Bluetooth needs long PINS for security

Users have been told to use longer PINs to repell a Bluetooth hack

Bluetooth, the wireless connection used on PDAs and phones, is not safe unless you use an eight-digit PIN number to secure devices, users have been warning.

The Bluetooth Special Interest Group has told users to set eight-digit PINs when pairing two devices, and take other precautions, after a report described a way for hackers to crack the security codes on Bluetooth devices and seize control of them.

For security, Bluetooth devices will not communicate until they have 'paired' -- a one-off process in which both devices must enter the same PIN number. A hacker that listens in on the pairing process can decode the PIN, and then take control of the link, siphon off data or, potentially, take control of either of the devices.

Because Bluetooth has a short range, and pairing is a one-off process between any two devices, most users were considered safe -- until a fiendish extension of the attack was described this month by Yaniv Shaked and Avishai Wool of Tel Aviv University in Israel.

The new attack can force two Bluetooth devices to come 'un-paired'. When the user pairs them again, the hacker can listen to the pairing process and crack the PIN, warn the researchers.

The simplest way to force Bluetooth devices to re-pair is to send a message that purports to come from one of them, claiming to have lost the key. Three ways to force re-pairing are described in "Cracking the Bluetooth PIN", presented by Avishai Wool and Yaniv Shaked of Tel Aviv University, at the Mobisys conference in Seattle.

The Bluetooth SIG’s advice echoes that of Wool and Shaked -- don’t re-pair in a public place, where someone else might eavesdrop, and use a longer PIN.

"When you pair devices for the first time, do this in private -- at home or in the office," advises the SIG. "If your devices become unpaired while you are in public, wait until you are in a private, secure location before repairing your devices, if possible."

"Always use an eight character alphanumeric PIN code as the minimum," says the SIG. "You only have to enter this once, so [a longer code] is not a hardship given the security benefits."

The SIG agrees with the researchers that a PC can crack a four digit code in a tenth of a second but reckons an eight digit PIN would take 100 years, "making this crack nearly impossible". Some devices, such as headsets, include a factory-set four-digit PIN, but most devices like phones allow users to set the PIN they want.

The SIG is also at pains to assure users that the hack is only an academic paper at present. "The equipment needed for this process is very expensive and primarily used by developers only," says its advice. "It is highly unlikely that a normal user would ever encounter such an attack."

As ever, knowledge is important. "The attack also relies on a degree of user gullibility, so understanding the Bluetooth pairing process is an important defence," said the SIG.