Penetration Testing mailing list archives
Re: Bluetooth Wireless Keyboards
From: "Nathan Keltner" <shiftnato () gmail com>
Date: Mon, 25 Sep 2006 12:48:27 -0500
The range is not much of an issue. People have been able to communicate with bluetooth devices over a mile away with line-of-sight. Less intensive modifications of a standard class 2 bluetooth device can increase the range from ~10m to ~200m fairly easily (and cheaply). The problem with bluetooth is that there currently is not an easy way to sniff the traffic. It's been shown that the encryption implementations used are incredibly weak, and could be broken in only a few seconds for most devices if the handshake between the devices is captured. (Regardless of how good the encryption is, how hard is it to iterate through all possible PINs when the standard is 4-digits?) There's also been talk of how the bluetooth encryption scheme uses some new algorithms, so there's always the possibility new issues will rear their heads. So -- how to capture? 2 ways. One is to tap the communications before it leaves the computer and this is what most of the normal bluetooth utilities use. They'll hook into the relevant processes and dump all commands going to/from the bluetooth device. As you would have to have administrator rights to the machine you're interested in, this obviously isn't an issue from the scenario you're looking at. The 2nd way, the way you were hinting at, is to sniff the traffic over the air. Currently it is not possible to do this with standard hardware. Bluetooth implements all of the baseband/RF level stuff in the hardware itself, and no one has (publicly) reverse engineered any of the proprietary firmwares to give us access to that level (if that's even possible). Commercial products that will do this do exist and are used by tech manufacturers (Nokia, Motorola, etc) to test their products, but these aren't in the reach of your average joe. One company, FTE, makes a product that sniffs over-the-air bluetooth, automatically decrypts it, and performs full packet analysis -- to the tune of just under $10,000 (I believe). More info on the FTS4BT is here: http://www.fte.com/blu01.asp . I would imagine that eventually a group will reverse engineer or build a custom bluetooth adapter from scratch, and in combination with some RF gurus will find a way to sniff the stuff straight out of the baseband. Until that happens, however, we are mostly immune to this type of attack due to the cost limitations. One thing to keep in mind, however -- if you allow your organization to begin to heavily use bluetooth for things like wireless keyboards, it's going to be an interesting day when someone at BlackHat releases a firmware modification that allows us to capture bluetooth traffic similar to 802.11b/g. Regards, N p.s. As this is more closely related to wifisecurity, I'm cross-posting this onto the wifisec list. You're likely to get more relevant discussion over there. On 9/24/06, Kevin white <kwhite () ci collierville tn us> wrote:
Dear List, Recently we have discovered that one of the employees in our organization has purchased a bluetooth keyboard. Their belief is that if someone were to sniff their keystrokes they would have to be within 30 feet. To quote them... ### your worried about the unlawful electronic misappropriation and dissemination of personal information from a very low power use Bluetooth device with a transmission range with about thirty feet? Hold on I'm laughing.... Ok, I'm back ### I am already going to work the policy side of things to get this device removed given this is a HIPAA and public safety related division. None the less I am curious, am I being overly paranoid? I know that bluetooth snarfing has been done at ranges over a mile and I've searched all over google for more information on doing a proof of concept on this myself. Most of the information seems to deal with cell-phones. Some whitepapers or POCs on this would be great. Heck, even some personal experiences. Based on what I saw at Black Hat I am a little less paranoid since the vendor could be doing something to protect the keystrokes and BT is somewhat of a strange protocol anyway. I guess I'll never really know till I go out there with my own BT dongle and capture some traffic myself, if possible. ;) Thanks in Advance! Kevin
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Bluetooth Wireless Keyboards Kevin white (Sep 24)
- Re: Bluetooth Wireless Keyboards Jarrod Frates (Sep 25)
- Message not available
- Re: Bluetooth Wireless Keyboards Kevin white (Sep 25)
- Re: Bluetooth Wireless Keyboards Nathan Keltner (Sep 25)
- Re[2]: Bluetooth Wireless Keyboards Thierry Zoller (Sep 25)
- Re: Re[2]: Bluetooth Wireless Keyboards Nathan Keltner (Sep 25)
- Re: Bluetooth Wireless Keyboards Collin R. Mulliner (Sep 25)
- Re[2]: Bluetooth Wireless Keyboards Thierry Zoller (Sep 25)
- <Possible follow-ups>
- RE: Bluetooth Wireless Keyboards Butler, Theodore (Sep 25)
- RE: Bluetooth Wireless Keyboards William Woodhams (Sep 25)
- RE: Bluetooth Wireless Keyboards William Woodhams (Sep 25)