XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
It is currently Mon Oct 03, 2016 12:07 am

All times are UTC - 8 hours




Post new topic Reply to topic  [ 12 posts ] 
Author Message
 Post subject: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 12:31 pm 
Offline

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5535
Location: NYC
My wife has a temporarily borrowed (yuck) iPad. Gave it my Network password and also logged in to Webmail. Too late, I realized that Bluetooth was turned on. I tested to see its range, and it was putting out a very healthy signal, through walls, to all corners of our apt. This means it was most likely broadcasting nicely to the neighboring apts, at least.

The barn door has now been closed, but I'm wondering just what the risks were: as in hacking of the iPad itself or possible sniffing of those very important pwords via Bluetooth? Will be a real PITA to change them, but I will if necessary. I know the kid (actually in his early twenties, but anyone under thirty looks like a kid to me) downstairs is into computers -- how sophisticated his skills are, I really don't know. He's probably too stoned out most of the time to do much of anything, but, still, I don't want to take any chances.

Btw, now that I actually have my hands on one of these things, I really don't see the point. Nice consumer gadget, I suppose.


Last edited by WZZZ on Thu Aug 09, 2012 12:39 pm, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 12:39 pm 
Offline

Joined: Thu May 15, 2008 8:02 pm
Posts: 2274
I leave bluetooth on for my iPhone and iPad and have never had a problem.


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 12:40 pm 
Offline

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5535
Location: NYC
psalad wrote:
I leave bluetooth on for my iPhone and iPad and have never had a problem.

But are you within range of possible Bluetooth eavesdroppers with the iPad?


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 12:44 pm 
Offline

Joined: Thu May 15, 2008 8:02 pm
Posts: 2274
WZZZ wrote:
psalad wrote:
I leave bluetooth on for my iPhone and iPad and have never had a problem.

But are you within range of possible Bluetooth eavesdroppers with the iPad?


Ya, it travels pretty much everywhere with me. Maybe I should be more paranoid, but I leave it open because I connect to my iPhone via bluetooth for tethering.


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 2:56 pm 
Offline
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9442
Location: North of the State of Jefferson
There was a notable Bluetooth vulnerability exploited on the Mac with a worm around the time the first Intel machines were out.

It's always a case of balance. I don't know of any current exploits, but if you don't need the service I'd turn it off. I keep it off on my machines. If you do need the service, you might want to keep it on unless you're using that computer to run uranium centrifuges, control floodgates on a large dam, run a credit card processing center, etc. If the cost of someone breaking in through Bluetooth is thousands of times greater than the value of using it, then by all means turn it off. In my case I get no value from it (if anything, it very slightly drains my computer's battery giving it a negative value), so the risk threshold above which I'd turn it off sits solidly at zero.

- Anonymous


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 3:20 pm 
Offline

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5535
Location: NYC
So it's a question of possible exploits, not sniffing of data? With this Ipad, the latter is what i was really concerned about. On the Mac, I have Bluetooth for the Magic Mouse, but don't use the BT keyboard, so no keystrokes going out to possibly be sniffed there.


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 3:26 pm 
Offline
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9442
Location: North of the State of Jefferson
If you have any data that will be sufficiently valuable after someone has taken the time to crack and decrypt it, then yes, you should turn Bluetooth off. Since it's difficult to know whether encryption is in use I wouldn't recommend sending sensitive data over Bluetooth connections (this is why I'm skeptical of Bluetooth keyboards). What sort of data were you specifically concerned about?

- Anonymous


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 3:44 pm 
Offline

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5535
Location: NYC
Quote:
What sort of data were you specifically concerned about?

Just my Network password and Webmail login password.


