With regard to Keith J. Winstein's article on Bluetooth security ("Bluetooth Tools Are Susceptible to Tampering," June 16), I would agree that the system is not bulletproof. With a small amount of education, however, we can all take responsibility for the security aspects and enjoy the benefits of these products.
The weaknesses in Bluetooth security center on the pairing procedure, in which the devices, such as a phone and headset, exchange the encrypted personal identification numbers. The well-documented risk is that someone who eavesdrops on this transaction can, with a minimal amount of computing power, calculate your PIN from this information. The attack method described by Avishai Wool and Yaniv Shaked is similar in that it uses the pairing procedure to try to get you to enter your PIN again.
The solution is simple. If you care about your Bluetooth security, then you need to treat your Bluetooth-enabled device like your credit card. Don't enter your PIN (i.e. pair with a device) in a public place; that way, nobody will see or hear your code. Similarly, if someone asked you to confirm your credit card PIN unexpectedly, you wouldn't do it. It's the same for your Bluetooth PIN.
Don't forget the basics. The simplest form of Bluetooth attack is when someone pairs with a phone that's been left unattended on a desk and simply enters his own number to access the phone's data. And remember that it's far easier to listen in on your conversation by conventional eavesdropping than to try to intercept the radio transmissions.
Finally, if you're thinking of buying a Bluetooth device, I say vote with your feet and insist on one with a PIN that can be changed. You wouldn't accept a credit card with a fixed PIN of "0000," would you?