Shake a Secure Bluetooth Connection

heilbron writes "The Austrian researcher Rene Mayrhofer of the British Lancaster university and his colleague Hans Gellersen developed a technology to simplify a secured wireless connection of mobile devices. With the so-called shake-to-connect technology an authenticated Bluetooth connection between two mobile phones is established by rhythmic shaking. Integrated oscillation sensors, contained in some mobile phone models, form the basis. The two researchers sketched out a prototype, which is intended for Nokia mobile phones. An example is documented in this YouTube video clip. If two mobile phones are shaken together, the software in both devices registers the same shaking frequency and authenticates the radio link. The principle is summed up in a four page PDF document."

Not just Cell phones use bluetooth

[nurb432]

I want to see you shake your bluetooth enabled car so you can sync with your phone, or spend the time shaking your keyboard and mouse ( and not look like an idiot ).

I can see a PDA getting loose during shaking and sending it flying under a bus. *crunch*

Re:Not just Cell phones use bluetooth

[Anonymous Coward]

You're absolutely right! I mean, since this idea can't be used for everything, then it's totally worthless!

Re:

[FuzzyFox]

When is it useful to form a bluetooth connection between two phones? I have formed bluetooth links with all sorts of devices (computers, headsets, keyboards, tablets), but never with another person's phone. How is such a connection useful? Why do we need to make it so easy that it can be done in such short order?

Re:

[KevinIsOwn]

You can send pictures, movies, music, contacts, and whatever else is stored on there between them. I've used it a couple times, it is convenient occasionally.

Re:

[irc.goatse.cx troll]

It would be amazingly convenient if it wernt for the having to pair them. Phones can send vcards over bluetooth, so instead of giving someone your phonenumber or business card, you could send their phone your vcard with name, full contact info, etc and know it was saved correctly.

Of course thats pointless right now due to having to pair the devices up which takes more time and effort than it could save.

Re:Not just Cell phones use bluetooth

[MankyD]

I want to see you shake your bluetooth enabled car so you can sync with your phone...

Perhaps you could - there's no reason a properly sensitive gyroscope can't detect the acceleration, turns, and even rumblings of a car and pair it up with a similarly moving phone.

Re:

[nurb432]

Although i was joking ( mostly ) to do what you propose you would have to strap the phone down to something sturdy like the dashboard, and not in one of those cute 'holsters' in order to get a accurate transferral of vibration.

Tossing it on the passenger seat wont work either.

Why do you say that?

[TamMan2000]

You think two humans are going to be perfectly synced up when they shake phones? No...

as long as the shaking you do to the car is small enough that the phone doesn't roll around the passenger cabin, I think you would be fine...

Re:

[Mr. Freeman]

Read the article and watch the video. It's not two people shaking the phones, dumbass. They have to be shaken in one hand together.

Re:

[TamMan2000]

You think that is perfect?

Hell no... The tissue of the hand holding the phones will deform nonuniformly. It would be just as bad as a phone sitting in a car, that doesn't roll or slide.

perhaps you are the dumbass...

Re:

[non-sequitur]

Okay, so assuming the cost and size of a "properly sensitive gyroscope" were not a problem (I'll assume you meant accelerometers anyway, which are small and cheap).....

I don't want my cellphone linked with everyone else on the train (or bus, or even everyone else's in the car).

Perhaps this is silly, beyond a rather niche application, where it would be pretty cool. Does everything have to be universal?

Re:

[Anomolous Cowturd]

What if there's four people in the car with a phone each?

Re:

[arivanov]

If that is the way to make it works so be it.

You obviously have not had to try to pair devices to the latest version of the bluetooth stack on Linux. It has gone more MicroSHITTY than microsoft (gnome influence at its best). Works 5% of the time and with gui only. Sometimes even that does not work and you have to help the GUI by doing manual command line connections. Frankly I would much rather shake the two things together until they connect. Takes less time (and is less frustrating).

