Thread-topic: 23C3 - Bluetooth hacking revisted [Summary and Code]
________________________________
От: Thierry Zoller [mailto:Thierry@xxxxxxxxx]
Отправлено: Чт, 04.01.2007 15:44
Кому: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx;
news@xxxxxxxxxxxxxx
Тема: 23C3 - Bluetooth hacking revisted [Summary and Code]
Dear List,
Kevin Finistere and myself gave a Talk in Berlin 29th on Bluetooth
Hacking, we presented new implementation bugs as well as bugs/problems
deeply buried within the Protocol itself.
This mail to the list should represent a digest for those not able to
attend or able to view the stream.
I would like to express my gratitude to the organisators of 23C3 and
to give me a chance to present (being 2 month to late on deadline)
at the biggest European Hacker convention ever. Thanks.
Lecture :
* The slides - Bluetooth hacking revisited
http://events.ccc.de/congress/2006-mediawiki//images/f/fb/23c3_Bluetooh_revisited.pdf
* The Video
http://video.google.de/videoplay?docid=-3912884713197210784&q=23c3
Code :
* BTCrack v1.0 - Pin and Link key cracker (Download)
http://www.nruns.com/security_tools.php
* HIDattack - Attack Bluetooth VNC style (Download @ Collin Mulliner)
http://www.mulliner.org/bluetooth/hidattack01.tar.gz
* The Remote Root Bluetooth Code by Kevin Finistere
http://www.digitalmunition.com <http://www.digitalmunition.com/>
Key points from the Lecture :
* Pin and Link key recovery is practicaly possible (code release and live
demo)
* If you use Bluetooth beyboards or mice, your PC has a HID server, these
may be attached to inject commands (!) as if you were typing on the keyboard
* The random numbers used for encryption and so forth may be very weak for
your device
* The Pin is not that usefull the Link key is !
o Things to do once you have the link key:
+ Passively decrypt the traffic
+ Connect to the slaves pretending to be the master and have
full access (no pin required)
+ Connect to the master pretending to be one of the slaves have
full access (no pin required)
+ Plant the link key on a BT capable machine and have a remote
encrypted stealth channel to that machine
* Update your Drivers !
o Widcomm, Toshiba, Bluesoil, ALL vulnerable
o Don't rely on Windows update for that, your BT stack may be from a
third party vendor (very likely)
o Listening on the Microphone and recording is also possible on PCs
(not only cars)
* Swap over to Bluetooth 2.1 (as soon as possible) and use "Secure Simply
Pairing"
* Regard the quality of the encryption Bluetooth offers (E0) as a PRIVACY
feature NOT a security feature. (Compare it to WEP)
* New re-pairing attack : Connect to the master pretending to be from the
piconet, use a fake linkkey, master will think (oops lost the pairing) and will
re-initiate the pairing given an attacker the choice to capture the exchange
and crack it.
* Don't trust encryption taking place, sometimes the devices negotiate
Security Mode 2, and you don't know your data is actually transferred in clear
text (after being authenticated) and you can't actually check as you don't have
a Bluetooth Sniffer.
* The Bluetooth PIN is actually a Bluetooth Passkey, it supports characters
not only digits (this has security implications)
General Recommendations :
* Delete your existing pairings as soon as you don't need them
* Pair in "secure places" SIG recommendation
* As soon as your device asks for a PIN again, don't enter it you might be
snooped on (see previously mentioned pairing attack)
* Don't trust Bluetooth 1.0 - 1.2 (can't tell for 2.0-2.1 yet)
* Companies : Mitigate and Monitor.
Companies using Bluetooth for Industrial purposes :
* Regenerate a new key every 5 minutes, use 16 chars.
Vendors :
* PLEASE implement the GUI to use the possibility for bluetooth to use
characters (UTF8) NOT ONLY DIGITS.
* Please be more transparent towards your device driver version numbers and
propose an easy way to update.
Credits :
Thierry Zoller - http://www.nruns.com <http://www.nruns.com/> -
http://secdev.zoller.lu <http://secdev.zoller.lu/>
Kevin Finistere - http://www.digitalmunition.com
<http://www.digitalmunition.com/>
--
http://secdev.zoller.lu <http://secdev.zoller.lu/>
Thierry Zoller
Fingerprint : 4813 c403 58f1 1200 7189 a000 7cf1 1200 9f89 a000