On Wed, Oct 06, 2004 at 10:04:43AM -0700, Allen Brown wrote:
> If two folks want to share addresses they then make their
> phones discoverable? That was probably the weakness that
> I heard about. Folks naturally forget to take the phone
> out of that mode afterwards. (And in any case, they are
> vulnerable during the transfer.)

Then you are at the mercy of your device's implementation not to have screwed it up. I agree that is a potential problem if your device maker can't be bothered to see to it that your Bluetooth stack is secure (or that the user can't be bothered to upgrade to secure firmware after an exploit is found and patched--which is far more of a problem...)

> I don't own a cellphone. Or a wireless phone. And my PDA
> doesn't have bluetooth.

It is only high-end devices that do, on all fronts. It's a nice feature, but it comes at a premium.

> Always closed? Bluetooth networks are only as secure as the
> weakest node on the network. How secure are Bluetooth
> headphones. Notice that they have no keyboard to enter a PIN.

Ahh, but that's untrue! Bluetooth networks aren't actually networks--they are point to point pairings. If I had a headset that knew about my phone, and my phone knew about my PDA, my headset cannot access my PDA. Also, a headset cannot receive a pairing request--it can only make one. And only then when you tell it to, physically, usually by pushing a button. The PIN is provided to you printed on a sticker stuck to the manual, most often. Better headsets have a little link cable and a software utility which can be used to set the PIN.

Headsets and keyboards are different from PDAs and phones in that they can only be paired with one device at a time, though many devices can be paired with them. I don't know if I'd trust that to be enough--the risk of people hearing my conversations or reading my typed passwords is enough to keep me away from these devices. For dialing my phone or sending a text message to my sister, that's another matter entirely.

> I remember reading a Bluetooth white paper several years ago
> (before the protocol hit the streets) that talked about linked
> Bluetooth networks. If any products implemented that feature
> then you pretty much have to assume you are on the open WWW net
> at all times.

A device paired with a cell phone that has a GPRS link will have access to that GPRS link. That is the most common exploit, actually. It differs from using an open wifi network in that the cost of GPRS is often by the kilobyte. It's why I don't have GPRS, and why only my PDA is paired with my phone. Nobody is accessing my phone but me. Of course, if I lost my PDA someone else could use my phone through it, but the same is true if I'd lost my phone.

> And good habits. But the implementation can require more
> discipline or less. Seems like Bluetooth requires more. More
> than most people have.

Leaving devices undiscoverable isn't a discipline to protect security any more than not putting your email address on a website is spam prevention. It's just a way of thwarting a common tool used by the undesirable. The correct approach is to keep an eye out for security advisories regarding your device and to expect (demand!) and apply security patches when they are made available.

You say that this is a discipline people don't have, and I agree. Look at all of the unpatched and unprotected win32 machines out there. Of course, look at all of the Red Hat 7 boxes out there running needlessly vulnerable software... The problem here is not the protocol nor even the majority of implementations. No, the problem lies with lazy people who can't be bothered to protect themselves.