Re:

[teletype]

What are you on about? You seem to be dissatisfied with a particular bluetooth manager GUI app. How is this anything inherent in the bluetooth stack? You say it's GUI only, but then you mention connecting from the command line?

If you don't like that bluetooth manager, you can always try a different one. If you don't like certain features, you've g ot the code, and can change it.

Re:

[arivanov]

No. I seem to be dissatisfied that the cretins who develop bluez have disabled all methods for pairing except through a HAL registered PIN agent. There is no longer a way to specify a hardwired PIN in your hcid.conf. Any PINs there do not work. Same for simple password agents specified there. Only the ones registered through the cretinous HAL framework work. As a result your pairing works from time to time and when it works requires one of the gui-pin apps which register via HAL. Situation common across mos

Re:

[Plunky]

No. I seem to be dissatisfied that the cretins who develop bluez have disabled all methods for pairing except through a HAL registered PIN agent. There is no longer a way to specify a hardwired PIN in your hcid.conf. Any PINs there do not work.

Well, its nice to see that 'the cretins who develop bluez' have finally got a clue then. PINs should never be hardwired in a general purpose computer, they should only be needed to authenticate the pairing and generate a link key which is used to authenticate the co

Re:

[Splab]

Yeah, cause it really is much easier shaking a 40lbs computer and a mobile phone than google a howto.

Re:

[milsoRgen]

I want to see you shake your bluetooth enabled car

Wouldn't the vibrations traversing through vehicle from contact from the road be unique enough (due to complexity of the automobile no two cars would vibrate the same on any given road) to be used for the 'shaking' if sufficently sensitive equipment is used?

Re:

[tepples]

I want to see you shake your bluetooth enabled car

Put car in [P]ark. Shake steering wheel and phone. Is it that hard?

Re:

[lucifuge31337]

Put car in [P]ark. Shake steering wheel and phone. Is it that hard?
I have a manual gearbox, you insensitive clod!

Or the screen....

[DrYak]

I can see a PDA getting loose during shaking and sending it flying under a bus. *crunch*

As if the Bluetooth coomunicating Wiimotes weren't doing enough damage yet... ...But don't worry. Palm will come with a stronger wrist-strap to avoid the class action suits.

Re:

[MT628496]

Right, like anyone on Slashdot will be doing what it normally takes to make a car shake.

Re:

[nurb432]

Not having properly balanced tires?

Re:Not just Cell phones use bluetooth

[dfghjk]

You don't have to shake the car, just shake the sensor that the car reads. Such a thing may be stupid but it would be trivially easy to implement. Glad to see you really thought about this before commmenting...

Re:

[tlhIngan]

or spend the time shaking your keyboard and mouse ( and not look like an idiot ).

Better yet, I want to see people shaking their bluetooth keyboards and mice with their computers (desktops and laptops)...

Hmm... easy Bluetooth connection, or my hard disk?

Because entering a PIN is sooooo difficult

[Coward Anonymous]

This is a solution looking for a problem...

Re:

[solevita]

Entering a PIN isn't always very secure; this method could potentially provide both handsets with the same, massively long, random number. That's a little harder to attack than the usual "same as my luggage" combinations.

Re:

[laederkeps]

Thanks a lot, now I have to shake my luggage all over again!

Re:Because entering a PIN is sooooo difficult

[skiingyac]

Or a accelerometer manufacturer looking for a client...

If only ALL PHONES already had some way to accept input... Hmm... How about you hold both phones up to your mouth and whisper some random words into them at the same time? To encourage people from not all saying "12345", one phone could even display a random sequence of numbers that you then speak into the phones. It doesn't matter if you say the right numbers, since both phones are going off what they hear.

With the shaking method, someone can either watch you and try to shake theirs at the same time, or record a video of it and figure out what the acceleration values should be. With speaking, the attacker would have to get the sounds right, plus get the volume right, plus get the background noise & relative timing right (which is going to be slightly off unless the attacker is RIGHT next to you). Better yet, both phone owners could speak the sequence standing slightly apart, so nobody else will hear person #1, person #2, and the background noise with the same timings.

