
| Subject: | Re: Bluetooth Wireless Keyboards |
|---|---|
| Date: | Mon, 25 Sep 2006 12:48:27 -0500 |
The range is not much of an issue. People have been able to communicate with bluetooth devices over a mile away with line-of-sight. Less intensive modifications of a standard class 2 bluetooth device can increase the range from ~10m to ~200m fairly easily (and cheaply).
The problem with bluetooth is that there currently is not an easy way to sniff the traffic. It's been shown that the encryption implementations used are incredibly weak, and could be broken in only a few seconds for most devices if the handshake between the devices is captured. (Regardless of how good the encryption is, how hard is it to iterate through all possible PINs when the standard is 4 digits?) There's also been talk of how the bluetooth encryption scheme uses some new algorithms, so there's always the possibility new issues will rear their heads.
So -- how to capture?
Two ways. One is to tap the communications before they leave the computer, and this is what most of the normal bluetooth utilities use. They'll hook into the relevant processes and dump all commands going to/from the bluetooth device. As you would have to have administrator rights to the machine you're interested in, this obviously isn't an issue in the scenario you're looking at.
The 2nd way, the way you were hinting at, is to sniff the traffic over the air. Currently it is not possible to do this with standard hardware. Bluetooth implements all of the baseband/RF level stuff in the hardware itself, and no one has (publicly) reverse engineered any of the proprietary firmwares to give us access to that level (if that's even possible).
Commercial products that will do this do exist and are used by tech manufacturers (Nokia, Motorola, etc) to test their products, but these aren't in the reach of your average joe. One company, FTE, makes a product that sniffs over-the-air bluetooth, automatically decrypts it, and performs full packet analysis -- to the tune of just under $10,000 (I believe). More info on the FTS4BT is here: http://www.fte.com/blu01.asp .
I would imagine that eventually a group will reverse engineer or build a custom bluetooth adapter from scratch, and in combination with some RF gurus will find a way to sniff the stuff straight out of the baseband. Until that happens, however, we are mostly immune to this type of attack due to the cost limitations.
One thing to keep in mind, however -- if you allow your organization to begin to heavily use bluetooth for things like wireless keyboards, it's going to be an interesting day when someone at BlackHat releases a firmware modification that allows us to capture bluetooth traffic similar to 802.11b/g.
Regards, N
p.s. As this is more closely related to wifi security, I'm cross-posting this onto the wifisec list. You're likely to get more relevant discussion over there.
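The PIN-iteration point above (capture the pairing handshake once, then test every 4-digit PIN offline) is easy to see in code. The following is an added example, not part of N's post or of any Bluetooth tool. It models the pre-SSP Bluetooth pairing exchange: IN_RAND in the clear, each side's LK_RAND XORed with the PIN-derived initialisation key, a link key built from both, and a challenge/response (AU_RAND/SRES) that the eavesdropper can use as a test oracle. The real primitives E22, E21 and E1 are SAFER+ based; here they are replaced by HMAC-SHA256 stand-ins, which is an assumption of the example, as are the device addresses and the PIN. The attack depends only on the structure of the exchange, so swapping in the real functions would not change it.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the Bluetooth legacy-pairing primitives.
# Real pre-SSP Bluetooth uses SAFER+-based E22 (init key), E21 (link key
# contribution) and E1 (authentication); each is modelled here as HMAC-SHA256
# over the same inputs. This is an assumption of the example, not the spec.

def E22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialisation key Kinit derived from the shared PIN (stand-in for E22)."""
    return hmac.new(pin, b"E22" + bd_addr + in_rand, hashlib.sha256).digest()[:16]

def E21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the combination link key (stand-in for E21)."""
    return hmac.new(lk_rand, b"E21" + bd_addr, hashlib.sha256).digest()[:16]

def E1(link_key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:
    """SRES authentication response (stand-in for E1), 32 bits as in the protocol."""
    return hmac.new(link_key, b"E1" + bd_addr + au_rand, hashlib.sha256).digest()[:4]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def legacy_pairing(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom):
    """Run pairing + authentication between devices A and B.

    Returns (link_key, sniffed): link_key is what both devices end up sharing,
    sniffed is exactly what a passive over-the-air listener would have seen.
    """
    in_rand = rng(16)                         # A -> B, sent in the clear
    kinit = E22(pin, addr_b, in_rand)         # both sides derive from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)   # each side's secret random
    c_a = xor(lk_rand_a, kinit)               # A -> B (masked with Kinit)
    c_b = xor(lk_rand_b, kinit)               # B -> A (masked with Kinit)
    link_key = xor(E21(lk_rand_a, addr_a), E21(lk_rand_b, addr_b))
    au_rand = rng(16)                         # A -> B challenge, in the clear
    sres = E1(link_key, addr_b, au_rand)      # B -> A response, in the clear
    sniffed = {
        "addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
        "c_a": c_a, "c_b": c_b, "au_rand": au_rand, "sres": sres,
    }
    return link_key, sniffed

def crack_pin(sniffed: dict, digits: int = 4):
    """Offline brute force: replay the key derivation for every PIN and use
    the captured SRES as the oracle. Returns (pin, link_key) or (None, None)."""
    s = sniffed
    for n in range(10 ** digits):
        pin = str(n).zfill(digits).encode()
        kinit = E22(pin, s["addr_b"], s["in_rand"])
        lk_rand_a = xor(s["c_a"], kinit)      # unmask both randoms with the guess
        lk_rand_b = xor(s["c_b"], kinit)
        link_key = xor(E21(lk_rand_a, s["addr_a"]), E21(lk_rand_b, s["addr_b"]))
        if E1(link_key, s["addr_b"], s["au_rand"]) == s["sres"]:
            return pin.decode(), link_key
    return None, None

if __name__ == "__main__":
    # Constructed sample: hypothetical addresses and PIN for the demo only.
    addr_a, addr_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    real_key, capture = legacy_pairing(b"4271", addr_a, addr_b)
    pin, key = crack_pin(capture)
    print("recovered PIN:", pin, "link key matches:", key == real_key)
```

With a 32-bit SRES the chance that some wrong PIN in a 10,000-entry search collides is only a few in a million, and a second captured authentication exchange removes the ambiguity; the search itself takes well under a second, which is why N's "a few seconds" estimate holds regardless of the cipher strength.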
Dear List,
Recently we have discovered that one of the employees in our organization has purchased a bluetooth keyboard. Their belief is that if someone were to sniff their keystrokes they would have to be within 30 feet. To quote them...
### you're worried about the unlawful electronic misappropriation and dissemination of personal information from a very low power use Bluetooth device with a transmission range of about thirty feet?
Hold on I'm laughing.... Ok, I'm back ###
I am already going to work the policy side of things to get this device removed given this is a HIPAA and public safety related division. Nonetheless I am curious, am I being overly paranoid? I know that bluetooth snarfing has been done at ranges over a mile and I've searched all over google for more information on doing a proof of concept on this myself. Most of the information seems to deal with cell-phones. Some whitepapers or POCs on this would be great. Heck, even some personal experiences. Based on what I saw at Black Hat I am a little less paranoid since the vendor could be doing something to protect the keystrokes and BT is somewhat of a strange protocol anyway. I guess I'll never really know till I go out there with my own BT dongle and capture some traffic myself, if possible. ;)
Thanks in Advance!
Kevin