Bluetooth Untangled

Continued from page 1

By Simson Garfinkel

March 26, 2003

Most Bluetooth devices get around the first problem with a special "discovery" procedure. Because Bluetooth has an effective range of about 30 feet, you can put your two Bluetooth devices on a table in a big room. If you can be reasonably sure that there are no other Bluetooth devices around, you then wirelessly associate the two devices, optionally typing a common password on both. The devices then learn each other's Bluetooth Device Address. After that, they can refer to each other by name.

Here's how it works: when I wanted to sync my Tungsten to my laptop, I turned on the Tungsten, clicked to the HotSync application, and told it that I wanted to set up a Bluetooth connection. My laptop's name appeared on the screen. I selected the Laptop and clicked "sync." On the laptop's screen I got a message saying that a particular Tungsten device wanted to sync; was this okay? I clicked "yes." Total time to set it up: about two minutes.

Once the wireless connection was set, I found that I could sync my Tungsten with my laptop as long as the two devices were in the same room. Pretty cool! Unfortunately, I can't figure out how to make the Tungsten automatically sync when I walk into the same room, but hopefully that's only a matter of time.

To send files between my two laptops, the process was pretty much the same. The first time through, I had to associate the two machines. After that, I could just click "Send File" from Apple's Bluetooth File Exchange program. A question appeared on the receiving computer asking whether it was okay to receive the transmission.

As Ericsson's orphaned headset demonstrated, Bluetooth is great-when you have enough devices. So the good news is Bluetooth is beginning to show up everywhere. HP's new mobile printer comes with a built-in Bluetooth radio, allowing you to print from a laptop or PDA without a cable. Bluetooth connects new GSM cell phones to wireless headsets (now just $89) and Bluetooth-enabled laptops, to serve as a wireless modem. In fact, just as I would no longer buy a laptop without Wi-Fi built-in, I also wouldn't buy one lacking Bluetooth.

So what about security? The short answer is don't Bluetooth those war plans. Back in May 2000, Juha T. Vainio at the Helsinki University of Technology evaluated Bluetooth's cryptography and other security parameters. Although the Bluetooth system provides limited encryption, it relies on custom protocols rather than established ones that had already been subject to attack. If this story sounds familiar, it's because the Wi-Fi folks did it too.  As a result, security holes were discovered only after the standard was built into millions of consumer devices.

I'm not saying that Bluetooth is not secure, but I wouldn't trust it with anything confidential. One of the points made by Vainio is that many Bluetooth devices will base their security entirely on a 4-digit PIN code. Even worse: it's estimated that 50% of all Bluetooth devices will use a default PIN of "0000."

Bluetooth's security comes largely from the fact that it is low-power, and thus low-range. If you use a Bluetooth keyboard, a military intelligence official with expensive equipment could probably eavesdrop on your keystrokes from across the street. But for most applications, you're probably safe. Likewise, if you use a Bluetooth connection from your laptop to your cell phone to go online and do e-banking, most of the security will be handled by the cryptographic connection between the Web server and your Web browser; Bluetooth's (in)security really shouldn't matter.

So go out and get your Bluetooth laptop and cell phone. Have a blast! And save your war plans for the land lines.