According to the Bluetooth specification, PINs can be 8-128 bits long. Unfortunately, most manufacturers have standardized on a four decimal-digit PIN. This attack can crack that 4-digit PIN in less than 0.3 sec on an old Pentium III 450 MHz computer, and in 0.06 sec on a Pentium IV 3 GHz HT computer.
One must wonder what the endgame is. It always seems to be convenience over security that wins. Until it is the other way around there should be no big surprises that anything wireless is likely to be broken and disclosed. At least with disclosure we can pretend to know what is going on. The real scary stuff is what is running around right in front of us that goes on unnoticed by most.
Forcing re-pairing by injecting traffic will cause the devices to prompt the user for a PIN again. If this keeps happening a lot, an alert user will realise that something is up. Of course, that relies on having an alert user.
A quick look at reveals that Bluetooth is used in everything from phones to printers to medical equipment. Someone grabbing the PIN to and linking up with a Bluetooth heart monitor will have a different agenda than someone hacking your phone. My question is: is there any way to determine how much control an attacker will have over a device by only knowing what the device does? Is a Bluetooth attack like this an all-or-nothing proposition? If you break a Bluetooth system, do you control it, or is Bluetooth communication/control typically limited to only certain features of the device?
Personally I think we would have reason to be concerned if Bluetooth were found to be incapable of being reasonably secured, or that it falsely advertised security. Is either of those the case here? So far, I only hear that Bluetooth is susceptible to weak implementation and improper use, both of which are hardly a surprise.
Anyone know what/why the PIN was allowed to be so weak, let alone 0000 by default on so many systems? Was it just simple convenience, since some Bluetooth devices probably were thought to have no need whatsoever to prevent a bond? Or was it because of mitigating controls?
Davi appears to be either a PR flack or someone who likes to accuse others of being divorced from reality by way of being in denial. (People who remember the glory days of news groups will spot this type easily.)
I observe that my car (useful life 10+ years) is now talking BT to my Treo phone/pda (lifetime 2-3 years). Can I expect Acura to keep security up to date? This will be a problem as more durable equipment gets connected.
Security does not exist in a vacuum. It requires trade-offs, and all security controls are in some manner flawed. The spec calls for stronger controls, but vendors/manufacturers clearly choose not to implement them. So you are merely pointing out, again, that users are affected by a weak implementation, not the spec.
Again, I do not see the flaw in the spec unless we (as security commentators) are deciding that society as a whole has no need whatsoever for a weak Bluetooth PIN. Personally I do not see the need for a 0000 PIN, let alone four instead of eight case-sensitive alphanumerics, but that does not mean I am ready to throw out the baby with the bathwater. I will just be careful as a consumer to weigh the risks and choose products carefully.
While an intro is obviously a distillation of the spec, you are correct to be wary of perspective. However, if you are virulently against commercial sources then many intros are also available from academic and non-commercial settings if you search for them (try site:edu or even site:gov if you prefer).
I think this all comes back to the fact that the paper cited by Bruce is more an academic treatment of a well known risk, perhaps to get a more accurate estimate, than a fresh discovery. Even Bruce was asking for some real data to quantify the impact, and so far we are still just discussing the theoretical issues.
I still do not see any Bluetooth claim that the conditions tested in the paper were meant to be strong or secure. Quite the contrary, there are well documented warnings that public pairing may be forced and that PINs are insufficiently secure. So at the end of the day we have a paper proving a point (that Bluetooth was already making) about the need for more secure implementations, per the spec.
Many headsets and GPS receivers can only use 0000 as the PIN. So when these devices have been paired with my PDA, one knows at least one PIN for that PDA and I presume the Bluetooth device address can easily be monitored.
What then can be done with that info? Is my PDA compromised because of that 0000 pairing? Can one indeed enter my PDA when I stopped using my headset? Can one call through my PDA? Can one get my stored password from the PDA?
I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc. This personal website expresses the opinions of none of those organizations.
In order to use the keyboard, you first have to install an app, which could be downloaded over-the-air. Once you have this, just pair the device via Bluetooth as you would any device. When you have both devices paired, you're ready to go. The first time you use it you have to manually connect it by launching the app you installed. You then have the option to have the BlackBerry automatically connect to the keyboard whenever you turn the keyboard on. I have mine set to auto connect and the speed at which the two devices connect varies upon each use. Sometimes they would connect instantly after turning both my Bluetooth and the keyboard on. Other times it would take a little longer to connect. There were times when it got even more frustrating and would not connect so I had to go in and connect manually. However, after testing it out on another BlackBerry device (Storm2) I found that this was not the case. So, it could just be an issue with the Torch. After contacting support they told me this should be the case but couldn't offer a solution. It seems other Torch users have had this problem too. Let's hope a future update could fix this.
There are a number of shortcut keys available on the keyboard that allow you to launch apps on your BlackBerry device without having to actually touch your BlackBerry. There are the SK keys that will work just like the BlackBerry button, select key and back key and convenience keys. You can define 12 shortcuts to launch your favourite applications which can be set through the Freedom Pro app. Down the left side of the keyboard you have 6 dedicated shortcut keys for: Messages, Contacts, Tasks, Calendar, Answer call and End call. There are also default shortcuts to load the Browser, control media, volume and go back to the Home screen. This makes things a lot more convenient, giving you quite a lot of control from the keyboard.
The keyboard has 75 full sized keys arranged on 5 rows. It comes with a detachable device stand which can be adjusted by height, which is foldable to tuck away nicely into the keyboard for storage. The device stand feels sturdy and has rubber panels so your device does not slip off. The keyboard itself feels quite solid. The keys have enough travel in them and don't feel flimsy. There's also a lock so that it does not fold while you're using it. Not that it will if it's sitting on a table but the option is there. It comes with a leather pouch for when you need to store it in when travelling around which is a nice bonus. It is powered by two AAA batteries that come included. I haven't had to change them yet, with constant use for a month or so. There are even four small rubber stands on the outside of the keyboard for stability while using the keyboard and so your keyboard doesn't get scratched by the surface.
My overall thoughts on the Freedom Pro Bluetooth Keyboard are positive. It served me well for the purpose I needed it for. Basically does what it says on the box. The 12 definable shortcut keys are an awesome bonus but remembering what app is assigned to what number can take a while to get used to. If you use them often enough, of course this wouldn't matter. Due to its full-sized keys, however, some may see the keyboard as a bit too big, especially compared to other Bluetooth keyboards in the market, but if you're looking for a reliable keyboard that gives you the best typing experience I would recommend getting one. Definitely allows you to get a lot more done than using your BlackBerry keyboard alone.
According to the official website, Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
The latest version is faster and contains a lot of new features like APR (ARP Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.
Cain & Abel is a tool that will be quite useful for network administrators, teachers, professional penetration testers, security consultants/professionals, forensic staff and security software vendors.