I am angry with you! What could have been a really freakin’ sweet technology has turned out to be a real pain in the ass. I’m not even concerned about the problems that Bluetooth has running on Linux, I’m concerned with the core technology… and how busted it is.Lets make a couple of assumptions about bluetooth and then I shall plee to the spiteful standards gods for change!
1. The range of bluetooth is short, only 30ft. Though it’s possible to connect at large distances, it’s difficult and I believe it hurts the nature of bluetooth; the limited range offers some advantages in terms of security.
2. This personal area network that Bluetooth creates is not adhoc, people create an intentional set of trusted systems that communicate because it’s personal. Let’s dig into that more below.
3. Personal, “Relating to an individual, his character, conduct, motives, or private affairs…” I wanted to define this term so we all know what kind of information bluetooth should be designed to handle. In your personal network information can be private or sensitive, therefore security is a concern.
Plee
Please fix bluetooth to not suck so much! AFAIK it’s mostly security concerns (of many varieties) mean that you can’t really have all your bluetooth devices always visible; power is another but it’s more minor than the security (see the above definition of personal). Security concerns are coming from getting bluejacked, to helping thieves know that you left your phone in your car.
“The Bluetooth Special Interest Group (SIG) has told people to set eight-digit PINs when pairing two devices and to take other precautions”
“The Bluetooth SIG’s advice is don’t re-pair in a public place, where someone else might eavesdrop, and use a longer PIN.”
“What we found was that we can take it one step further and bypass the pairing requirement and go straight for some of the contacts on the telephone,”
“Thieves are using new ‘blue-tooth’ phones to detect whether motorists have left mobiles or laptops in their cars. The ‘blue-tooth’ facility enables thieves to locate compatible electrical items – even if they are hidden away in a boot or glove compartment.”
My Fix
I have a simple fix, a request along with my above plee to alleviate what I feel are most security concerns as I see them.
Bluetooth should require an initializing physical connection for pairing devices.
I said require, but likely since the technology and standard are already out it’s more likely “recommend”. So the Bluetooth standard should recommend that bluetooth devices have a physical connection to one another before they can pair with each other. Use a standard like a USB cable (micro or mini) where power and possibly even secret keys can be exchanged between devices over a physical cable. It’s possible to extend this concept to other cable types besides USB.
Will all bluetooth connections require a physical connection?
No, obviously you might want to send a contact from one person’s phone to another and it would negate the wireless benefits if you had to get a cable out. Pairing with a device would prefer a wired connection to initialize, however it wouldn’t be required. You could still pair with devices as you do now, however the quick and easy way would be with a mini USB cable.
Could I still pair without a cable?
Again, yes. The current method of pairing would still work, however it would be the deprecated method.
Why a USB cable?
USB cables could be used for power as well as data transfer of some crypto information for the two devices to communicate. In most cases, a PDA, wireless headphones it would be simple to require a mini USB cable connection the first time you use the device. Future uses could power these devices and exchange new keys.
Should bluetooth devices still be discoverable?
Because of security concerns many devices aren’t discoverable now and more and more are becoming less discoverable. With the physical connection recommendation, there can be alternate designs around only making devices discoverable for short periods of time when you want to actively send or receive something.
Obviously some phones and other devices don’t have a USB cable connection, this is too bad, thus pairing in private with PIN codes would still be available. There may be other kinds of cables that could provide the same effect as a USB cable could.
Addendum
Is Bluetooth fixed with the addition of USB cables for pairing? Not really, there are other things that need attention, but I would like to use Bluetooth for a lot more things except that the current system has become so crippled due mostly to issues of security. A physical connection provides much more security, this is not security…
If someone has physically connected to your laptop via a USB cable it probably game over for lots of security problems since they are physically at your computer. Getting this kind of PIN dialog for different wireless connects is problematic in every way possible. Just my thoughts.
I’m having difficulty coming up with any analogy for this more fitting than an optional variation of the Red Flag Act, but I suppose that will do at a pinch. You’re suggesting an optional and staggeringly awkward additional step. Adoption outside of the kind of communities who would shun wireless communication altogether anyway would be zero.
