23C3 - new hacker tools for Bluetooth
Two new tools, BTCrack and Hidattack (TAR file download: http://mulliner.org/bluetooth/hidattack01.tar.gz), were released today (Friday) at the 23rd Chaos Communication Congress in Berlin. They demonstrate serious security vulnerabilities in Bluetooth at the protocol level. BTCrack permits cracking the pairing of two Bluetooth devices. Hidattack permits remote, external control of a wireless Bluetooth keyboard, so that it is possible to make keyboard entries on the connected computer.
BTCrack builds on a Bluetooth vulnerability described by the Israeli researchers Avishai Wool and Yaniv Shaked in 2005. The vulnerability makes it possible to listen in directly on the short-range radio connection between two devices during pairing and thus to crack the encryption. The connected devices are tricked into thinking that their counterpart has forgotten the so-called link key, which is not required for PIN entry. This kicks off a new pairing process, which gives an attacker the opportunity to record the required data using a Bluetooth sniffer.
Hidattack exploits the HID server (human interface device) installed with many Bluetooth keyboards. The program, written by Colin Mulliner, bypasses the PIN request in a similar manner, connects to this small server and can then pretend to be the keyboard. Zoller described one possible application of Hidattack: if the keyboard were in a nearby bank and connected to a terminal that could be watched through a telescope, it might be possible, for example, to carry out transactions. In this scenario it would be possible to operate the terminal almost as if you were sitting right in front of it; the only thing missing would be the mouse.
In contrast to the widely known Bluetooth attacks such as Bluesnarf or BlueBug, the number of which has grown steadily over the last few years, the latest, easily exploited security vulnerabilities are not implementation errors but fundamental communication problems affecting all devices based on the Bluetooth 1.0 or 1.2 specifications. Zoller doubts that second-generation Bluetooth devices will be a great improvement. For example, the new specifications are very unclear about the generation of the random number for the encryption process, which they describe as "very important", so that many implementations could contain further serious vulnerabilities.
However, as Zoller explained in his talk at the hacker conference, exploitation of these vulnerabilities is limited because no inexpensive, high-performance sniffer for listening in on Bluetooth radio communications is available. Because the technology continuously changes frequency in an attempt to achieve "security by obscurity", commercially available listening devices currently cost around 10,000 US dollars. Even second hand, it is hard to find anything under about 1,000 dollars. (Stefan Krempl)