[liberationtech] How secure is Bluetooth?

Matt Mackall mpm at selenic.com
Sun Jan 29 15:52:12 PST 2012


On Sun, 2012-01-29 at 14:47 -0800, Brian Conley wrote:
> Thanks Jacob,
> 
> I expected you'd reply thusly. The implementation I'm talking about
> doesn't appear to be compromised based on what I've read in the links
> you've provided. The first link, from usenix, seems to be most
> damning, however doesn't appear to suggest that the packets from a
> voice call can be put back together in such a way they can be listened
> to. Even if that is true, it appears based on what I'm reading that,
> at most, current tools as of that paper, would only enable you to
> listen to, at most, 2.4 seconds of audio from a one minute call.

Ok, so two academics in '07 get 90% of the way to a fully-working
attack, but are stymied by a silly timing limitation in the
software-defined radio they had on hand. They could trivially fix it by
dropping another $1k on a second USRP for leapfrogging to the next
channel, given that they _have exposed the hopping pattern_.

And you conclude... "not compromised". Huh.

I conclude "compromised for all practical purposes": I could take their
paper and $2000 and build a fully-working attack if I had the
motivation. As could any motivated interception capability vendor. Odds
that this capability already exists: rapidly approaching unity.

Also note that recording the traffic on all 79 3Mbit/s channels is
trivially within the capabilities of any organization that designs its
own hardware. This IC has programmable hop parameters and is < $5:

www.atmel.com/atmel/acrobat/doc1612.pdf

Slapping 79 of those on a board with a high-gain antenna and a USB
interface left as an exercise for the reader.

-- 
Mathematics is the supreme nostalgia of our time.