Wii uses bluetooth.

[Anonymous Coward]

"I need to shake my Wii."

Re:Wii uses bluetooth.

[morgan_greywolf]

"I need to shake my Wii."

Damn. I'm having trouble with mine connecting. Can you come over here and shake my Wii for me?

Re:

[ROMRIX]

Damn. I'm having trouble with mine connecting. Can you come over here and shake my Wii for me?

Didn't you watch the video?
You guys have to hold both your Wii's firmly together and shake.

Re:

[Nazlfrag]

I'll come round and squirt you with my Zune, we'll see if that helps.

Re:

[ROMRIX]

I'll come round and squirt you with my Zune, we'll see if that helps.

That's quite a treasure you have there, I know people that would pay good money for pictures of a squirting Zune.
Is it shaved?

Re:

[reversecausality]

I really don't like this idea. If I forget to make a special effort to shake randomly, everyone I want to send a photo to is going to end up finding out my natural jacking rhythm & amplitude.

Re:

[Moochman]

Watch TFVideo. It only works if you shake two phones in one hand simultaneously.

New phone

[morgan_greywolf]

Introducing the new 007 Martini Phone! I prefer mine shaken, not stirred!

Re:

[Raideen]

Introducing the new 007 Martini Phone! I prefer mine shaken, not stirred!

That sounds OK, but will it blend [willitblend.com]?

Re:

[cloakable]

Yeah, but what'll you do when she says her taser is too, and offers to link?

Shake to Authenticate is a bad idea

[nahdude812]

The idea of the authentication system being two devices being shaken together seems like a weak idea. There are plenty of times when multiple devices will undergo the same accelerations as each other, and the owners of the respective devices do not necessarily intend for them to be paired. For example, sit next to someone on a bus.

Re:

[Anonymous Coward]

maybe it'll finally give us a reason to outlaw line dancing! obviously violates the dmca

Re:

[tijmentiming]

Then add a button to the side of the phone. One you need to hold down during shaking. Just like the Sony Ericsson phone's where you can shake while holding down a button, so you skip to the next song in your mp3player.

Re:Shake to Authenticate is a bad idea

[the_lesser_gatsby]

Why not just use the button to skip to the next song?

Re:

[uhlume]

I don't even know the device in question, and I can easily imagine the answer to that: the button enables a gestural interface, and the "shake to skip a track" motion is only one gesture of many.

Which is actually a pretty smart idea, considering that the functions this sort of interface would be useful to control are typically bound to softkeys and menus which require you to look at the damned thing to interact. (And and it should go without saying that there's no way they could ever provide dedicated, phys

Re:

[the_lesser_gatsby]

The phone is probably the W580i and the gesture picks a random track rather than the next track. It's the only gesture the music player recognizes and does require a button to be held down - probably to screen out false positives. Also many music phones these days do have dedicated buttons for play control (none have a 'random track' button though afaik!)

Your point is well taken, a more sensitive version which could recognize multiple gestures without accidental false positives would be way cool. It's comin

Re:

[CmSpuD]

After dropping mine once, very occasionally my w580i thinks I'm holding the button down when I'm not, meaning every couple of steps I take shuffles the track. As you can probably imagine, this is just what I want! It seems a little daft though as their usage isn't very widespread yet; shaking your phone around in public is guaranteed to get a couple of odd looks thrown your way.

Re:

[quanticle]

According to the video, you'll have to shake both devices together at the same time in the same hand. How'll you hold down two buttons on two disparate devices at the same time while shaking them?

Re:

[tijmentiming]

- Grab two ballpoint pen's.
- One in your left hand, one in your right hand.
- Click the pen once with your left hand.
- Then with your right hand. (it's not required to click both pen's on the same time).
- Shake your hands, both the same movement and timing.
When the shake amplitude is above a specific value, a process is started to calculate the match in movement between both ballpoint's. If this movement is the same during 2 seconds, you are authenticated.

