luetooth, a wireless connectivity standard used in millions of mobile devices around the world, needs to make some improvements in its security. In June 2005, two Israeli researchers pointed out a flaw in the technology.

Dr. Avishai Wool and Mr. Yaniv Shaked of Tel Aviv University demonstrated at a Seattle technology conference that information transmitted between Bluetooth-enabled devices can be intercepted rather easily.

The flaw lies in what's known as the pairing process. Before the two Bluetooth-enabled devices can talk to each other, they must share an encrypted code, according to Bruce Schneier, Chief Technology Officer at Counterpane Internet Security Inc., a provider of managed security services.

"Pairing is an important part of Bluetooth," Schneier said. "It's how two devices ... associate themselves with one another. They generate a shared secret that they use for all future communication.

"Pairing is why, when on a crowded subway, your Bluetooth devices don't link up with all the other Bluetooth devices carried by everyone else."

Pairing, though, is only supposed to happen once. Wool and Shaked have found a way to trick the devices into pairing at any given time, so that someone who taps into the pairing process can access the encrypted codes and intercept information. "According to the Bluetooth specification, PINs can be 8 to 128 bits long," Schneier said. "Unfortunately, most manufacturers have standardized on a four decimal-digit PIN." A computer can go through all possible four-number combinations in less than a second. All a hacker needs is this PIN.

Bluetooth is being used in the payments industry. For example, both ExaDigm Inc. and Ingenico Corp. offer Bluetooth-enabled POS payment terminals. Rolf Engstrom, Senior Vice President of Technology and Development at ExaDigm, said that this security flaw will not affect payment information sent with its Bluetooth-enabled terminals. "With anything sent out, someone can [always] watch the data. All information is SSL-encrypted. Let them intercept the data; they can't do anything with it," he said.