Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Bluetooth Wireless Keyboards
From: "Jarrod Frates" <jfrates.ml () gmail com>
Date: Mon, 25 Sep 2006 09:50:28 -0700

On 9/24/06, Kevin white <kwhite () ci collierville tn us> wrote:
Recently we have discovered that one of the employees in our
organization has purchased a bluetooth keyboard.  Their belief
is that if someone were to sniff their keystrokes they would have to be
within 30 feet.

Most consumer-grade devices would have difficulty pulling in a
coherent signal at 30 feet.  On that point, the user is mildly
correct.  However, it is not terribly difficult to find Bluetooth
devices with external antennas and correspondingly greater range, and
anyone with a little bit of skill can modify an existing device to
allow for tremendous ranges, as shown here:


Based on what I saw at Black Hat I am a little less
paranoid since the vendor could be doing something to protect the
keystrokes and BT is somewhat of a strange protocol anyway. I guess I'll
never really know till I go out there with my own BT dongle and capture
some traffic myself, if possible. ;)

In a presentation on Bluetooth in March 2006, Joshua Wright (developer
of asleap and some other useful tools) demonstrated a technique he
called Bluepinning.  It was able to crack the PIN used to secure a
connection between Bluetooth devices with astounding ease; as I
recall, a six-digit PIN was broken live in about three minutes on an
800MHz P3 notebook, and it scales at a factor of 10 per digit, i.e., a
seven-digit PIN would take about 30 minutes, an eight-digit PIN about
five hours, etc.  How often is the PIN changed in *your* Bluetooth
devices?  More importantly, on which Bluetooth devices are you even
*able* to change the PIN from its factory setting?

The exploit remains in private hands, but there's no telling whether
someone has been able to duplicate the method.  This, along with
several other aspects of Bluetooth, has made me disable it on
everything that I am assigned at work, and avoid purchasing it
wherever possible, except for additional devices intended to be used
for captures and analysis.

Bluetooth is, IMHO, marginally more secure than some of the old
wireless keyboards, but I wouldn't put one on my desk without a
significant alteration in how encryption is handled.  According to
Joshua, Bluetooth had a design goal of radios that cost $5 to make
them more attractive to consumers by way of lower cost.  Just how much
encryption can you cram in a $5 radio?

Jarrod Frates

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]