Date: 2000-08-15
Schneier on Bluetooth
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
Particular attention is drawn to the last sentence of this
brief and really quite devastating analysis: Bluetooth should
by all means be treated as what it is: "a broadcast
protocol"
Sometime in the 1950s, various governments realized that
you could eavesdrop on data-processing information from
over a hundred feet away, through walls, with a radio receiver.
In the U.S., this was called TEMPEST, and preventing
TEMPEST emissions in radios, encryption gear, computers,
etc., was a massive military program. Civilian computers are
not TEMPEST shielded, and every once in a while you see a
demonstration where someone eavesdrops on a CRT from 50
feet away.
Soon it will get easier.
Bluetooth is a short-range radio communications protocol that
lets pieces of computer hardware communicate with each
other. It's an eavesdropper's dream. Eavesdrop from up to
300 feet away with normal equipment, and probably a lot
further if you try. Eavesdrop on the CRT and a lot more.
Listen as a computer communicates with a scanner, printer,
or wireless LAN. Listen as a keyboard communicates with a
computer. (Whose password do you want to capture today?)
Is anyone developing a Bluetooth-enabled smart card reader?
What amazes me is the dearth of information about the
security of this protocol. I'm sure someone has thought about
it, a team designed some security into Bluetooth, and that
those designers believe it to be secure. But has anyone
reputable examined the protocol? Is the implementation
known to be correct? Are there any programming errors? If
Bluetooth is secure, it will be the first time ever that a major
protocol has been released without any security flaws. I'm
not optimistic.
And what about privacy? Bluetooth devices regularly
broadcast a unique ID. Can that be used to track someone's
movements?
The stampede towards Bluetooth continues unawares.
Expect all sorts of vulnerabilities, patches, workarounds, spin
control, and the like. And treat Bluetooth as a broadcast
protocol, because that's what it is.
Bluetooth: <http://www.bluetooth.com>
A list of Bluetooth articles, none of them about security: <http://www.zdnet.co.uk/news/specials/1999/04/bluetooth/>
One mention of security: <http://www.zdnet.co.uk/news/2000/24/ns-16164.html>
An essay about the Bluetooth hype: <http://www.idg.net/ic_199451_797_9-10000.html>
Recent article on TEMPEST: <http://www.zdnet.com/zdnn/stories/news/0,4586,2612547,00.html>
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 2000-08-15
comments to office@quintessenz.at