The Not So Wonderful World of Bluetooth Security: A One Byte Encryption Key?

There’s some people on the Internet, that just make your day. You learn from them, and they never fail in getting you to think in new…

The Not So Wonderful World of Bluetooth Security: A One Byte Encryption Key?

Unfortunately, our Internet is often just full of the same stories echoed endlessly, and there’s not much room for those with original thinking. It is a place full of the same old corporates — and their technical leads — just telling us the same old messages, and without any originality. There are, though, some people on the Internet, who never fail in getting you to think in new ways.

So, along with Bruce Schneier, Matthew Green [here] is one of my favouriates in making me think about things. He’s a smart guy who knows so much about his subject — cryptography —but sees our world being build with such poor practice.

To me, Matthew the perfect role model of a trusted academic … someone who you can trust with their option. He’s passionate about his subject and trips easily into parody and humour. And so this week, I had to smile when I saw this:

Basically it a long-running saga about the “cook your own” cryptography that some standards agencies push out. Bluetooth, itself, has a very poor track record for not really defining security well, and bumbling along with poorly defined standards. The text itself says:

What is funny about this is that he carefully pin-points the true weakness:

a “ONE BYTE” encryption key

I don’t know if you can see the flaw here, but we could probably get a pen and paper for you, and work out the encryption key and decrypt some cipher text, as there is almost zero security. Why have done this? Well, there’s probably some company, somewhere, who has some old equipment from the 1950s that struggles with anything more than an 8-bit key, and where they have pushed for the poor standard.

You must smile on the bus into work when you then get this:

or this:

And he is not just an academic with an attitude, he has the research credibility to back-up his opinions:

But, in a world of bland coverage of technology by the media, he really stands out as someone who sparks your attention:

Conclusions

The cybersecurity industry is sometimes tainted with the “broad and thin” approach to knowledge … know very little about lots of things … and sometimes struggles with depth. Professional certification in cybersecurity is often a good example of this, where we cover lots of topics, but never really cover any of them properly. There is thus … I hope … a place for academia. In medicine, we see general practice, and then we see specialisations. It is often the specialists that we trust most in their option, and they have studied their field in depth. I trust people like Matthew to tell me how things are, and his option matters to me, and not the generalists, who are echo’ing what they heard somewhere else.

There is a place for academia in our world. Much of the time it is just mundane, but, at times, it is truly wonderful.

Long live academic thought!