Bluetooth v2.1 – A New Security Infrastructure and New Vulnerabilities
Andrew Lindell
Aladdin Knowledge Systems and Bar-Ilan University, Israel
Talk Outline
Background
Offline versus online dictionary attacks
Secure password-based authentication
Bluetooth v2.0
Important: the attacker must “inject” its own key in the exchange
Core V2.1 + EDR, volume 2, part H, section 7.2.3
This is fine: the devices force one-time passkeys
Will users use different passkeys each time?
Core V2.1 + EDR, volume 3, part C, section 3.2.3
This is ambiguous because the pointer is to legacy pairing (backward compatibility), but that’s the only “hint”.
Always a good idea
Shown to not be too effective
Not relevant any more: requires re-education
Not good enough anymore! Vulnerabilities
* Already observed in: J. Suomalainen, J. Valkonen and N. Asokan. Security Associations in Personal Networks: A Comparative Analysis. In ESAS 2007, pages 43-57.
Legal Notice
© Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved.