Wednesday, April 13, 2005

Hacking to be helpful.

This afternoon on the drive home I heard this story about John Hering, USC undergrad and entrepreneur, and a vulnerability in Bluetooth. It seems young John has developed the "BlueSniper rifle" which can hack into Bluetooth-enabled cell phones and PDAs from more than a mile away. Of course, he didn't make the BlueSnipe rifle with the goal of actually hacking into people's wireless devices to steal their information, because ... why alert the press to that? (Unless, of course, he were as dumb as some plagiarists I have known.) Rather, the point was to demonstrate that Bluetooth has this vulnerability so people using Bluetooth technology can take adequate precautions.

The Bluetooth folks, perhaps not surprisingly, are reputed not to have been totally forthcoming about potential vulnerabilities with their product. Here's what NPR gives us from their side:

The industry's Bluetooth Special Interest Group says it takes security "very seriously." In a statement, the group says that "so far no security holes have been discovered in the Bluetooth specification itself. Vulnerabilities that have come to light either exploit the Bluetooth link as a conduit, much like the Internet to the PC, or are a result of the implementation of Bluetooth technology within the device -- as such, we constantly work with our members to assist in implementing Bluetooth technology more effectively." Security flaws that are revealed "are typically solved by new software builds and upgrades," it says.

Someone more hip to the lingo than I (Julie?) can probably decode this. I'm reading it as, "Dude, don't blame us."

So here's the thing: Is John Hering something like a whistle-blower here? He's not working for Bluetooth, but he is sharing information with the public -- information that he thinks the public needs to know to protect themselves -- that, arguably, Bluetooth is not providing. Conceivably, Bluetooth lawyers could come after Hering, so there is some risk involved in publicizing this knowledge. (Of course, there may also be profit -- Hering has a company whose business is exposing security vulnerabilities, so it must be possible to make a buck doing so, right?)

Yet, a part of me (the part thinking about the cell phone in my pocket, no doubt) was thinking, "There's a guy on the radio telling people how to hack into my cell phone!" It was precisely the same feeling I had, while a grad student, when the school paper ran a piece wherein Campus Police outlined E-Z procedures for defeating a U-lock. On the one hand, I suppose it was good not to have a false sense of security about the lock securing my bike to an immovable object. On the other hand, suddenly a bunch of yahoos who were not already in the know knew how to steal my bike!

If the consumer has real alternatives to Bluetooth technology that are not so vulnerable, then calling Bluetooth out is probably a good thing. If Bluetooth needs to have its vulnerabilities aired in the national media before the company will step up and fix them, then calling Bluetooth out is probably a good thing. But what is putting this information out there leads to evildoers exploiting the vulnerability before Bluetooth fixes it or the consumer has time to switch over to the more secure technology? Is there any way the information can be used for good without being available for evil in a case like this?

Edited to add: Go to the comments, where Julie has added a link to her very helpful discussion of the ethical terrain here -- especially the distinction between the stuff that is the responsibility of Bluetooth SIG and the stuff that is the responsibility of the implementers at the cell phone company. Thanks, Julie!


At 11:02 AM, Blogger JM said...

Pseudo-trackback here.... :)


Post a Comment

<< Home