 2002: If you have Bluetooth, make sure security is enabled, or
others might snoop your contacts or even make calls from your phone

Bluetooth-enabled phones and PDAs may have a gaping security gap,
which could allow other people to read data such as personal contacts
and appointments, and even make phone calls using the owner's
identity. Some of these devices are shipped with the security features
in Bluetooth disabled, allowing other Bluetooth devices access,
according to RSA Security.

"I have stood at the RSA booth in conferences, with my phone paging
for other devices, and watched other people's devices show up," said
Magnus Nystrom, technical director of RSA Security. Many devices
simply allowed access without demanding a "pairing" code, said
Nystrom, and would have allowed him to examine the personal data of
passers-by, or even to make calls with their phones.

Such phone calls (which might flippantly be described as warphoning)  
would be a serious breach. Not only could they add vastly to the
victims phone bill, they could also allow the attacker to impersonate
the victim. Using phone numbers from the victim's database, he could
call people or businesses known to the victim, who might accept the
call as genuine since it would come from the victim's own phone.

"That's scary," said Peter Laakkonen, principal at SecVen, a US-based
security strategy advisor, and a speaker at the RSA Conference in
Paris. "If people don't realise they have Bluetooth, they may be
unaware of the possibility of this weakness. Other people could be
impersonating them without their knowledge."

Most Bluetooth-enabled devices -- particularly those from leading
brands -- appear to ship with security enabled. This includes all
devices from Palm, iPaq, Ericsson and Nokia that have arrived in the
ZDNet UK offices for review.

Work is underway to improve both authentication and encryption over
Bluetooth links, according to Nystrom, who is concerned about
weaknesses in Bluetooth, even when security is enabled.

Bluetooth, conceived as a cable replacement technology for linking
devices within the user's field of view, was designed with a limited
amount of security, but even the basic standard contains enough
security features to eliminate this threat. Under Bluetooth's security
specification, before two devices pair, the same code number must be
entered into both of them.

Within phones, features such as address books and phone are set up as
different services. Business card exchange is usually set up with no
security, as this is data that you want public, but other services are
not accessible from this one.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.