
Penetration Testing mailing list archives

Re: Bluetooth Wireless Keyboards
From: "Collin R. Mulliner" <collin () betaversion net>
Date: Tue, 26 Sep 2006 00:06:41 +0200

...there is one other thing to do with bluetooth keyboards or actually
with the desktop pc that is connected to the keyboard. In certain cases
one can hijack the keyboard to take control of the desktop pc. This can
be done if the OS on the desktop pc runs a hid server that accepts
incoming connections. One just needs a special (software) keyboard that
is able to connect to the hid server. This basically provides total
control of the desktop pc, one can for example inject command sequences
or just key-combos like ctrl-alt-del. I have implemented this attack
against an older version of the bluez (linux) hid server about a year
ago, since then the hid server was fixed. I haven't done any in-depth
testing of other OSes.


On Mon, 2006-09-25 at 12:48 -0500, Nathan Keltner wrote:
The range is not much of an issue.  People have been able to
communicate with bluetooth devices over a mile away with
line-of-sight.  Less intensive modifications of a standard class 2
bluetooth device can increase the range from ~10m to ~200m fairly
easily (and cheaply).

The problem with bluetooth is that there currently is not an easy way
to sniff the traffic.  It's been shown that the encryption
implementations used are incredibly weak, and could be broken in only
a few seconds for most devices if the handshake between the devices is
captured.  (Regardless of how good the encryption is, how hard is it
to iterate through all possible PINs when the standard is 4-digits?)
There's also been talk of how the bluetooth encryption scheme uses
some new algorithms, so there's always the possibility new issues will
rear their heads.

So -- how to capture?

2 ways.  One is to tap the communications before it leaves the
computer and this is what most of the normal bluetooth utilities use.
They'll hook into the relevant processes and dump all commands going
to/from the bluetooth device.  As you would have to have administrator
rights to the machine you're interested in, this obviously isn't an
issue from the scenario you're looking at.

The 2nd way, the way you were hinting at, is to sniff the traffic over
the air.  Currently it is not possible to do this with standard
hardware.  Bluetooth implements all of the baseband/RF level stuff in
the hardware itself, and no one has (publicly) reverse engineered any
of the proprietary firmwares to give us access to that level (if
that's even possible).

Commercial products that will do this do exist and are used by tech
manufacturers (Nokia, Motorola, etc) to test their products, but these
aren't in the reach of your average joe.  One company, FTE, makes a
product that sniffs over-the-air bluetooth, automatically decrypts it,
and performs full packet analysis -- to the tune of just under $10,000
(I believe).  More info on the FTS4BT is here:
http://www.fte.com/blu01.asp .

I would imagine that eventually a group will reverse engineer or build
a custom bluetooth adapter from scratch, and in combination with some
RF gurus will find a way to sniff the stuff straight out of the
baseband.  Until that happens, however, we are mostly immune to this
type of attack due to the cost limitations.

One thing to keep in mind, however -- if you allow your organization
to begin to heavily use bluetooth for things like wireless keyboards,
it's going to be an interesting day when someone at BlackHat releases
a firmware modification that allows us to capture bluetooth traffic
similar to 802.11b/g.


p.s.  As this is more closely related to wifi security, I'm
cross-posting this onto the wifisec list.  You're likely to get more
relevant discussion over there.

On 9/24/06, Kevin white <kwhite () ci collierville tn us> wrote:
Dear List,

Recently we have discovered that one of the employees in our
organization has purchased a bluetooth keyboard.  Their belief
is that if someone were to sniff their keystrokes they would have to be
within 30 feet.  To quote them...

you're worried about the unlawful electronic misappropriation and
dissemination of personal information from a very low power use
Bluetooth device with a transmission range with about thirty feet?

Hold on I'm laughing.... Ok, I'm back

I am already going to work the policy side of things to get this device
removed given this is a HIPAA and public safety related division. Nonetheless
I am curious, am I being overly paranoid?  I know that
bluetooth snarfing has been done at ranges over a mile and I've searched
all over google for more information on doing a proof of concept on this
myself.  Most of the information seems to deal with cell-phones.  Some
whitepapers or POCs on this would be great.  Heck, even some personal
experiences.  Based on what I saw at Black Hat I am a little less
paranoid since the vendor could be doing something to protect the
keystrokes and BT is somewhat of a strange protocol anyway. I guess I'll
never really know till I go out there with my own BT dongle and capture
some traffic myself, if possible. ;)

Thanks in Advance!


Collin R. Mulliner <collin () betaversion net>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin () betaversion net
Privacy in residential applications is a desirable marketing option.
(ETSI EN 300 175-7 Ch. A6)

