March 25

Hacking Bluetooth Devices

Cryptographers have discovered a way to hack Bluetooth-enabled devices even when security features are switched on. The discovery may make it even easier for hackers to eavesdrop on conversations and charge their own calls to someone else’s cellphone.

Bluetooth is a protocol that allows different devices including phones, laptops, headsets and printers to communicate wirelessly over short ranges - typically between 10 and 100 metres.

Over the past few years security experts have devised many ways of hacking into Bluetooth communications, but most require the Bluetooth security features to be switched off. In April 2004, UK-based Ollie Whitehouse, at that time working for security firm @Stake, showed that even Bluetooth devices in secure mode could be attacked. His method allowed someone to hijack the phone, giving them the power to make calls as if it were in their own hands.
Pairing up

But this technique did not pose a serious risk because it could be performed only if the hacker happened to catch two Bluetooth devices just before their first communication, during a process known as "pairing". Before two Bluetooth devices can communicate they must establish a secret key via this pairing process. But as long as the two devices paired up in a private place there was no risk of attack, explains Chris McNab of the UK security firm TrustMatta.

Now Avishai Wool and Yaniv Shaked of Tel Aviv University in Israel have worked out how to force devices to pair whenever they want. "Our attack makes it possible to crack every communication between two Bluetooth devices, and not only if it is the first communication between those devices," says Shaked.

"Pairing allows you to seize control," says Bruce Schneier, a security expert based in Mountain View, California. "You can sit on the train and make phone calls on someone else’s phone."
Sniffing the airwaves

During pairing, two Bluetooth devices establish the 128-bit secret "link key" that they then store and use to encrypt all further communication. The first step requires the legitimate users to type the same secret, four-digit PIN into both devices. The two devices then use this PIN in a complex process to arrive at the common link key.

Whitehouse showed in 2004 that a hacker could arrive at this link key without knowing the PIN using a piece of equipment called a Bluetooth sniffer. This can record the exchanged messages being used to derive the link key and feed the recordings to software that knows the Bluetooth algorithms and can cycle through all 10,000 possibilities of the PIN. Once a hacker knows the link keys, Whitehouse reasoned, they could hijack the device.

But pairing only occurs the first time two devices communicate. Wool and Shaked have managed to force pairing by pretending to be one of the two devices and sending a message to the other claiming to have forgotten the link key. This prompts the other device to discard the link key and the two then begin a new pairing session, which the hacker can then use.
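
The following is an added example, not part of the original article: a toy model showing why a four-digit PIN gives no protection once the pairing exchange has been recorded, and how the work grows with PIN length. HMAC-SHA256 stands in for the Bluetooth algorithms, and every address, nonce and PIN is constructed.

```python
# Added illustration: toy model of an offline PIN search over a recorded pairing.
# HMAC-SHA256 is a stand-in for the Bluetooth algorithms; all values are constructed.
import hashlib
import hmac
import time

ADDR = bytes.fromhex("001122334455")   # constructed device address
IN_RAND = bytes(range(16))             # constructed pairing nonce, visible to a recorder
CHALLENGE = bytes(range(16, 32))       # constructed challenge, visible to a recorder


def link_key(pin):
    """Stand-in derivation: the PIN is the only input a recorder does not see."""
    return hmac.new(pin.encode(), IN_RAND + ADDR, hashlib.sha256).digest()[:16]


def response(key):
    """Stand-in authentication response computed from the 128-bit link key."""
    return hmac.new(key, CHALLENGE, hashlib.sha256).digest()[:8]


def record_pairing(pin):
    """The value a passive recorder captures when two devices pair with `pin`."""
    return response(link_key(pin))


def consistent_pins(observed, digits):
    """Return every PIN of `digits` digits that reproduces the recorded response."""
    hits = []
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hmac.compare_digest(response(link_key(pin)), observed):
            hits.append(pin)
    return hits


def search_cost(digits):
    """Return (candidates tested, seconds) for exhausting PINs of this length."""
    start = time.perf_counter()
    consistent_pins(record_pairing("0" * digits), digits)
    return 10 ** digits, time.perf_counter() - start


if __name__ == "__main__":
    print(consistent_pins(record_pairing("4821"), 4))
    for digits in (4, 5, 6):
        count, secs = search_cost(digits)
        print(f"{digits}-digit PIN: {count} candidates, {secs:.2f} s")
```

Each extra digit multiplies the candidate count by ten, so the PIN length is the only parameter in this model that changes the cost of the search.
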
Surprisingly easy

In order to send a "forget" message, the hacker must simply spoof one of the devices' personal IDs, which can be done because all Bluetooth devices broadcast this automatically to any Bluetooth device within range.

"Having it done so easily is surprising," says Schneier. He is also impressed by the fact that Wool and Shaked have actually implemented Whitehouse’s idea in real devices. They show that once an attacker has forced two devices to pair, they can work out the link key in just 0.06 seconds on a Pentium IV-enabled computer, and 0.3 seconds on a Pentium-III.

"This is not just a theoretical break, it’s practical," says Schneier.

Shaked and Wool will present their findings at the MobiSys conference next Monday in Seattle, Washington, US.
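
As an added example (not from the original article), the check below flags the pattern the article describes from the defender's side: a peer that is already bonded claims to have lost its link key and a new pairing request follows. The event names, log layout, timestamps, addresses and 30-second window are all hypothetical.

```python
# Added illustration: flag re-pairing that follows a "link key lost" claim from
# an already-bonded peer. Event names and log layout are hypothetical.
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-08T09:14:02 PAIR_COMPLETE peer=00:11:22:33:44:55
2024-01-08T09:20:10 AUTH_OK peer=00:11:22:33:44:55
2024-01-08T12:02:45 PAIR_REQUEST peer=66:77:88:99:AA:BB
2024-01-08T12:02:51 PAIR_COMPLETE peer=66:77:88:99:AA:BB
2024-01-08T17:41:37 KEY_MISSING peer=00:11:22:33:44:55
2024-01-08T17:41:38 PAIR_REQUEST peer=00:11:22:33:44:55
"""  # constructed sample, not captured from a real device

WINDOW = timedelta(seconds=30)  # assumed gap linking the claim to the re-pair


def parse(line):
    """Split one log line into (datetime, event name, peer address)."""
    stamp, event, peer = line.split()
    return datetime.fromisoformat(stamp), event, peer.split("=", 1)[1]


def forced_repair_alerts(log_text):
    """Return (timestamp, peer) for each re-pair request that a bonded peer
    triggered by first claiming it had lost the stored link key."""
    bonded = set()      # peers we already hold a link key for
    lost_claims = {}    # peer -> time it claimed the key was lost
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, peer = parse(line)
        if event == "PAIR_COMPLETE":
            bonded.add(peer)
            lost_claims.pop(peer, None)
        elif event == "KEY_MISSING" and peer in bonded:
            lost_claims[peer] = when
        elif event == "PAIR_REQUEST" and peer in lost_claims:
            if when - lost_claims[peer] <= WINDOW:
                alerts.append((when.isoformat(), peer))
    return alerts


if __name__ == "__main__":
    for when, peer in forced_repair_alerts(SAMPLE_LOG):
        print(f"{when} unexpected re-pair with bonded peer {peer}: confirm out of band")
```

A first-time pairing produces no alert; only a re-pair request tied to an existing bond is reported, since the claimed address alone proves nothing about who sent the message.
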
March 11

Is String Theory Wrong?

The trouble with physics, Lee Smolin claims, is that it has made remarkably little real progress in the last 30 years. Given that we constantly hear of major new breakthroughs on the road to an ultimate theory of everything, this may sound like the carping of a crank. But Smolin is a leading player in theoretical physics, known to the wider reading public through two previous outstanding books. He has to be taken seriously, and his assessment is a grim one.

In the 1970s, Smolin explains, physicists perfected the so-called 'standard model' which explains how particles called quarks and leptons combine to form the familiar atoms of matter. The theory was triumphantly vindicated in particle accelerator experiments, but the one force still left unexplained was gravity. What has been going on since then has been a worldwide attempt to explain how quantum particles make things fall down. The search led to conjectures that our universe has more dimensions than three, and that matter might really be made of tiny 'superstrings'.

But as Smolin emphasises, these remain conjectures. Despite acres of overheated coverage that has appeared in popular science magazines and documentaries, there remains not one shred of hard physical evidence for superstrings, supersymmetry, extra dimensions, parallel realities and all the other wonders that feed science fiction with an endless supply of useful jargon.

Nevertheless, superstring theory has taken over as the number one research topic for physicists around the world. Smolin says that if you want to get a job in a university theoretical physics department, you have to work on superstrings or its even more hypothetical successor, 'M theory'. The picture he paints will be of interest to academics in other fields who have seen similar takeovers by modish theories.
At Harvard it became fashionable to speak of 'postmodern physics', with 'mathematical beauty' considered the essential mark of validity in the absence of anything more concrete.

The downside of Smolin's book is the amount of time he takes explaining details of a theory in which from the outset he expresses doubts, lessening the reader's willingness to unpick the technical minutiae. Anyone who has struggled with more optimistic accounts of string theory written by true believers will have a hard time here.

More interesting to a general audience is Smolin's account of possible alternatives to string theory, which a few brave souls (Smolin included) are pursuing in the academic wilderness while all the big research grants go to the string people. He offers sensible advice on how the system might be improved so that young researchers are less dependent on the patronage and approval of older scientists eager to see their own ideas vindicated. Einstein had trouble finding a job one hundred years ago - Smolin says he would have an equally hard time now, since the dominance of string theory favours virtuoso problem solvers rather than deep thinkers.

Recently, though, it seems that even the string theorists have begun to have doubts, having managed to find more potential 'theories of everything' than there are atoms in the universe, with no way of choosing which one might be right. History may look back on string theory as an intellectual triumph or a 30-year mistake. Only time will tell.

ARE YOU READY TO LEARN ABOUT STRING THEORY...? IF SO CLICK LINK http://www.pbs.org/wgbh/nova/elegant/program.html