From: Collin R. Mulliner (collin@betaversion.net)
Date: Mon Sep 25 2006 - 18:06:41 EDT
...there is one other thing to do with bluetooth keyboards or actually
with the desktop pc that is connected to the keyboard. In certain cases
one can hijack the keyboard to take control of the desktop pc. This can
be done if the OS on the desktop pc runs a hid server that accepts
incomming connections. One just needs a special (software) keyboard that
is able to connect to the hid server. This basically provides total
control of the desktop pc, one can for example inject command sequences
or just key-combos like ctrl-alt-del. I have implemented this attack
against and older version of the bluez (linux) hid server about a year
ago, since then the hid server was fixed. I haven't done any in-depth
testing of other OSes.
Collin
On Mon, 2006-09-25 at 12:48 -0500, Nathan Keltner wrote:
> The range is not much of an issue. People have been able to
> communicate with bluetooth devices over a mile away with
> line-of-sight. Less intensive modifications of a standard class 2
> bluetooth device can increase the range from ~10m to ~200m fairly
> easily (and cheaply).
>
> The problem with bluetooth is that there currently is not an easy way
> to sniff the traffic. It's been shown that the encryption
> implementations used are incredibly weak, and could be broken in only
> a few seconds for most devices if the handshake between the devices is
> captured. (Regardless of how good the encryption is, how hard is it
> to iterate through all possible PINs when the standard is 4-digits?)
> There's also been talk of how the bluetooth encryption scheme uses
> some new algorithms, so there's always the possibility new issues will
> rear their heads.
>
> So -- how to capture?
>
> 2 ways. One is to tap the communications before it leaves the
> computer and this is what most of the normal bluetooth utilities use.
> They'll hook into the relevant processes and dump all commands going
> to/from the bluetooth device. As you would have to have administrator
> rights to the machine you're interested in, this obviously isn't an
> issue from the scenario you're looking at.
>
> The 2nd way, the way you were hinting at, is to sniff the traffic over
> the air. Currently it is not possible to do this with standard
> hardware. Bluetooth implements all of the baseband/RF level stuff in
> the hardware itself, and no one has (publicly) reverse engineered any
> of the proprietary firmwares to give us access to that level (if
> that's even possible).
>
> Commercial products that will do this do exist and are used by tech
> manufacturers (Nokia, Motorola, etc) to test their products, but these
> aren't in the reach of your average joe. One company, FTE, makes a
> product that sniffs over-the-air bluetooth, automatically decrypts it,
> and performs full packet analysis -- to the tune of just under $10,000
> (I believe). More info on the FTS4BT is here:
> http://www.fte.com/blu01.asp .
>
> I would imagine that eventually a group will reverse engineer or build
> a custom bluetooth adapter from scratch, and in combination with some
> RF gurus will find a way to sniff the stuff straight out of the
> baseband. Until that happens, however, we are mostly immune to this
> type of attack due to the cost limitations.
>
> One thing to keep in mind, however -- if you allow your organization
> to begin to heavily use bluetooth for things like wireless keyboards,
> it's going to be an interesting day when someone at BlackHat releases
> a firmware modification that allows us to capture bluetooth traffic
> similar to 802.11b/g.
>
> Regards,
> N
>
> p.s. As this is more closely related to wifisecurity, I'm
> cross-posting this onto the wifisec list. You're likely to get more
> relevant discussion over there.
>
> On 9/24/06, Kevin white <kwhite@ci.collierville.tn.us> wrote:
> > Dear List,
> >
> > Recently we have discovered that one of the employees in our
> > organization has purchased a bluetooth keyboard. Their belief
> > is that if someone were to sniff their keystrokes they would have to be
> > within 30 feet. To quote them...
> >
> > ###
> > your worried about the unlawful electronic misappropriation and
> > dissemination of personal information from a very low power use
> > Bluetooth device with a transmission range with about thirty feet?
> >
> > Hold on I'm laughing.... Ok, I'm back
> > ###
> >
> > I am already going to work the policy side of things to get this device
> > removed given this is a HIPAA and public safety related division. None the
> > less I am curious, am I being overly paranoid? I know that
> > bluetooth snarfing has been done at ranges over a mile and I've searched
> > all over google for more information on doing a proof of concept on this
> > myself. Most of the information seems to deal with cell-phones. Some
> > whitepapers or POCs on this would be great. Heck, even some personal
> > experiences. Based on what I saw at Black Hat I am a little less
> > paranoid since the vendor could be doing something to protect the
> > keystrokes and BT is somewhat of a strange protocol anyway. I guess I'll
> > never really know till I go out there with my own BT dongle and capture
> > some traffic myself, if possible. ;)
> >
> > Thanks in Advance!
> >
> > Kevin
> >
> >
> >
> >
-- Collin R. Mulliner <collin@betaversion.net> BETAVERSiON Systems [www.betaversion.net] info/pgp: finger collin@betaversion.net Privacy in residential applications is a desirable marketing option. (ETSI EN 300 175-7 Ch. A6) ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:01 EDT