- Click both pen's again (it's not required to click

Re:

[drgruney]

Yeah but how often are things going to be shaking the *while you've hit the "connect" button on both devices?

Re:Shake to Authenticate is a bad idea

[marcello_dl]

> The idea of the authentication system being two devices being shaken together seems like a weak idea.

Yep, why not provide a contact area for devices so you simply have to put them together? It could be used to exchange a key, or act with usb2 speed for data transfer with less effort than implementing accelerometers and software.

MOD PARENT UP

[fmobus]

seriously, why is this not in use? It would make harder to access a bluetooth device without authorization, as it would require physical access...

In my dream bluetooth world, devices would only "pair" when connected with some sort of hermaphrodite interface (and would work wirelessly thereafter). Much like my wifi router: its initial setup was only accessible by its ethernet interfaces. This is the only way to rule out spoofings, man-in-the-middle attacks.

Re:

[SharpFang]

Besides, this could automatically initialize some default data exchange: "Knock me your number" - you touch the phones and the phonebooks in both are updated with each other's numbers. Fast, easy and simple.

You could likely even use the same hardware as for bluetooth - just make the signal 1000 times weaker, so that only if two antennas are touching, the signal is strong enough to get through.

Re:

[MobileTatsu-NJG]

The idea of the authentication system being two devices being shaken together seems like a weak idea. There are plenty of times when multiple devices will undergo the same accelerations as each other, and the owners of the respective devices do not necessarily intend for them to be paired. For example, sit next to someone on a bus.

That's easy enough to solve. Have the shaking happen at a faster interval than a bus ride. That isn't hard to do.

Re:

[StarkRG]

It's not like you pair the devices by just sitting there. You have to have both devices in your hand (one hand, not both) and shake them. This is going to be incredibly difficult, if not almost completely impossible, to duplicate. You'd be better off trying to crack whatever key it is they generate.

Nothing new here...

[BlackPignouf]

My wee-wee has been asking authorization from my hand every night for ages!
I should definitely claim prior art for this technology.

Completely flipping pointless

[mlk]

Thinking about my use of Bluetooth:
a) Headset to phone auth - Done once when I bought the device, why would I want to make the headset heaver and more expenive.
b) Computer/phone auth - Done twice once with my home computer (a desktop-replacement laptop) and works desktop computer (not likely to pick that up and shake it)
c) Snyc with friends phone (share numbers) - I think I have done this once, normally I just send them a text message or quickly call them etc, but if I were to do it again I'd have to either let a friend shake my phone (top of the range smart phone) or a friend will let me shake his/hers (jokes abound). Mostly also top of the range smart phones. That is not likely to go down well.

Ringtone suggestions include...

[StarfishOne]

DJ Jazzy Jeff & The Fresh Prince - Boom! Shake The Room [youtube.com]
The Beatles - Hippy Hippy Shake [youtube.com]
Mariah Carey - Shake It Off [youtube.com]
Seal Paul - Shake that thing [youtube.com]
Ying Yang Twins - Shake [youtube.com]
Eminem - Shake That: Edited Version [youtube.com]
Howlin' Wolf - Shake It For Me [youtube.com]
Beastie Boys - Shake Your Rump [youtube.com]
Savage Garden - Break and shake me [youtube.com]

Re:

[DustyShadow]

that post must taken you at least 10 minutes

Re:

[StarfishOne]

No, perhaps 3-4 mins; just a copy+paste on some search results. I don't have to listen to the whole song before posting it here.. (and looking at some songs I'm grateful for that :P).

But if it gives me extra karma, it must have taken me at least half an hour to give the /. crowd these insanely cool suggestions! ;D

Brownian motion authentication

[SpacePunk]

It's only a matter of time till you'll have to dunk both deviced into a cup of tea.

