Full Disclosure: Re: Bluetooth: Theft of Link Keys for Fun and Profit?

From: Adam Laurie <adam.laurie_at_thebunker.net>
Date: Fri, 12 Aug 2005 19:33:25 +0100

KF (lists) wrote:
> Adam Laurie wrote:
>
>> Excuse me? You are skipping over the only important bit of your
>> "disclosure"!
>
> When did I claim this was a "disclosure"? This was simply some notes
> that I have jotted down while messing around with bluetooth link keys. I
> was not "disclosing" any new vulnerabilities, I am simply documenting
> how things can be done after you have obtained a link key. I have not
> seen any documentation on this anywhere so I figured I would create it.

My apologies - I took the posting to "full-disclosure" too literally...
You are right - background info is also useful for those that are
starting to get into this (rich) field of research...

> If I could get some valid non-pseudo code to calculate e22 and e21 I
> would gladly release some of my own. Apart from generic pseudo code I
> haven't seen any. Maybe you would like to share yours with the rest of us?

I do not have that code, but I know it exists...

>> Apart from a $10,000 sniffer?
>>
> Mine was only $1600, sounds like you got ripped off. =]

Heh. No, mine cost me $0.00 :)

>> Please explain - if you're "stealing" a key from a machine you're
>> running hcid on, then you already own that key anyway, surely?
>
> Who said I was stealing it from the machine I am running hcid on?
>
> Which would in turn allow a remote attacker to run commands on the
> machine running hcid.
>
> Maybe it would make you feel better if I said I took root on a linux box
> that I did not own and stole the /etc/bluetooth/link_keys file.
>
> Or perhaps I stole /var/root/Library/Preferences/blued.plist off an OSX
> machine.
>
> I could have even taken it from \HKLM\SOFTWARE\Widcomm\BtConfig\Devices\
> on a windows box that I had previously broken into.

Fair point. Leverage one vulnerability to exploit another, and you have
a useful attack.

>> You could try the "bdaddr" tool in the BlueZ package.
>>
> Good info! Is that documented somewhere or is it like the Ericsson
> opcode that was mysteriously left out of the documentation?

AFAIK 'bdaddr -h' and the source are the only docs, but it works with
all of the dongles I've tried it with (all CSR based). Check with Marcel
for full capabilities, but I know it supports Ericsson, CSR and Zeevo.

Once again, my apologies if I came across too critical - I really was
looking at your post from the wrong angle...

cheers,
Adam

-- 
Adam Laurie                         Tel: +44 (0) 20 7605 7000
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 20 7605 7099
Shepherds Building                  http://www.thebunker.net
Rockley Road
London W14 0DA                      mailto:adam_at_thebunker.net
UNITED KINGDOM                      PGP key on keyservers
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Aug 12 2005