<<< Date Index >>>     <<< Thread Index >>>

23C3 - Bluetooth hacking revisted [Summary and Code]



Dear List,

Kevin Finistere and myself gave a Talk in Berlin 29th on Bluetooth
Hacking, we presented new implementation bugs as well as bugs/problems
deeply buried within the Protocol itself.

This mail to the list should represent a digest for those not able to
attend or able to view the stream.

I would like to express my gratitude to the organisators of 23C3 and
to give me a chance to present (being 2 month to late on deadline)
at the biggest European Hacker convention ever. Thanks.

Lecture :
    * The slides - Bluetooth hacking revisited
      
http://events.ccc.de/congress/2006-mediawiki//images/f/fb/23c3_Bluetooh_revisited.pdf
    * The Video
      http://video.google.de/videoplay?docid=-3912884713197210784&q=23c3

Code :
     * BTCrack v1.0 - Pin and Link key cracker (Download)
       http://www.nruns.com/security_tools.php
     * HIDattack - Attack Bluetooth VNC style (Download @ Collin Mulliner)
       http://www.mulliner.org/bluetooth/hidattack01.tar.gz
     * The Remote Root Bluetooth Code by Kevin Finistere
       http://www.digitalmunition.com


Key points from the Lecture :

    * Pin and Link key recovery is practicaly possible (code release and live 
demo)
    * If you use Bluetooth beyboards or mice, your PC has a HID server, these 
may be attached to inject commands (!) as if you were typing on the keyboard
    * The random numbers used for encryption and so forth may be very weak for 
your device
    * The Pin is not that usefull the Link key is !
          o Things to do once you have the link key:
                + Passively decrypt the traffic
                + Connect to the slaves pretending to be the master and have 
full access (no pin required)
                + Connect to the master pretending to be one of the slaves have 
full access (no pin required)
                + Plant the link key on a BT capable machine and have a remote 
encrypted stealth channel to that machine
    * Update your Drivers !
          o Widcomm, Toshiba, Bluesoil, ALL vulnerable
          o Don't rely on Windows update for that, your BT stack may be from a 
third party vendor (very likely)
          o Listening on the Microphone and recording is also possible on PCs 
(not only cars)
    * Swap over to Bluetooth 2.1 (as soon as possible) and use "Secure Simply 
Pairing"
    * Regard the quality of the encryption Bluetooth offers (E0) as a PRIVACY 
feature NOT a security feature. (Compare it to WEP)
    * New re-pairing attack : Connect to the master pretending to be from the 
piconet, use a fake linkkey, master will think (oops lost the pairing) and will 
re-initiate the pairing given an attacker the choice to capture the exchange 
and crack it.
    * Don't trust encryption taking place, sometimes the devices negotiate 
Security Mode 2, and you don't know your data is actually transferred in clear 
text (after being authenticated) and you can't actually check as you don't have 
a Bluetooth Sniffer.
    * The Bluetooth PIN is actually a Bluetooth Passkey, it supports characters 
not only digits (this has security implications)

General Recommendations :

    * Delete your existing pairings as soon as you don't need them
    * Pair in "secure places" SIG recommendation
    * As soon as your device asks for a PIN again, don't enter it you might be 
snooped on (see previously mentioned pairing attack)
    * Don't trust Bluetooth 1.0 - 1.2 (can't tell for 2.0-2.1 yet)
    * Companies : Mitigate and Monitor.

Companies using Bluetooth for Industrial purposes :

    * Regenerate a new key every 5 minutes, use 16 chars.

Vendors :

    * PLEASE implement the GUI to use the possibility for bluetooth to use 
characters (UTF8) NOT ONLY DIGITS.
    * Please be more transparent towards your device driver version numbers and 
propose an easy way to update.


Credits :
Thierry Zoller  - http://www.nruns.com - http://secdev.zoller.lu
Kevin Finistere - http://www.digitalmunition.com



-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 4813 c403 58f1 1200 7189 a000 7cf1 1200 9f89 a000