Bluetooth Hacks: 'Fuzzing' Report Prompts Security Concerns
By Nick Clayton, The Wall Street Journal
Most people probably buy a Bluetooth headset for their cellphone without worrying too much about its security. There are just so many of these devices that it's not unnatural to assume that any risks would be well publicized. But, Finnish company Codenomicon Defensics claims in a white paper entitled "Fuzzing Bluetooth" that there could be cause for concern:
Lately, more attention has been paid to security of Bluetooth systems, but the focus has been on pairing and authentication. Handling of malformed data has been Lately, more attention has been paid to security of Bluetooth systems, but the focus has been on pairing and authentication. Handling of malformed data has been largely ignored. Yet it is the malformed data, broken inputs that Bluetooth systems have little tolerance for. Test results from plugfest events are worrying: failure rate of over 80% is devastating.
The technique of deliberately overloading devices with erroneous data to make them crash is commonly used by hackers in a variety of situations. The "fuzz testing" used by Codenomicon is claimed to track the effects of "broken input" to find potential security vulnerabilities. There has been less focus on Bluetooth than other forms of networking because it works on an individual short-range basis, one person and one cellphone, for instance.
More from the WSJ blogs: