Bluetooth Hacking

A Man-In-The-Middle Attack Using Bluetooth

Bluetooth Hacking Internet Security Whitepapers

During the SA3-31 meeting in Munich, it was decided that the Bluetooth link between peripheral devices did not require integrity protection. This contribution indicates that a man-in-the-middle attack may be possible on the Bluetooth link in a WLAN interworking environment. The attacker lures the victim into connecting to a malicious WLAN access point. The attack does not require knowledge of the Bluetooth link key. The attacker can repeat this attack on the same victim many times in any WLAN network. A discussion of countermeasures against this attack can be found in a companion contribution.

Bluefire Mobile Security Professional Agent

This document provides step-by-step instructions on how to install, administer and use the Professional Edition of the Bluefire Mobile Security Agent. The Professional Edition of the Mobile Security Agent includes the set of security components that run on the device. Within this document the Professional Edition of the Mobile Security Agent is also referred to as the Professional Mobile Security Agent, the Professional Agent or simply as the Agent.

Bluetooth Security Analysis Tools and New Security Attacks

This report describes the details of two new proof-of-concept Bluetooth security analysis tools and two new attacks against Bluetooth security. The On-Line PIN Cracking script is a security analysis tool for on-line Bluetooth device PIN cracking. The Brute-Force BD ADDR Scanning script is a security analysis tool for brute-force discovery of the addresses of Bluetooth devices that want to remain private. Scripts for both of our security analysis tools exist and can be demonstrated to Bluetooth device manufacturers or the press if required, but they will not be released into the public domain because, due to their efficiency, they can be very dangerous. Our new attacks, BTKeylogging and BTVoiceBugging, extend the On-Line PIN Cracking attack.

Key Replay Attack on Improved Bluetooth Encryption

The Bluetooth encryption algorithm E0 is considered weak, and there are plans to extend the specification so that it would support several algorithms. However, this does not improve the overall security because an active attacker can set up a previously used encryption key by a replay attack. In this paper, we show how this vulnerability can be exploited to thwart any improvement in the encryption method. We also investigate alternative modifications to the Bluetooth security architecture to overcome this problem.

Security Overview of Bluetooth

In this paper, we give a short overview of the security architecture of Bluetooth. We focus especially on the key exchange protocol in Bluetooth, which is the most security-critical part of the architecture. Unfortunately, there are many security flaws in the Bluetooth standard. Some are rather theoretical, but most of the problems can be exploited by an attacker. An extensive overview of the security flaws in Bluetooth is given in this paper. Some of these security problems, e.g. the Bluesnarf attack, were only discovered very recently.