Penetration Testing mailing list archives
Re: Bluetooth Wireless Keyboards
From: "Jarrod Frates" <jfrates.ml () gmail com>
Date: Mon, 25 Sep 2006 09:50:28 -0700
On 9/24/06, Kevin white <kwhite () ci collierville tn us> wrote:
Recently we have discovered that one of the employees in our organization has purchased a bluetooth keyboard. Their belief is that if someone were to sniff their keystrokes they would have to be within 30 feet.
Most consumer-grade devices would have difficulty pulling in a coherent signal at 30 feet. On that point, the user is mildly correct. However, it is not terribly difficult to find Bluetooth devices with external antennas and correspondingly greater range, and anyone with a little bit of skill can modify an existing device to allow for tremendous ranges, as shown here: http://www.pentest.co.uk/documents/bt_dongle_mod/bt_dongle_mod.html
Based on what I saw at Black Hat I am a little less paranoid since the vendor could be doing something to protect the keystrokes and BT is somewhat of a strange protocol anyway. I guess I'll never really know till I go out there with my own BT dongle and capture some traffic myself, if possible. ;)
In a presentation on Bluetooth in March 2006, Joshua Wright (developer of asleap and some other useful tools) demonstrated a technique he called Bluepinning. It was able to crack the PIN used to secure a connection between Bluetooth devices with astounding ease; as I recall, a six-digit PIN was broken live in about three minutes on an 800MHz P3 notebook, and it scales at a factor of 10 per digit, i.e., a seven-digit PIN would take about 30 minutes, an eight-digit PIN about five hours, etc. How often is the PIN changed in *your* Bluetooth devices? More importantly, on which Bluetooth devices are you even *able* to change the PIN from its factory setting? The exploit remains in private hands, but there's no telling whether someone has been able to duplicate the method. This, along with several other aspects of Bluetooth, has made me disable it on everything that I am assigned at work, and avoid purchasing it wherever possible, except for additional devices intended to be used for captures and analysis. Bluetooth is, IMHO, marginally more secure than some of the old wireless keyboards, but I wouldn't put one on my desk without a significant alteration in how encryption is handled. According to Joshua, Bluetooth had a design goal of radios that cost $5 to make them more attractive to consumers by way of lower cost. Just how much encryption can you cram in a $5 radio? ---- Jarrod Frates GAWN ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Bluetooth Wireless Keyboards Kevin white (Sep 24)
- Re: Bluetooth Wireless Keyboards Jarrod Frates (Sep 25)
- Message not available
- Re: Bluetooth Wireless Keyboards Kevin white (Sep 25)
- Re: Bluetooth Wireless Keyboards Nathan Keltner (Sep 25)
- Re[2]: Bluetooth Wireless Keyboards Thierry Zoller (Sep 25)
- Re: Re[2]: Bluetooth Wireless Keyboards Nathan Keltner (Sep 25)
- Re: Bluetooth Wireless Keyboards Collin R. Mulliner (Sep 25)
- Re[2]: Bluetooth Wireless Keyboards Thierry Zoller (Sep 25)
- <Possible follow-ups>
- RE: Bluetooth Wireless Keyboards Butler, Theodore (Sep 25)
- RE: Bluetooth Wireless Keyboards William Woodhams (Sep 25)
- RE: Bluetooth Wireless Keyboards William Woodhams (Sep 25)