BTCrack 0.9a is progressing nicely, optimisations have been done and the final release will be on the Nruns website as promised very soon™ :)
BTCrack 0.9a now spawns 8 threads in order to crack the keys, so dual-core and quad-core processors are working out very nicely :) A few assembler optimisations are still ahead and the final release should be ready for 23c3.
The general assumption that the attack is only theoretically possible and that PINs of 6 digits represent good protection is now practically refuted.
Here are my current stats on a Dual-Core P4 2 GHz (48000 PINs per second):
Pin Time required (seconds)
It has been quite some time since I updated this blog, I will try to update it in the next weeks with a few details of what I was up to during the last months.
Let's start with the more important stuff, I got into AV research again =) The output of which will hit the public in the next months, be warned there will be a flood of advisories :D
Together with Sergio Alvarez I gave a talk @ Hack.lu 2007. This year we explained what the heck is up with Anti-Virus software. We revisited the way AV solutions are implemented in current company networks and AV engines themselves. Defense in Depth is being misinterpreted and incorrectly implemented with disastrous effects. Customers (end-users of AV software) believe they do DiD when in reality they do not, this is an important fact to keep in mind.
Rough Break-down of the Talk :
A friend and colleague of mine, namely Alexios Fakos, has published a book under the title Sichere Web Anwendungen, unfortunately it is German only. If you'd like to know how to code hardened applications I heartily recommend this book.
A free Chapter of the Book can be found here
Kevin Finistere and myself gave a Bluetooth presentation at the 23C3 congress in Berlin on the 29.12 at 14:00 local time. We released a bit of 0day and a bit of protocol bugs and tidbits. See for yourself :) Thanks to everybody that made this possible, also thanks to the CCC for organising this event; while I couldn't really participate as a spectator, at least I can judge the behind-the-scenes work. I was impressed.
The organisation was good and people very friendly and helpful.
Releases during 23C3 :
- Bluetooth hacking revisited - The slides
- BTCrack v1.0 - Pin and Link key cracker (Download)
- HIDattack - Attack Bluetooth VNC style (Download @ Collin Mulliner)
- The Remote Root Bluetooth Code by Kevin Finistere
There are now underlying protocol security issues, not only pure implementation issues :
What is important to understand is that non-discoverable mode no longer represents a protection. Naturally, before attacking a device you have to know it's there; previously you could try to brute-force the address (bd_addr) in order to find it if it was in non-discoverable state. This however is unreliable and takes a very long time.
During this talk I released information on how to PASSIVELY discover 90% of the address and brute-force the remaining 8 bits, which is reliable and fast.
THIS means the only protection Bluetooth has to protect you from connecting to my device is GONE.
The paradigm shift from toys to workstations is also considerable:
- We can eavesdrop on your laptop's microphone, we can compromise it and take control over it.
- The random number generators, and the encryption affected by them, are weak.
- New Re-pairing attack, making the pairing attack INTERESTING.
- Your drivers lack control, have no update function and are flawed beyond comprehension
- Live demo on how to take over a PC and get a remote shell over Bluetooth
Key points from the Lecture :
- Pin and Link key recovery is practically possible (code release and live demo)
- If you use Bluetooth keyboards or mice, your PC has a HID server; these may be attached to inject commands (!) as if you were typing on the keyboard
- The random numbers used for encryption and so forth may be very weak for your device
- The Pin is not that useful, the Link key is !
- Swap over to Bluetooth 2.1 (as soon as possible) and use "Secure Simple Pairing"
- Regard the quality of the encryption Bluetooth offers (E0) as a PRIVACY feature NOT a security feature. (Compare it to WEP)
- New re-pairing attack : Connect to the master pretending to be from the piconet, use a fake link key, the master will think "oops, lost the pairing" and will re-initiate the pairing, giving an attacker the chance to capture the exchange and crack it.
- Don't trust encryption taking place, sometimes the devices negotiate Security Mode 2, and you don't know your data is actually transferred in clear text (after being authenticated) and you can't actually check as you don't have a Bluetooth Sniffer.
- The Bluetooth PIN is actually a Bluetooth Passkey, it supports characters not only digits (this has security implications)
- Passively decrypt the traffic
- Connect to the slaves pretending to be the master and have full access (no pin required)
- Connect to the master pretending to be one of the slaves have full access (no pin required)
- Plant the link key on a BT capable machine and have a remote encrypted stealth channel to that machine
- Widcomm, Toshiba, BlueSoleil, ALL vulnerable
- Don't rely on Windows update for that, your BT stack may be from a third party vendor (very likely)
- Listening on the Microphone and recording is also possible on PCs (not only cars)
General Recommendations :
- Delete your existing pairings as soon as you don't need them
- Pair in "secure places" SIG recommendation
- As soon as your device asks for a PIN again, don't enter it you might be snooped on (see previously mentioned pairing attack)
- Don't trust Bluetooth 1.0 - 1.2 (can't tell for 2.0-2.1 yet)
Companies :
- Mitigate and Monitor.
Companies using Bluetooth for Industrial purposes :
- Regenerate a new key every 5 minutes, use 16 chars.
Vendors :
- PLEASE implement the GUI to use the possibility for bluetooth to use characters (UTF8) NOT ONLY DIGITS.
- Please be more transparent towards your device driver version numbers and propose an easy way to update.
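To put the numbers above next to the recommendations, here is a small added check (my own example, not BTCrack code) that takes the 48000 PINs/second rate from the stats and computes the worst-case search time for a PIN policy, and generates a passkey that respects the 16-octet limit of the Bluetooth PIN_CODE (the reason "16 chars" in UTF-8 is a byte budget, not a character count):

```python
import secrets
import string

# Rate measured on the page: BTCrack 0.9a on a dual-core P4 2 GHz.
BTCRACK_PINS_PER_SECOND = 48_000

# Bluetooth PIN_CODE is 1 to 16 octets; multibyte UTF-8 characters
# consume more than one octet each (assumption drawn from the spec,
# not from the page).
MAX_PIN_OCTETS = 16
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passkeys for a fixed-length policy."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = BTCRACK_PINS_PER_SECOND) -> float:
    """Time to exhaust the keyspace at BTCrack's measured rate."""
    return keyspace(alphabet_size, length) / rate


def worst_case_years(alphabet_size: int, length: int) -> float:
    return worst_case_seconds(alphabet_size, length) / SECONDS_PER_YEAR


def passkey_octets(passkey: str) -> int:
    """Octets the passkey occupies on the wire (UTF-8 encoded)."""
    return len(passkey.encode("utf-8"))


def fits_pin_code(passkey: str) -> bool:
    """True if the passkey fits the 16-octet PIN_CODE field."""
    return 1 <= passkey_octets(passkey) <= MAX_PIN_OCTETS


def generate_passkey(length: int = 16,
                     alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random 16-character passkey as recommended; single-octet alphabet
    so that 16 characters really are 16 octets."""
    passkey = "".join(secrets.choice(alphabet) for _ in range(length))
    if not fits_pin_code(passkey):
        raise ValueError("passkey exceeds 16 octets")
    return passkey


if __name__ == "__main__":
    print("6 digits, worst case: %.1f s" % worst_case_seconds(10, 6))
    print("16 alphanumerics, worst case: %.2e years" % worst_case_years(62, 16))
    print("sample passkey:", generate_passkey())
```

A 6-digit PIN falls in about 21 seconds at that rate, while 16 alphanumeric characters are out of reach by dozens of orders of magnitude; note that eight "ä" characters already fill the 16-octet field.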
Hack.lu is over! A nice security conference in Luxembourg. Had a great time, although sometimes the organisation was a bit messed up ;) Reeaaaallly nice and very interesting people, the commercial rate was very low and finally I saw some people I knew only virtually in real life.
Well, whether you knew it or not, Kevin Finistere and myself gave a talk about Bluetooth security. Yaaaaaaaaaaawwwwwwwwwwnnnnnn ?
I don't believe so :
- Live demo : Remote ROOT shell over Bluetooth on MAC OS 10.3.9 / 10.4 (and source code release)
- Live demo : Presenting BTCrack, Bluetooth PIN and Linkkey cracker. Will be released on Nruns.com complete with source code in a few weeks!
- Clearing the Air about Inqtana (The PoC Worm Kevin created)
- FUD reduced to a minimum. What's a threat, what isn't.
- Download our Slides from Hack.lu
See you next year !