Re:

[lostguru]

you have:
no tea

Re:

[Frnknstn]

>>> get tea

you have:
tea
no tea

Why just shaking?

[dyftm]

Why just limit yourself to shaking, when you could use:

• Sound - put both devices together, speak into both of them at once
• Rhythmic button pressing - hold a device in each hand, tap out a rhythm on the buttons at the same time
• Sound pairing - put devices together, they use their speaker/mic to handshake

IR?

[Midnight Thunder]

Why just limit yourself to shaking, when you could use:

Simpler solutions include a simple IR transmission, since they would have to be line of sight. Truth is there are many technologically simpler solutions that can use existing and are less expensive to implement.

Re:

[Adm.Wiggin]

Sound pairing - put devices together, they use their speaker/mic to handshake

Yeah, 69 style our phones. The only issue might be trying to pair something like a flip-phone with a large smartphone, but that's pretty easy to work out. While this idea is fantastically cool, I don't think I have much problem with the current system. It seems to be working. Obviously we shouldn't stop innovating and coming up with cool new ideas (I really do like your 69 style idea), but I don't think we need to get as excessive as "shaking."

Connection

[hey]

How about plugging them into each other with USB, etc.
They could exchange tokens.
Then future Bluetooth communication would be pretty secure.
Oh wait, that's too sane.

Re:

[stormguard2099]

I thought one of the main points of bluetooth was not having to use a cable? Yes, I realize that you wouldn't have to use the cord all of the time but everytime I've used my bluetooth it has been on a whim and a place where I was not around cords or anything.

Re:

[uhmmmm]

Even better would be Near Field Communication [wikipedia.org]. Just touch the phones together, no cables or anything.

Easily recorded / replayed

[mattr]

Looks cool but I wonder how secure it is.

- A video camera might be used to defeat it
- Beams invisible to the naked eye such as infrared, sonic, or microwave/wlan could be used with reflectors to create a compromised space in which shaken objects' movements could be recorded
- Powered units in motion could induce current/magnetic fields might be detectable
- When upgrading a device your keys are copied by a terminal in the phone company's office or at a kiosk belonging to a private company, presumably, as part

Bluetooth Request GUI

[Doc Ruby]

I'd like to see Bluetooth accommodate a request to connect two phones that are held by people with no preexisting relationship. Like when you see someone cute at a party, you can send a request to their phone, with your picture attached, asking to talk. Maybe attach tags to the request, with some common interests, or some mutual friends. Before you even get their phone#. With an "ignore" button that can also blacklist permanently.

That would work great not only for meeting dates, but also at conventions. Pho

Re:

[Doc Ruby]

"News for Nerds". You don't matter.

Re:

[stormguard2099]

No, bluetooth can't make up for your social ineptitude.

Re:

[Doc Ruby]

My having a private conversation with the hot chick while she fends off oafs like you swarming her makes you inept, not me.

Re:

[rufo]

If the recipient's phone is set to be discoverable, you can beam stuff (most often contact info, but any type of data can work) ala Palm IR, complete with an allow/deny button. Thing is, most of the time you don't have discoverability enabled, and it's usually too inconvenient to dig through five layers of menus to get to the setting. At least with IR you need to point it at the other person's PDA, which acts as an informal permission system.

Re:

[Reaperducer]

Phones could replace the greeting card, and really make social networks work.

Or you could... you know... talk to people. Pretty much the same thing -- you have ten seconds to impart some information that is of interest to the other person and if she doesn't like you, she puts you on "ignore."

It's like socal networking... except that it's actually social.

Re:

[Doc Ruby]

We tried that for a long time, and it had problems. Using the phone doesn't stop you, it just give you another tool. But feel free to stay out of our way. BTW, why are you using Slashdot if that's your attitude?

