Group: Secure Bluetooth with long PINs

Bluetooth, the wireless connection used on PDAs and phones, is not safe unless you use an eight-digit PIN to secure devices, an industry group has warned.

The Bluetooth Special Interest Group has told people to set eight-digit PINs when pairing two devices and to take other precautions, after a report described a way for hackers to crack the security codes on Bluetooth devices and seize control of them.

For security, Bluetooth devices will not communicate until they have "paired"--a one-off process in which both devices must enter the same PIN, or personal identification number. A hacker that listens in on the pairing process can decode the PIN and then take control of the link, siphon off data or, potentially, take control of either of the devices.

Because Bluetooth has a short range, and pairing is a one-off process between any two devices, most users were considered safe--until an extension of the attack was described this month by Yaniv Shaked and Avishai Wool of Tel Aviv University in Israel.

The new attack can force two Bluetooth devices to come "unpaired," the researchers said. When the user pairs them again, the hacker can listen to the pairing process and crack the PIN.

The simplest way to force Bluetooth devices to re-pair is to send a message that purports to come from one of them, claiming to have lost the key. Three ways to force re-pairing are described in "Cracking the Bluetooth PIN", presented by Avishai Wool and Yaniv Shaked of Tel Aviv University, at the Mobisys conference in Seattle.

The Bluetooth SIG's advice echoes that of Wool and Shaked--don't re-pair in a public place, where someone else might eavesdrop, and use a longer PIN.

"When you pair devices for the first time, do this in private--at home or in the office," the SIG advised in a statement last week. "If your devices become unpaired while you are in public, wait until you are in a private, secure location before re-pairing your devices, if possible."

"Always use an eight character alphanumeric PIN code as the minimum," the SIG said. "You only have to enter this once, so (a longer code) is not a hardship given the security benefits."

The group agrees with the researchers that a PC can crack a four-digit code in a tenth of a second, but reckons an eight-digit PIN would take 100 years to break, making this crack "nearly impossible." Some devices, such as headsets, include a factory-set four-digit PIN, but most devices like phones allow users to set the PIN they want.

The SIG is also at pains to assure people that the hack is only an academic paper at present. "The equipment needed for this process is very expensive and primarily used by developers only," its advice reads. "It is highly unlikely that a normal user would ever encounter such an attack."

As ever, knowledge is important. "The attack also relies on a degree of user gullibility, so understanding the Bluetooth pairing process is an important defense," the SIG said.

Peter Judge of ZDNet UK reported from London.