You've probably heard the technical details of the latest
Bluetooth vulnerability. It's based on exploiting a
weakness in the Bluetooth spec between paired devices, and therefore affects all Bluetooth phones using the current spec.
The Wall Street Journal has a story today about the exploit and what it means to the 10% of cellphone users who have
Bluetooth-enabled devices. And it appears that the exploit is not too hard to pull off: "Using their research, security
experts said, a device capable of tapping into Bluetooth gear could be built for about $2,000."
$2000 eh? Looks like I found a new Bluetooth project.
[Thanks, Carl.]
This niche blog has now been merged into The Wireless Report (www.thewirelessreport.com), which covers all things wireless.
Latest Bluetooth vulnerability sounds kind of bad
Reader Comments
2. The Bluetooth security concern is overly stressed (I wonder if the phone carriers actually sponsor some of these articles). It's like saying we all should never use email and internet because we can get our computers exposed to viruses and other attacks. I paid for the device to get this functionality, it should be my call if I want to enable or disable it. This really discourages creativity and the advance of the new technology. It's 20th century! We are in the Stone Age anymore.
Posted at 5:25AM on Dec 19th 2005 by Lake

1. This attack has been blown out of proportion. It is not based on a weakness in the Bluetooth spec, but rather the user’s choice of a weak PIN code and an implementation issue from the device manufacturer. The Bluetooth spec defines a number of different security options. Which ones are implemented, how they are controlled, and the default behavior are largely up to the device manufacturer. The Bluetooth SIG does, however, provide guidance by making recommendations on how to create a secure device. Simply heeding their advice to not allow pairing (or re-pairing) by default will prevent this attack. I do not know of any phones on the market that allow pairing by default. I don’t know how many phones handle re-pairing improperly, but in that case the user will still be prompted to enter a PIN code.
How can this be considered a weakness in the Bluetooth spec?
Posted at 5:25AM on Dec 19th 2005 by Bryan Hall