Comment Maybe a crack - but not really useful (Score 1) 137
Ok, so I went and look at my bluetooth devices again (a Motorola cell phone and a Logitech keyboard/mouse) - in both cases, I don't see how this crack would actually work:
- With the Logitech keyboard, you actually have to type in the PIN from the keyboard in order for it to pair.
- The motorola must be told to pair specifically - so if it loses connection with a device, it won't automatically re-pair because I haven't made my phone pairable. To make the phone pairable requires a specific menu sequence and then it's only valid for about 30 seconds (and shuts off again).
In both these cases, I don't see a hacker getting in even with spoofing, because both of those events require user intervention (so perhaps the dumb user won't understand...)
I tried one more thing to confirm this - I got another laptop and named it identically to the first one...so it acted as the first one but without a pairing. Again, the phone ignored the request until I said it could pair (a manual interaction) and the keyboard required me to type in the pin from the keyboard. Btw, my laptop also doesn't allow pairing without explicit user intervention.
So great, they found a theoretical vulnerability, but one with an easy work around and one vendors have already seemed to predict. Besides, how useful can this be? As someone said, if you see someone stalking you, you have bigger problems. And if your keyboard stops working because it's paired to another device, it's unlikely you're going to be typing anything on it.
Find something else to worry about...
- With the Logitech keyboard, you actually have to type in the PIN from the keyboard in order for it to pair.
- The motorola must be told to pair specifically - so if it loses connection with a device, it won't automatically re-pair because I haven't made my phone pairable. To make the phone pairable requires a specific menu sequence and then it's only valid for about 30 seconds (and shuts off again).
In both these cases, I don't see a hacker getting in even with spoofing, because both of those events require user intervention (so perhaps the dumb user won't understand...)
I tried one more thing to confirm this - I got another laptop and named it identically to the first one...so it acted as the first one but without a pairing. Again, the phone ignored the request until I said it could pair (a manual interaction) and the keyboard required me to type in the pin from the keyboard. Btw, my laptop also doesn't allow pairing without explicit user intervention.
So great, they found a theoretical vulnerability, but one with an easy work around and one vendors have already seemed to predict. Besides, how useful can this be? As someone said, if you see someone stalking you, you have bigger problems. And if your keyboard stops working because it's paired to another device, it's unlikely you're going to be typing anything on it.
Find something else to worry about...