Re:

[Reaperducer]

Because beautiful women aren't as scary as the average Slashdotter would like to believe. Yes, there are a million jerks out there, but a certain percentage (10-15% in my estimation) are just normal people with the same insecurities as everyone else. Keep trying and you'll find a gorgeous blonde with a hot body that actually likes you for who you are. It worked for me. It just takes persistance. And often a change of geography. That helps a lot.

Re:

[Doc Ruby]

The problem I'm talking about solving isn't that beautiful women are unapproachable. I'm married to one myself, after a long career of getting just a little closer than approaching.

I mentioned the party icebreaker only as one example, and conventions as another. There are limits to smalltalk that keep people from meeting who'd like to talk in depth, but only if there's something in common. Like seeing someone cute on a crowded subway, where striking up a conversation is mostly taboo, but which hasn't been l

Re:

[Moochman]

I think Mobiluck http://www.mobiluck.com/indexnew.php?page=homenew&language=en [mobiluck.com] is trying to implement something similar to your idea.

Etch-A-Sketch security

[rice_burners_suck]

Now all they need to invent is the Etch-A-Sketch phone, PDA, and laptop, where you turn the device upside down and shake it to erase its memory. It'll be only a short time before everyone gets used to the idea of turning your laptop over and shaking it to erase your private browsing information after making an Internet banking transaction.

wiimote

[arazor]

This is useless until I can use it with my Wiimote.

So not the point!

[pablo_max]

This is just one more example that the guys in the Bluetooth SIG do not understand the problems that are really there with Bluetooth. I mean honestly, how many times does anyone pair with a second phone? I would say almost never. 99% of Bluetooth users are using it for headset profile, or to sync their handset to the the computer. We will see much more phone book access profile stuff coming from car kits which enable you to control your phone in a better way, but not phone to phone. I work with Bluetooth for a living, and it can even take me more than an hour to get a Bluetooth stack working properly on a PC. I have heard so many stories that people can get their PC to pair with the headset the first time, but after a reboot, or standby, forget about it. These "interoperability" issues are what holds the tech back. This and the bonding procedure.

Included in the new Zune 3

[xtracto]

Shake and squirt! shake and squirt! to share your load!

Great at Disneyland

[kabdib]

Must be great at an amusement park: You get off the roller-coaster with dozens of new friends.

Let's not contemplate what happens during an earthquake.

[I knew Bluetooth was in deep doo-doo in the late 90s, when I first saw a 900pp book on the protocols involved. Why is it that wireless-specific protocols are all garbage?]

Don't forget...

[gaderael]

... if you shake it more than three times, it's masturbating.

Saw this ages ago...

[jbf]

Someone was demonstrating this for key exchange (though I don't remember if it was Bluetooth) back at WMCSA 2003 in Monterey, and it was published at MobiSys 2005 in Seattle. So how's this news?

New Nightclub hookup trend commig?

[TavisJohn]

Is this going to be a new way to meet a one night stand at a club? Place your phone in your back pocket, and if it pairs with someone, you take them home?

What if your phone pairs with the same gender, and you are not gay? So you become offended, or shake again?

I demand

[bytesex]

Hey ! Where's the 'dontshakemebro' tag ?

Bitterness...

[cowtamer]

http://www.halfbakery.com/idea/Shake_20N_20Bake_20Cryptophone [halfbakery.com]

Sorry, couldn't resist ... :(

Walking

[clenhart]

Imagine if merely walking or running triggers this. Imagine how easy it would be to connect two devices.

Fuck! Quit making things complicated

[flipper9]

Just stop trying to make things more complicated. Enter a 4 or 10 digit, or whatever string of numbers....easy...done! Don't make it more complicated to make a secure connection just "cuz".

A complex problem for a simple solution

[MntlChaos]

So they propose shaking two devices to prove that the synchronization is intentional. Why not just use a tiny plug? It seems like it should be fairly easy to build in a standardized contact surface with a few conductors on it (4 should be enough, looking at something like USB). Then if you want to sync 2 devices, touch them together.