Slashdot Mirror


New Way To Crack Secure Bluetooth Devices

moon_monkey writes "Cryptographers have discovered a way to hack Bluetooth-enabled devices even when security features are switched on, according to a report from New Scientist.com. The discovery may make it even easier for hackers to eavesdrop on conversations and charge their own calls to someone else's cellphone. From the article: 'Our attack makes it possible to crack every communication between two Bluetooth devices, and not only if it is the first communication between those devices,'"

30 of 137 comments

  1. Show me the code by Anonymous Coward · · Score: 2, Interesting


    Where are these cryptographers and their code?
    And why isn't this mentioned on Bugtraq or Full Disclosure?

    1. Re:Show me the code by moyix · · Score: 2, Informative

      Well, here might be a good place to look. The article doesn't actually tell you where to find the research, but it was posted on Schneier's blog this morning.

      Cheers,
      Brendan

  2. Funny quote by MyLongNickName · · Score: 3, Insightful

    "Too many people are thinking of security instead of opportunity. They seem more afraid of life than death. -- James F. Byrnes"

    At bottom of Slashdot screen :)

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  3. Article is missing an important detail by plover · · Score: 2, Interesting

    By forcing a re-pairing (as stated in the article) does it then rely on the user to re-pair his devices as a manual step? Or does this re-pair process happen in an automated fashion?

    If it's a manual step, then it'll require education of the users to not pair their phones in public.

    --
    John
    1. Re:Article is missing an important detail by wyoung76 · · Score: 3, Informative

      From TFA:

      Wool and Shaked have managed to force pairing by pretending to be one of the two devices and sending a message to the other claiming to have forgotten the link key.

      So, it's an automatic and remote attack which doesn't rely upon any cooperation from either of the two original Bluetooth devices.

    2. Re:Article is missing an important detail by Sancho · · Score: 3, Insightful

      The article isn't clear.

      They imply that part of the pairing process is inputting the 4 digit PIN. If this is the case, user intervention would be required for re-pairing. Maybe the article wasn't as precise as possible regarding the process, but it distinctly uses the above terminology which, to me, implies manual input.

      Perhaps the devices remember the PIN if the link-key is forgotten, thus removing the need for user intervention? That would explain the bit in the article about trying every PIN (a 4-digit PIN seems pretty ridiculously small, regardless).

    3. Re:Article is missing an important detail by MadRocketScientist · · Score: 5, Informative

      Digging up their paper, it seems that it is not automatic:

      If the attack is successful, the Bluetooth user will need to enter the PIN again - so a suspicious user may realize that his Bluetooth device is under attack and refuse to enter the PIN.

    4. Re:Article is missing an important detail by plover · · Score: 2, Informative

      The headsets I'm familiar with have a preset PIN (something like 0000 or 1111) that you have to enter into the phone. But they can't initiate the pairing process -- it has to be driven from the phone side. I suppose it's entirely possible for an attacker who sees you use a headset to set up his device to sniff your headset's ID, then pretend to be that headset with PIN 1111.

      Now a headset has only a limited set of functions it can perform -- they can't dial digits without a keypad, so they're usually restricted to voice recognition of pre-programmed names. So unless you wanted to steal a phonecall to my wife or my son, you probably won't find it very useful.

      That is, if headsets are restricted to "no dialing, no OBEX, no service discovery". If headsets are allowed to "change" their profile to suddenly support network dialing, keypads, and all that, then you're in big trouble from spoofers without even worrying about cracking the crypto.

      --
      John
    5. Re:Article is missing an important detail by BranMan · · Score: 2, Insightful

      There are a few things that aren't clear in TFA, but look pretty alarming.

      The article mentions a manual process for inputting a 4 digit PIN to seed the pairing process. It then goes on to state that bluetooth devices can send a 'whoops - forgot our secret key. Sorry. Can we pick a new one?' message that is honored without any intervention by, or alerting of, the user(s) involved. Just having that message - without any authentication or encryption it seems - defeats the entire security process. WTF?

      The second thing is the 4 digit PIN - if the 128 bit key is generated from a 4 digit PIN, and done without randomness (how else could both devices arrive at the same key?) - then you have less than 6 bit keys in effect. WTF?

      If this article is accurate the bluetooth security protocols were designed by a bunch of frickin' morons.

      <rant> Does getting paid to develop security software render people imbeciles??? It sure seems like it does to me. </rant>

  4. man this ain't very good news by Adult+film+producer · · Score: 2, Interesting

    This is fucking depressing. Can firmware updates fix these streams of bluetooth hacks? Or is the problem so close to the hardware that nothing but scrapping the device and building from the ground up will fix it?

  5. panic! Fear! Oh no! by Matey-O · · Score: 2, Funny

    While the last dozen times I've paired devices HAVE been on the bus, I've noticed the auto-generating PINs are now 5 to 8 digits long.

    Further, it's extremely rare that I even SEE another bluetooth device on the bus or train. While the phones may be popular, not a whole lotta people are using bluetooth, it seems.

    Additionally, the phones I've got default to a Bluetooth radio-off mode...ya can't see them unless you a) turn them on (v600) or b) are already paired (nokia 9820)

    Lastly, at 15 feet, there's not a large number of people around you that can pull this off (except that poindexter across the aisle with the laptop and dish antenna pointed at you)

    Now, if you're being shadowed at less than 20 feet by a guy with a BT headset, get worried...or turn off your phone...or ignore it, you've got a blue bajillion minutes anyway.

    --
    "Draco dormiens nunquam titillandus."
  6. The Paper: Cracking the Bluetooth PIN by Anonymous Coward · · Score: 2, Informative

    Cracking the Bluetooth PIN

    This paper describes the implementation of an attack on the Bluetooth security mechanism. Specifically, we describe a passive attack, in which an attacker can find the PIN used during the pairing process. We then describe the cracking speed we can achieve through three optimization methods. Our fastest optimization employs an algebraic representation of a central cryptographic primitive (SAFER+) used in Bluetooth. Our results show that a 4-digit PIN can be cracked in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3GHz HT computer.


    --AS

  7. Finally... by Mattygfunk1 · · Score: 3, Funny

    ...an excuse for my "adult" calls on my phone bills.

    __
    free funny videos
    1. Re:Finally... by MyLongNickName · · Score: 3, Insightful

      Does your mom make you do chores until you pay them off? You'd think once you hit 32, she'd stop doing that.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:Finally... by MyLongNickName · · Score: 2, Funny

      :) Maybe suggest spankings as an alternative correction measure?

      (thank goodness for the 'Post Anonymously' option)

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    3. Re:Finally... by Mike+Buddha · · Score: 2, Funny

      by MyLongNickName (822545) on 11:40 AM June 3rd, 2005 (#12716491)

      (thank goodness for the 'Post Anonymously' option)


      Doh!

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.
  8. Re:A fix... by plover · · Score: 4, Informative

    Don't use bluetooth! To me it seems very unnecessary to have a bt enabled phone.

    Then not only didn't you RTFA, but apparently you haven't used Bluetooth, either. Bluetooth is an extremely useful mechanism for many of us. It lets my PDA get on line; and when I hop in my vehicle, my car stereo magically becomes my car phone whenever it rings.

    I just wish more devices were Bluetooth enabled (and that this security hole didn't exist.) As is, I'm not losing sleep over this as I don't have a public-transit commute (the sort of place where breaks seem most likely to happen.)

    --
    John
  9. What about keyboards by Anonymous Coward · · Score: 2, Insightful

    The more important issue here is bluetooth keyboards. Can people use this hack to get my password that I'm typing on a wireless keyboard? (Distance issues aside.)

    The article doesn't seem to say.

  10. Re:Why, oh why ? by fuzzybunny · · Score: 2, Insightful

    Nope, most security professionals want to fix bugs. There will always be enough holes in software to make our lives difficult.

    Bluetooth in and of itself is a fairly decent protocol for what it was originally designed for (ca. 15m range personal networking). It encounters a lot of limitations in the capabilities of how it is implemented (i.e. static shared PINs, etc.)

    And you're mistaken about crazy hackers; I know of quite a few pretty top-end cryptographers still doing good research while employed as pet security bwanas by large banks, IT corporations, etc. Although, I don't know whether you could refer to "job security" when talking about an outfit like IBM research :(

    --
    Cole's Law: Thinly sliced cabbage
  11. 4-digit PIN is the heart of the problem by G4from128k · · Score: 3, Insightful

    Reading between the lines, it seems that the short nature of the PIN code is a key to the exploit. The attacker forces a re-pairing, listens to the re-pairing exchange, and then tries all possible PIN codes to determine which one is the right one. Because a 4-digit PIN has only 10,000 possibilities, it's easy to brute force it.

    A longer alphanumeric PIN might be a first step to making this exploit much less practical -- increasing the PIN search time from a fraction of a second to hours or days.

    This looks like another classic example of the fundamental tradeoff between usability and security.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:4-digit PIN is the heart of the problem by nacturation · · Score: 3, Insightful

      You can't brute-force 10,000 combinations with a good hope of succeeding if you only get three tries. Even a 25 second wait after 3 incorrect PINs would make the attack last a full day.

      I could be wrong, but my understanding is that you record the negotiation process, during which the unknown PIN is exchanged. You can then go offline and figure out which PIN number would have resulted in the particular set of data exchanged during the negotiation. Then, you can go back online, having bruted the correct PIN, and Bob's your uncle.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  12. Re:Why, oh why ? by cebailey · · Score: 2, Informative

    Maybe I'm missing a beat here, but TFA says that the communications between Bluetooth devices ARE encrypted...it's simply a Bluetooth device's "heartbeat" that's unencrypted, and it allows for hacking.

    Now, if they maybe wanted to use more encryption so the key isn't as breakable, that would be an idea...but it would probably mean more expensive hardware, and longer PINs.

    My boss always says security and ease of use are on two opposite ends of a line, and with any system you have to put the 'x' somewhere. Bluetooth chose to plant their 'x' pretty close to the Ease of Use side, which cost them security.

    But then again, if I see the little "B" icon on my v600 and my headset's not on my ear, I know SOMETHING's up...

  13. Not such a big threat by Zarhan · · Score: 3, Informative

    Ok, before this the attacker could only attack when the target link was forming.

    With this, you can force them to re-form at will.

    Even so, you still need to brute-force the PIN. The "PIN" is really a 16-byte field, and is not really limited to numeric (or even alphanumeric) characters.

    So what can be done:

    1) Start using long PIN codes (if your device is limited to numbers, at least use the maximum length)
    2) Software update that notifies user of the "forced re-pairing"
    3) Allow users to use PINs beyond the numeric space or the possibility to use some pre-shared secret keys.

    This affects those of you who use "1234" or similar keys for pairing process for convenience.

  14. Just take today's story... by Xaroth · · Score: 2, Informative

    ...add one of these bad boys and shake vigorously.

    Mmm... phreaky...

  15. Re:Serious Flaw by Mike+Buddha · · Score: 2, Informative

    The device sends its key to anyone claiming to have forgotten theirs? That is a great design. Why wouldn't it only resend the key if it recognized the ID as something it already paired with?

    RTFA. The hacker's device tells the other device that it forgot the key. The pairing is deleted. The user has to re-pair the devices if he wants to use them again. The hacker can listen to that second pairing and use the previously discovered techniques to get the key.

    --
    by Mike Buddha -- Someday the mountain might get him, but the law never will.
  16. Re:Three words.... by Mike+Buddha · · Score: 2, Insightful

    ... and a litany of new security issues. There is no "magic" technology. Get over it.

    --
    by Mike Buddha -- Someday the mountain might get him, but the law never will.
  17. Re:Serious Flaw by sPaKr · · Score: 2, Informative

    It doesn't resend the key. The problem is that an unencrypted, easily spoofable message can force the device to renegotiate a new key. This renegotiation is the vulnerable state. Really this just makes the original hack easier to perform in that it can happen at any time instead of only at the initial pairing of the two devices.

  18. Mastercard Commercial? by SPY_jmr1 · · Score: 2, Funny

    Curse goodness when you forget to use it...

  19. Paper describing the attack by IcyHando'Death · · Score: 2, Informative

    The researchers who developed this new attack will be presenting their results in Seattle on Monday, June 6 at MobiSys 2005. Their paper can be viewed at http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

    Mike

  20. Victim can't stop this type of brute force attack by G4from128k · · Score: 2, Insightful

    You can't brute-force 10,000 combinations with a good hope of succeeding if you only get three tries. Even a 25 second wait after 3 incorrect PINs would make the attack last a full day.

    Actually the "brute force" is not done by communication, so the victim cannot stall the attack. The brute force attack is entirely computed in software by the attacker's PC. The attacker simulates all 10,000 combinations until he/she gets a match with what was sniffed while listening to the re-pairing process. The attacker only sends two communications to the victim's device: 1) an "I've lost the PIN, let's re-pair please" message, and 2) a successful "here's the valid 128-bit key". Thus, the victim cannot make the attacker wait 25 seconds between tries because the cracking attempts are all done inside the attacker's PC.

    That is what makes this attack so evil. The victim only sees one message (if that) and probably thinks "Oh, one of my Bluetooth devices has glitched/crashed and I need to re-enter the PIN." Given the general unreliability of most computing devices these days I bet the victim is not even that surprised/suspicious of the message.

    --
    Two wrongs don't make a right, but three lefts do.
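The point made in comments 11, 13 and 20 (the PIN search runs against a recording, so no retry delay on the victim's device can slow it, and PIN length is the only lever the user holds) is shown here as an added toy model, not code from the thread or from the Shaked/Wool paper. It assumes HMAC-SHA256 as a stand-in for Bluetooth's real E22/E21/E1 (SAFER+) primitives and constructs its own pairing transcript; only the shape of the exchange (public random values, a PIN-derived key, a cleartext challenge/response) is modelled.

```python
"""Toy model of an offline PIN search against a recorded pairing (constructed example).
HMAC-SHA256 stands in for Bluetooth's E22/E21/E1 primitives; only the exchange
structure is modelled, not the real ciphers."""
import hashlib
import hmac
import itertools
import os
import string


def derive_link_key(pin: bytes, rand_a: bytes, rand_b: bytes) -> bytes:
    # Both devices derive the same key from the PIN plus the two random values
    # they exchanged in the clear during pairing (stand-in for E22/E21).
    return hmac.new(pin, rand_a + rand_b, hashlib.sha256).digest()


def authenticate(link_key: bytes, challenge: bytes) -> bytes:
    # Challenge/response proves knowledge of the link key; both values are
    # visible to a passive listener (stand-in for E1).
    return hmac.new(link_key, challenge, hashlib.sha256).digest()[:8]


def record_pairing(pin: bytes) -> dict:
    # Constructed transcript holding exactly the fields an eavesdropper sees.
    rand_a, rand_b, challenge = os.urandom(16), os.urandom(16), os.urandom(16)
    key = derive_link_key(pin, rand_a, rand_b)
    return {"rand_a": rand_a, "rand_b": rand_b, "challenge": challenge,
            "response": authenticate(key, challenge)}


def offline_pin_search(transcript: dict, alphabet: str, length: int):
    # Each candidate is checked against the recording alone; a lockout or retry
    # delay on the victim's device never comes into play. Returns (pin, tries).
    tries = 0
    for cand in itertools.product(alphabet, repeat=length):
        tries += 1
        pin = "".join(cand).encode()
        key = derive_link_key(pin, transcript["rand_a"], transcript["rand_b"])
        if authenticate(key, transcript["challenge"]) == transcript["response"]:
            return pin, tries
    return None, tries


def search_space(alphabet_size: int, length: int) -> int:
    # Candidates an attacker must be prepared to test offline; the defender's
    # lever is making this number infeasible (full 16-byte PIN vs 4 digits).
    return alphabet_size ** length


if __name__ == "__main__":
    found, tries = offline_pin_search(record_pairing(b"1234"), string.digits, 4)
    print(f"recovered {found!r} after {tries} offline candidates")
    print(search_space(10, 4), search_space(256, 16))
```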