Bluetooth special interest group (SIG) spent considerable time to develop safe mode as the protection mechanism for link levels, such as a 128 element encryption, device authentication and authorization. But if you want to reach the highest trust requirements, application developers or IT organization must be add application security in link level security, in order to achieve protection from end to end. Because Bluetooth communication distance is short (only 10 meters), and automatic power adjusts mechanism to limit the signal radius, so it is not easy to remote block. However, Class 3 wave can make Bluetooth receiving distance increase to 100 meters.
Bluetooth authentication and encryption service are provided by connecting layer. Authentication adopts password-response mode. In the course of the connection, it may need one or two certifications, or without authentication. Certification is an important component for any Bluetooth systems. It allows users to add their own trusted Bluetooth devices. For example, only the user’s own laptop can communicate through the user's own mobile phone. Bluetooth system uses stream cipher encryption technology which is suitable for hardware implementation. The key length can be 0, 40 or 64, by the senior management of key software. Security mechanism of Bluetooth aims to provide the appropriate level of protection. If users have a high level of confidentiality requirements, they can use the effective transport layer and apply layer security.
Bluetooth device can communicate with the certified party for bilateral links, or permanently link (referred to as pairing, paired line), thus the trusted party does not need certification process every time (such as between telephone headset and phones). The weakest link of Bluetooth security is in the paired device online (pairing). Paired line would use Bluetooth address in the device (the steadfast address set by manufacturers) and individual ID number (PIN) to create a link key. In the matching process, hackers may guess the too short PIN, then get the link key, and tap all dialogue, or fabricate a device added to the match.
Currently people do not hear any Bluetooth security vulnerability. But there is a famous program that can use the test address number to detect presence of devices. In future, this software will have the opportunity to exposure device address, and attempt to perform on-line. But both sides should have common PIN number. Otherwise the hacker cannot attack. As all systems, the technology will be more mature, more users and developers use it, and vulnerabilities will be exposed faster. IT organization should study the safety function of Bluetooth device, and guide customers how put the security risk at a minimum. In general, if people do not use the authentication, they are inappropriate to transmit highly confidential information by Bluetooth.
No comments:
Post a Comment