Kevin Finistere and myself gave a Bluetooth Presentation at the 23C3 congress in Berlin. We released a bit of 0day and a bit of protocol bugs and tidbits. See for yourself :) Thanks to everyone who made this possible, and to the CCC for organising the event. I couldn't really participate as a spectator, but I got to see the behind-the-scenes work up close, and I was impressed. The organisation was solid, and the people were friendly and helpful throughout.
Released during 23C3 :
- Bluetooth hacking revisited - The slides
- BTCrack v1.0 -Pin and Link key cracker (Download)
- HIDattack - Attack Bluetooth VNC style (Download @ Collin Mulliner)
- The Remote Root Bluetooth Code by Kevin Finistere
Main message: there are now underlying protocol security issues, not just implementation ones.
Non-discoverable mode no longer offers any real protection. To attack a device, you first need to know it's there. Previously, if a device was non-discoverable, the only option was to brute-force its address (bd_addr) — which is unreliable and takes a very long time.
During this talk I released a method to passively discover 90% of the address and brute-force only the remaining 8 bits. This is reliable and fast.
The only real protection Bluetooth had against unwanted connections to your device is gone.
Also the paradigm shift from toys to workstations is also considerable:
- We can eavedrop on your Laptops Microphone, we can compromise it and take control over it.
- The random number generators and the encryption affected by them is weak.
- New Re-pairing attack, making the pairing attack INTERESTING.
- Your drivers lack control, no update function and are flawed beyhond comprehension
- Live demo on how to take over a PC and get a remote shell over Bluetooth
Key points from the Presentation :
- Pin and Link key recovery is practicaly possible (code release and live demo)
- If you use Bluetooth beyboards or mice, your PC has a HID server, these may be attached to inject commands (!) as if you were typing on the keyboard
- The random numbers used for encryption and so forth may be very weak for your device
- The Pin is not that usefull the Link key is !
- Swap over to Bluetooth 2.1 (as soon as possible) and use "Secure Simply Pairing"
- Regard the quality of the encryption Bluetooth offers (E0) as a PRIVACY feature NOT a security feature. (Compare it to WEP)
- New re-pairing attack : Connect to the master pretending to be from the piconet, use a fake linkkey, master will think (oops lost the pairing) and will re-initiate the pairing given an attacker the choice to capture the exchange and crack it.
- Don't trust encryption taking place, sometimes the devices negotiate Security Mode 2, and you don't know your data is actually transferred in clear text (after being authenticated) and you can't actually check as you don't have a Bluetooth Sniffer.
- The Bluetooth PIN is actually a Bluetooth Passkey, it supports characters not only digits (this has security implications)
- Passively decrypt the traffic
- Connect to the slaves pretending to be the master and have full access (no pin required)
- Connect to the master pretending to be one of the slaves have full access (no pin required)
- Plant the link key on a BT capable machine and have a remote encrypted stealth channel to that machine
- Widcomm, Toshiba, Bluesoil, ALL vulnerable
- Don't rely on Windows update for that, your BT stack may be from a third party vendor (very likely)
- Listening on the Microphone and recording is also possible on PCs (not only cars)
General Recommendations :
- Delete your existing pairings as soon as you don't need them
- Pair in "secure places" SIG recommendation
- As soon as your device asks for a PIN again, don't enter it you might be snooped on (see previously mentioned pairing attack)
- Don't trust Bluetooth 1.0 - 1.2 (can't tell for 2.0-2.1 yet)
Companies using Bluetooth for Industrial purposes :
- Regenerate a new key every 5 minutes, use 16 chars.
Vendors :
- Implement the GUI to use the possibility for bluetooth to use characters (UTF8) NOT ONLY DIGITS.
- Please be more transparent towards your device driver version numbers and propose an easy way to update.


0 comments
Post a Comment