– Chris
FWIW, this is how Wireless USB works; the standard mandates that there needs to be a physical cable connection and pairing is done through exchanging keys on the wire.
Bluetooth should always be discoverable, but then you’d need the device makers to plug their security holes. Security through obscurity is the way they work, can’t really help that.
As for the ranting about the cable pairing, that’s already what some devices (such as the Playstation 3 Sixaxis controllers) use, needing proprietary software support (ie. you can use those in Linux, but they don’t work on Macs or Windows), and it’s also what will be in the next revision of Bluetooth (3.0 aka Lisbon, look for Simple Pairing), either through cables or proximity.
No need for a physical connection.
Take a look at this:
http://www.youtube.com/watch?v=ktJC0S4_X58
I don’t think there’s a need for a physical connection. You can simply implement a variable proximity protocol, so when devices go into pairing mode, their proximity goes down to 1 meter or something, instead of the usual 10 meters. Then, the pairing is a lot more “personal”.
I personally do not agree that BT devices should always be discoverable. The other day I was trying to send some files from my PocketPC phone to my Mac, and two other devices were in the list every time the app would ask me where to send the file. I don’t need to see these, I don’t want to see these.
I think that this is a great idea, but I think it would be neat if rather than a USB cable you just had to touch the devices together. The way that immediately popped into my head is, like some devices with cradle chargers always have contacts exposed that are used to charge, if you just had to touch the bluetooth synchronizing contacts on two devices together it would be even easier.
The range of bluetooth depends on what class the device is, a Class 1 device has a range of 100 metres. Further info here: http://en.wikipedia.org/wiki/Bluetooth. The distance limitation is a deliberate design, especially for phones accessories. If you want more than 30ft then realistically you want a different device or protocol.
Chris: there’s already an awkward step of turning your bluetooth device into discoverable mode, then exchanging PIN codes. With a set of bluetooth headphones I picked up I have to press and hold a button to make it available, then type in a static PIN code given with the manual in my computer. Suggesting the headphones scenario isn’t already awkward is just stupid, if my headphones had a USB cable to recharge and exchange security keys I wouldn’t need any of those steps plus I’d have an extra way to recharge my device.
David: I’ve never looked at USB wireless, but what you’re saying sounds pretty interesting.
Bastien: After reading about thieves breaking into cars because they could figure out what type of device (laptop or cell phone) is and know it’s in my car I’m a bit concerned about always having my devices discoverable. Also on a recent trip to NYC my phone was attacked by several bluetooth stations looking to pair with me in order to deliver advertisements. But I agree it’s much better to have bluetooth always discoverable.
Camila: Cool stuff! I’d never seen that before.
Eugenia: The physical connection shouldn’t be required in order to pair, however I think as a recommended method of pairing we could solve a lot of the issues with pairing. I like the proximity idea, maybe combine that with the shaking or touching devices together somehow and I think you could get somewhere.
Tim: Yeah, I think having the range limited is a very good thing.
Bryan, I’m curious what use cases you’re not able to satisfy with a 30 foot range (in reality it’s not always so small, but anyway). Make the range much bigger and you’d lose a lot of power and/or bandwidth, no?
I like the idea of using a small range for pairing mode. I only really see that being necessary for things like headsets that don’t have a display/input mechanism for pairing keys. For larger devices, just know what you’re pairing with – if it’s your friend’s phone, ask her what her phone’s name is.
As for discoverability, I just don’t see it as a problem: when I want to use bluetooth, I turn it on on the device I care about. When it’s on, it’s discoverable. When it’s off, it’s not wasting battery power. Are device manufacturers still screwing up bluetooth security? I’ve tried auditing my phone and haven’t been able to break it.
I can’t imagine what would cause me to ever leave my computer in my car, powered on, with bluetooth enabled. If I ever did, I don’t think you would need to rely on bluetooth to tell you that; you could just look in the window.