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 4:22 pm 
Offline

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5535
Location: NYC
This is the kind of thing that has me worried

Quote:
Disable Bluetooth when not in use

While there are some legitimate reasons for keeping the iPad’s Bluetooth short-range wireless function continuously running (such as using an external wireless keyboard), the capability also provides an open door for data spies. Unless you’re actually using a Bluetooth accessory, you can bolster your iPad’s security, and even save a little battery life by disabling the connection (Settings > General > Bluetooth > Off).

http://www.ipadintouch.com/ipad-securit ... ad-secure/

Is Bluetooth automatically encrypted? I'm seeing different things about that. For example, http://support.apple.com/kb/TA21370 which seems to imply it isn't encrypted by default. But there's this http://www.theipadguide.com/faq/what-bl ... ad-support

I'm reading that pairing BT devices automatically sets up encryption. But there is no pairing going on when using just the iPad itself, with BT enabled.

And I get numerous hits for "bluetooth sniffer" and "bluetooth sniffer software." Are there any legitimate uses for this stuff?


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Thu Aug 09, 2012 9:11 pm 
Offline
User avatar

Joined: Thu May 15, 2008 8:13 pm
Posts: 8687
Location: Suburbia
For two bluetooth devices to talk to each other, they must first be paired. Pairing sets up unique encryption keys that are used by each device to talk to the other.

That being said, no encryption method is foolproof, so if you're stuck in a traffic jam for hours and leave bluetooth enabled don't be surprised if someone breaks in and starts masquerading as one of the paired devices.

The security on Bluetooth comes down to what services are allowed over bluetooth. Disable file transfers, for example, and they can't transfer files on or off your system (barring some other vulnerable service available over BT that can be exploited to execute arbitrary code, yada yada yada).

Typically I leave BT disabled on iDevices, not for security really, but because laving it on powers a transceiver that drains your battery. If you're not actively using BT and desire some extra time from your battery... turn BT off.


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Fri Aug 10, 2012 4:24 am 
Offline

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5535
Location: NYC
Quote:
Typically I leave BT disabled on iDevices, not for security really, but because laving it on powers a transceiver that drains your battery. If you're not actively using BT and desire some extra time from your battery... turn BT off.

So back to my original question: When BT was still enabled, was it possible for someone nearby with the right tools to sniff out my Network password when I entered it into the iPad, or my Webmail login password? If that was possible, how likely is that, since it's a question of having the "right tools." (What about all those hits for "Bluetooth sniffer" and "Bluetooth sniffer software?" Looks like this stuff is widely available.)

And what about "the capability also provides an open door for data spies"?

Nothing to do with pairing, since the iPad wasn't paired with anything. Just BT enabled.

Is it reasonable to just forget about it or take no chances and change those pwords?


Top
 Profile  
 
 Post subject: Re: Bluetooth paranoia
PostPosted: Fri Aug 10, 2012 2:37 pm 
Offline

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5535
Location: NYC
This is somewhat reassuring.

Quote:
The iPad has the ability to enable Bluetooth protocols to allow devices like hands-free headsets and keyboards the ability to interface with the iPad. Natively the iPad does not function as a phone, although there are applications available to enable voice communications. Enabling Bluetooth allows keyboard or headset access to the device. The latest version of iOS does have API’s to disable Bluetooth and its associated devices. Disabling Bluetooth would lessen the attack surface, but many users prefer the convenience of wireless headsets when listening to audio from a mobile device. The iPad alerts users to active Bluetooth connections by displaying an interwoven triangle on the screen.
The exposure to sniffing traffic over a Bluetooth connection exists, but there is little risk due to the complexity and expense needed to sniff Bluetooth traffic. Setting up the equipment to sniff Bluetooth networks will cost over $1000 U.S. dollars, and sniffing Bluetooth is difficult because the traffic frequently switches channels. The sniffer would have to sniff all channels (full spectrum sniffer) in order to gather the traffic as it jumps channels. The bigger issue is a MITM (man in the middle attack) attack where an attacker tricks the iPad into pairing with a rogue attacker’s device. The attacker can then inspect all traffic as it flows through the rogue device.

http://www.sans.org/reading_room/whitep ... s-4x_33826


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 12 posts ] 

All times are UTC - 8 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group