I am angry with you! What could have been a really freakin’ sweet technology has turned out to be a real pain in the ass. I’m not even concerned about the problems that Bluetooth has running on Linux, I’m concerned with the core technology… and how busted it is.

Let’s make a couple of assumptions about Bluetooth and then I shall plead to the spiteful standards gods for change!
1. The range of Bluetooth is short, only 30ft. Though it’s possible to connect at large distances, it’s difficult and I believe it hurts the nature of Bluetooth; the limited range offers some advantages in terms of security.
2. This personal area network that Bluetooth creates is not ad hoc; people create an intentional set of trusted systems that communicate because it’s personal. Let’s dig into that more below.
3. Personal: “Relating to an individual, his character, conduct, motives, or private affairs…” I wanted to define this term so we all know what kind of information Bluetooth should be designed to handle. In your personal network, information can be private or sensitive, therefore security is a concern.
Please fix Bluetooth to not suck so much! AFAIK it’s mostly security concerns (of many varieties) that mean you can’t really have all your Bluetooth devices always visible; power is another, but it’s more minor than security (see the above definition of personal). The security concerns range from getting bluejacked to helping thieves know that you left your phone in your car.
“The Bluetooth Special Interest Group (SIG) has told people to set eight-digit PINs when pairing two devices and to take other precautions”
“The Bluetooth SIG’s advice is don’t re-pair in a public place, where someone else might eavesdrop, and use a longer PIN.”
PIN security would make Bluetooth safer
“What we found was that we can take it one step further and bypass the pairing requirement and go straight for some of the contacts on the telephone,”
Pickpockets turn to technology
“Thieves are using new ‘blue-tooth’ phones to detect whether motorists have left mobiles or laptops in their cars. The ‘blue-tooth’ facility enables thieves to locate compatible electrical items – even if they are hidden away in a boot or glove compartment.”
Alert over hi-tech thieves who scan cars for laptops
I have a simple fix, a request along with my above plea, to alleviate what I feel are most of the security concerns as I see them.
Bluetooth should require an initializing physical connection for pairing devices.
I said require, but since the technology and standard are already out, it’s more likely “recommend”. So the Bluetooth standard should recommend that Bluetooth devices have a physical connection to one another before they can pair with each other. Use a standard like a USB cable (micro or mini) where power and possibly even secret keys can be exchanged between devices over a physical cable. It’s possible to extend this concept to other cable types besides USB.
Will all bluetooth connections require a physical connection?
No, obviously you might want to send a contact from one person’s phone to another, and it would negate the wireless benefits if you had to get a cable out. Pairing with a device would prefer a wired connection to initialize; however, it wouldn’t be required. You could still pair with devices as you do now, but the quick and easy way would be with a mini USB cable.
Could I still pair without a cable?
Again, yes. The current method of pairing would still work; however, it would be the deprecated method.
Why a USB cable?
USB cables could be used for power as well as for transferring some crypto information that the two devices need to communicate. In most cases (a PDA, wireless headphones) it would be simple to require a mini USB cable connection the first time you use the device. Future uses could power these devices and exchange new keys.
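To make the cable idea concrete, here is an added sketch (not part of the original post, and not Bluetooth’s actual pairing protocol): a random 128-bit key is copied between two devices during a simulated wired step, and the radio link afterwards only carries a fresh nonce and an HMAC-SHA256 response. The `Device` class, the function names and the message layout are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets


class Device:
    """Toy device. Class, method names and message layout are illustrative assumptions."""

    def __init__(self, name):
        self.name = name
        self.link_keys = {}  # peer name -> 128-bit key received over the cable

    def respond(self, peer, nonce):
        """Prove knowledge of the key shared with `peer` for a fresh nonce."""
        key = self.link_keys.get(peer)
        if key is None:
            return None  # never cabled to this peer, nothing to prove
        return hmac.new(key, self.name.encode() + nonce, hashlib.sha256).digest()

    def verify(self, peer, nonce, response):
        """Check a peer's response; unknown peers always fail."""
        key = self.link_keys.get(peer)
        if key is None or response is None:
            return False
        expected = hmac.new(key, peer.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def cable_pair(a, b):
    """One-time wired step: the key is generated and copied without touching the radio."""
    key = secrets.token_bytes(16)
    a.link_keys[b.name] = key
    b.link_keys[a.name] = key


def radio_authenticate(verifier, prover):
    """Over-the-air step: only the nonce and the MAC are visible to a listener."""
    nonce = secrets.token_bytes(16)  # fresh per attempt, so old responses cannot be replayed
    return verifier.verify(prover.name, nonce, prover.respond(verifier.name, nonce))


if __name__ == "__main__":
    laptop, headset = Device("laptop"), Device("headset")
    cable_pair(laptop, headset)
    stranger = Device("headset")  # claims the same name, was never cabled
    print(radio_authenticate(laptop, headset), radio_authenticate(laptop, stranger))
```

Because the key never crosses the radio, a device that merely claims a paired name has nothing to answer the challenge with, and there is no PIN exchange in public to eavesdrop on.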
Should bluetooth devices still be discoverable?
Because of security concerns many devices aren’t discoverable now and more and more are becoming less discoverable. With the physical connection recommendation, there can be alternate designs around only making devices discoverable for short periods of time when you want to actively send or receive something.
Obviously some phones and other devices don’t have a USB cable connection. This is too bad; pairing in private with PIN codes would therefore still be available. There may be other kinds of cables that could provide the same effect as a USB cable.
Is Bluetooth fixed with the addition of USB cables for pairing? Not really, there are other things that need attention, but I would like to use Bluetooth for a lot more things except that the current system has become so crippled due mostly to issues of security. A physical connection provides much more security, this is not security…
If someone has physically connected to your laptop via a USB cable, it’s probably game over for lots of security problems, since they are physically at your computer. Getting this kind of PIN dialog for different wireless connections is problematic in every way possible. Just my thoughts.