It’s been a bad week for encryption all around—even when encryption
technology wasn’t in effect.

Details

All of Gaul may be divided into three parts, at least
according to Julius Caesar, but all of Bluetooth is apparently divided at the
core, according to Israeli security specialists who have reportedly found a
serious core vulnerability in the basic Bluetooth specification. NewScientist.com reports
that researchers have discovered a cryptographic flaw—the worst kind of flaw—in
the Bluetooth standard that renders all Bluetooth implementations vulnerable to
a fairly simple attack, making those implementations completely insecure.

Bluetooth is a short-range (about a 300-foot maximum) radio
standard used by networks to feed data to printers, portable phones, laptops,
and other electronic devices. The newly discovered decryption technique makes
all Bluetooth communications insecure—even when the user has enabled all of the
security features to the maximum levels.

This is not the same vulnerability that exists when
Bluetooth devices initially negotiate their connection, which is a well-known threat
that’s rather difficult to exploit. Instead, the new threat lets attackers
penetrate a Bluetooth network at any time and take over the connection, perhaps
establishing a connection allowing unlimited long distance calls. Basically,
the researchers have found a way to force Bluetooth devices into the initial “pairing”
mode and thus decrypt the 128-bit key in well under a second, even using older
PCs.

In addition, a professor from the University of Illinois at Chicago
says he’s found a timing attack
approach that lets him recover Advanced Encryption Standard (AES) keys from
a remote server using OpenSSL AES. To make matters worse, this is a basic design
flaw in AES, not limited to any particular implementation.

Finding security flaws in computer software is nothing new
for Associate Professor Daniel Bernstein, whose computer science students have
found at least 44 other serious flaws in
various applications, tools, and protocols, most of which are open source.

Applicability

The Bluetooth flaw affects any and all Bluetooth networks,
and the AES vulnerability affects any and all AES encryption.

Risk level – Serious

Because these new vulnerabilities affect the overall
technology rather than a specific implementation, the risk level is serious for
both flaws.

Final word

It’s too soon to tell whether these problems will turn out
to be a tempest in a teapot or seriously exploited vulnerabilities. However,
they do point out the truth of my repeated warnings that you shouldn’t rely too
heavily on encryption or any other security technologies—you never know when a new
discovery will compromise what was otherwise a relatively secure platform.

Of course, the biggest problems occur when black hats find a
way to crack encryption that a company has used to protect data in long-term
storage. They can then go back and dig out the data the organization thought it
had securely protected.

How do you fix these new problems in Bluetooth or AES? Just don’t
use the technology.

Also watch for …

  • Is
    merely possessing encryption software evidence of criminal intent?
    Apparently so: An appeals court has ruled that the judge in a criminal
    case was correct in permitting the prosecution to argue that the mere
    presence of PGP software on a computer implied criminal intent    . Now, that’s
    really scary! From what I understand, the guy on trial was in a really
    deep hole to begin with, and there was little he could offer in his own
    defense, and his lawyers created a side issue in his case. But that doesn’t
    detract from the fact that a court has ruled the mere presence of PGP can
    be evidence of a guilty mind.
  • After all
    of the recent stories about various schools’ carelessness with personal
    data, it’s comforting to know that banks are more interested in protecting
    their customers’ privacy—yeah, right! Citigroup, the world’s largest bank,
    is blaming United Parcel Service for the loss of
    3.9 million personal banking records stored on computer tapes    . Even
    better, it took 18 days before anybody realized the tapes were missing.

    While Citigroup appears to be placing all of the blame on UPS, the actual
    tapes were unencrypted, a fact that will be hard to pin on the shipping
    company. Can you say dumbest move
    ever     by a big financial institution? (And this just months after
    Bank of America lost its own tapes    , resulting in more than a million
    missing records.) It must have cost Citigroup far more to mail out notices
    to all those customers than it would have to encrypt everything a dozen
    times over.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.