Do I need to remember my PIN?
No. It is not necessary to remember your PIN except in the
seldom situation when the PIN is a fixed PIN - in which
case simply retaining the user manual, with given PIN, for
future reference is advisable.
Why does pairing in a public
location potentially introduce a security risk?
Theoretically a hacker can monitor and record activities
in the frequency spectrum and then use a computer to
regenerate the PIN codes being exchanged. This requires
specially built hardware and thorough knowledge of Bluetooth
systems. By using a PIN code with eight or more
alphanumeric characters it would take the hacker years to
discover the PIN. By using a 4 digit numeric PIN code, the
hacker could discover the PIN in a matter of a few hours.
Still advanced software is required.
Is this a real risk to Bluetooth
Bluetooth devices generate a secure connection by
means of the initial pairing process. During this process
one or both devices need a PIN code to be entered, which
is used by internal algorithms to generate a secure key,
which is then used to authenticate the devices whenever
they connect in the future.
A new academic paper puts forward a theoretical process
that could potentially "guess" the security
settings on a pair of Bluetooth devices. To do
this the attacking device would need to listen in to the
initial one-time pairing process. From this point it can
use an algorithm to guess the security key and masquerade
as the other Bluetooth device. What is new in
this paper is an approach that forces a new pairing
sequence to be conducted between the two devices and an
improved method of performing the guessing process, which
brings the time down significantly from previous attacks.
To perform this hack, it is necessary for the attacker to
overhear the initial pairing process, which normally only
happens once in a private environment and takes a fraction
of a second. The authors have put forward some possible
methods to try and force a deletion of the security key in
one of the two Bluetooth devices, and hence
initiate a new pairing process, which they could then
listen in to. To do this, they need to masquerade as the
second device during a connection. The equipment needed
for this process is very expensive and usually used by
developers only. If this process succeeds the user will
see a message on their device that asks them to re-enter a
PIN code. If they do this while the attacker is present,
and the PIN code they enter is sufficiently short, then
the attack could theoretically succeed.
If the PIN key that has been used consists of only four
numeric characters, a fast PC can calculate the security
key in less than one tenth of a second. As the PIN key
gets longer, the time to crack the security code gets
longer and longer. At eight alphanumeric characters it
would take over one hundred years to calculate the PIN
making this crack nearly impossible.
This is an academic analysis of Bluetooth
security. What this analysis outlines is possible, but it
is highly unlikely for a normal user to ever encounter
such an attack. The attack also relies on a degree of user
gullibility, so understanding the Bluetooth
pairing process is an important defense.
Can the SIG guarantee me that all
of my future Bluetooth products will be secure?
Absolute security can never be totally guaranteed - in
technology or otherwise. Security is an ongoing and
important effort for any technology. The Bluetooth
SIG has made security a high priority from day one with
security algorithms that to date have proven adequate. In
the roadmap for the advancement of Bluetooth
wireless technology, the Bluetooth SIG published
security and privacy enhancements. These enhancements to
the specification further strengthen the pairing process
and ensure privacy after a connection is established. We
are continuing with our work in this area, trying to
always stay a step ahead of people trying to hack into