Re: Bluetooth: Theft of Link Keys for Fun and Profit?

["milw0rm Inc." <milw0rm () gmail com>]

Nice work KF.

/str0ke

On 8/12/05, Adam Laurie <adam.laurie () thebunker net> wrote:
> KF (lists) wrote:
> > Adam Laurie wrote:
> >
> > > Excuse me? You are skipping over the only important bit of your
> > > "disclosure"!
> >
> >
> > When did I claim this was a "disclosure", this was simply some notes
> > that I have jotted down while messing around with bluetooth link keys. I
> > was not "disclosing" and new vulnerabilities, I am simply documenting
> > how things can be done after you have obtained a link key. I have not
> > seen any documentation on this anywhere so I figured I would create it.
>
> My apologies - I took the posting to "full-disclosure" too literally...
> You are right - background info is also useful for those that are
> starting to get into this (rich) field of research...
>
> > If I could get  some valid non pseudo code to calculate e22 and e21 I
> > would gladly release some of my own.  Apart from generic pseudo code I
> > haven't seen any. Maybe you would like to share yours with the rest of us?
>
> I do not have that code, but I know it exists...
>
> > > Apart from a $10,000 sniffer?
> > Mine was only $1600, sounds like you got ripped off. =]
>
> Heh. No, mine cost me $0.00 :)
>
> > > Please explain - if you're "stealing" a key from a machine you're
> > > running hcid on, then you already own that key anyway, surely?
> >
> >
> >
> > Who said I was stealing it from the machine I am running hcid on?
> >
> > Which would in turn allow a remote attacker to run commands on the
> > machine running hcid.
> >
> > Maybe it would make you feel better if I said I took root on a linux box
> > that I did not own and stole the /etc/blueooth/link_keys file.
> >
> > Or perhaps I stole /var/root/Library/Preferences/blued.plist off an OSX
> > machine.
> >
> > I could have even taken it from \HKLM\SOFTWARE\Widcomm\BtConfig\Devices\
> > on a windows box that I had previously broken into.
>
> Fair point. Leverage one vulnerability to exploit another, and you have
> a useful attack.
>
> > > You could try the "bdaddr" tool in the BlueZ package.
> > Good info! Is that documented somewhere or is it like the Ericsson
> > opcode that was mysteriously left out of the documentation?
>
> AFAIK 'bdaddr -h' and the source are the only docs, but it works with
> all of the dongles I've tried it with (all CSR based). Check with Marcel
> for full capabilities, but I know it supports Ericsson, CSR and Zeevo.
>
> Once again, my apologies if I came across too critical - I really was
> looking at your post from the wrong angle...
>
> cheers,
> Adam
> --
> Adam Laurie                         Tel: +44 (0) 20 7605 7000
> The Bunker Secure Hosting Ltd.      Fax: +44 (0) 20 7605 7099
> Shepherds Building                  http://www.thebunker.net
> Rockley Road
> London W14 0DA                      mailto:adam () thebunker net
> UNITED KINGDOM                      PGP key on keyservers
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/