Three factors limit the spread of Bluetooth hacking
Warnibbling or looking for Bluetooth networks will gain much higher popularity than looking for infrared connections and might one day compete with wardriving in popularity. The tools for Bluetooth network discovery such as Redfang from @Stake and a graphical user interface (GUI) for it (Bluesniff, Shmoo Group) are already available to grab and use and more tools will no doubt follow suit.
Three factors limit the spread of Bluetooth hacking. One is the still limited use of this technology, but that is very likely to change in a few years. Another factor is the limited (if compared to 802.11 LANs) coverage zone. However, Class 1 Bluetooth devices (output transmission power up to 100 mW) such as Bluetooth-enabled laptops and access points can cover a 100-meter radius or greater if high-gain antennas are used. Such networks are de facto WLANs and can be suitable targets for remote cracking. The third factor is the security mechanisms protecting Bluetooth PANs against both snooping and unauthorized connections. So far there are no known attacks circumventing the E0 streaming cipher used to encrypt data on Bluetooth PANs.
However, only time will determine if this proprietary cipher will stand Kerckhoffs's assumption and whether the famous story of the unauthorized Cypherpunks mail list disclosure of the RC4 algorithm structure will not repeat itself again (see Chapter 11 if you find this example confusing). There are already theoretical observations of possible Bluetooth security mechanism weaknesses (see http://www.tcs.hut.fi/~helger/crypto/link/practice/bluetooth.html). Besides, even the best security countermeasure is useless unless it is implemented, and Bluetooth devices are usually set to the first (lowest) security mode out of the three Bluetooth security modes available and have the default of "0000" as the session security PIN. It is also common to use the year of birth or any other meaningful (and guessable) four-digit number as a Bluetooth PIN. This happens for convenience reasons, but the unintended consequence is that it makes the cracker's job much easier. In our observations, about 50 percent of Bluetooth-enabled devices have the default PIN unchanged. There are also devices that have default PINs prewired without any possibility of changing them: all the attacker would have to do is find the list with the default PINs online. Although this provides a great opportunity for the potential attacker, we have yet to meet a real flesh-and-bone "warnibbler" who goes beyond sending prank messages via Bluetooth on the street. At the same time, security breaches of 802.11 networks occur on a daily, if not hourly, basis bringing us back to the main topic: Why and, most important, how they take place.
[Wi Foo, 2004Andrew A. Vladimirov]