I link-blogged this yesterday, where it got picked up by Waxy, and thence to Boing Boing — where some readers are reportedly considering it doubtful. Craig also expressed some skepticism. However, I think it’s for real.
Check out the comments section of Schneier’s post — there are a few notable points:
Some Bluetooth-equipped laptops will indeed wake from suspend to respond to BT signals.
Davi Ottenheimer reports that the current Bluetooth spec offers “always-on discoverability” as a feature. (Obviously the protocol designers let usability triumph over security on that count.)
Many cellphones are equipped with Bluetooth, and can therefore be used to detect other ‘discoverable’ BT devices in range.
Walking around a UK hotel car park, while pressing buttons on a mobile phone, would be likely to appear innocuous — I know I’ve done it myself on several occasions. ;)
Finally — this isn’t the first time the problem has been noted. The same problem was reported at Disney World, in the US:
Here’s the interesting part: every break-in in the past month (in the Disney parking lots) had involved a laptop with internal bluetooth. Apparently if you just suspend the laptop the bluetooth device will still acknowledge certain requests, allowing the thief to target only cars containing these laptops.
Mind you, perhaps this is a ‘Chinese whispers’ case of the Disney World thefts being amplified. Perhaps it was noted as happening in Disney World, reported in an ‘emerging threats’ forum where the Cambridgeshire cop heard it, and he then picked it up as something worth warning the public about, without knowing for sure that it was happening locally.
Update: aha. An observant commenter on Bruce Schneier’s post has hit on a possibly good reason why laptops implement wake-on-Bluetooth:
On my PowerBook, the default Bluetooth settings were “Discoverable” and “Wake-on-Bluetooth” — the latter so that a Bluetooth keyboard or mouse can wake the computer up after it has gone to sleep.