Windows Phone Thoughts - Daily News, Views, Rants and Raves
  #21  
Old 06-30-2005, 07:44 PM
Ekkie Tepsupornchai
Magi
Join Date: Feb 2002
Posts: 2,386

Quote:
Originally Posted by Surur
So, in the keyboard example, you try to use your keyboard, it doesn't work, you pair it again, they hack your pass key, and now they can eavesdrop on every key you type. More dangerous is making phone calls however using your phone. That may even be done by pranksters, who could call MI5/Homeland Security making bomb threats and get you arrested. They would really enjoy that I'm sure.
Got it. So what we're saying is that a BT device can broadcast to multiple receivers if each of those receivers pretends to be the same device, regardless of whether the device is only designed to pair with one device at a time or not. That's the assumption I wasn't capturing.
  #22  
Old 07-01-2005, 04:41 AM
Jorj Bauer
Server Shogun
Join Date: Jul 2002
Posts: 89

Quote:
Originally Posted by Jason Lee
Yes, but this hack is only possible during the initial pairing process.
Jason, that's not quite true. The encryption key for bluetooth is the PIN plus the Bluetooth address. If you know the key, you can decrypt the traffic stream. Again, back to the bluetooth keyboard I mentioned. And once you know the key, you can inject any packet you like into the conversation, which will at very least close down the existing connection.

Even with 4-digit pins at their best, you wind up with about 13.3 bits of key material -- which is trivial to crack. So I reiterate: there is no security for Bluetooth. Assuming that it has any is a flawed proposition.

Quote:
Originally Posted by Jason Lee
So if the hackers were really smart they would work on a way to get the mac address from one of the devices and spoof that. But that may not be possible as that is only given out after pairing.
The bluetooth address can be retrieved from any active bluetooth device with an Inquiry command. Additionally, the slave address (i.e. for your headset or keyboard) is embedded in the baseband layer protocol of every packet. This part of the packet is not encrypted; only the payload is encrypted.

Quote:
Originally Posted by Jason Lee
Plus your device has to be in discoverable mode before you can even initiate a pairing then be open for the hack.
Not for a denial-of-service attack, or for passive eavesdropping. And there are several proposed mechanisms to force re-pairing of two active (and paired) devices, which can put your device back in the pairing part of the negotiation, opening it up to these attacks.

Yes, I'm a bit paranoid here. But these flaws mean that (current, production) bluetooth keyboards are absolutely insecure, and the best you can hope for with headsets is that hackers don't become interested in them. Enough flaws have come to light that the entire encryption protocol is going to come tumbling down.

-- Jorj
__________________
-- Jorj Bauer
[DejaVu Software, Inc.]
[PhotoBlog]
  #23  
Old 07-01-2005, 04:43 AM
Jorj Bauer
Server Shogun
Join Date: Jul 2002
Posts: 89

Quote:
Originally Posted by Ekkie Tepsupornchai
I don't believe keyboards would be an issue. AFAIK, keyboards can only be paired to one device at a time. For someone to be able to catch everything you're typing, you would have to be using the keyboard continuously while never raising an eyebrow at the fact that none of the text input is making it to your laptop or PDA.
I'm not suggesting that one would inject keystrokes into your computer -- the point is that one could sniff all of the traffic, without the user's knowledge, and would have a complete account of every keystroke you typed.

-- Jorj
__________________
-- Jorj Bauer
[DejaVu Software, Inc.]
[PhotoBlog]
  #24  
Old 07-01-2005, 04:49 AM
Jorj Bauer
Server Shogun
Join Date: Jul 2002
Posts: 89

Quote:
Originally Posted by Ekkie Tepsupornchai
My phone needs to be in discoverable mode for a re-pairing to occur...
Now they could rely on you trying to re-pair your devices and use that opportunity to get in, but if you either perform the re-pair in private or if you're paying close enough attention to the two devices you're attempting to pair, I would think you could tell immediately if the pairing happened the way you expected it to.
So let's take an example case. You're on a train, or bus, and you're in the middle of a bluetooth call. Suddenly the line drops. You check your phone to find that the headset is unpaired.

What are you going to do? Re-pair it, of course. (Especially if the "phone" is really a PDA with a known unreliable bluetooth stack. But that's a different argument. :? ) You finish your call. The wily hacker, sitting across the way from you, realizes you're done and *then* hijacks your device, since he's got the PIN from the re-pairing.

Yes, paranoia. Yes, possible. I'll stop ranting now.
__________________
-- Jorj Bauer
[DejaVu Software, Inc.]
[PhotoBlog]
  #25  
Old 07-01-2005, 04:55 AM
Jorj Bauer
Server Shogun
Join Date: Jul 2002
Posts: 89

Quote:
Originally Posted by johncruise
walk 30 feet away from him/her (whatever the range of your BT signal) then you do your thing.
Assuming they're not using a high-gain antenna to sit farther away and get the same signal, of course.

Quote:
Originally Posted by johncruise
Again... hacking/cracking is "only" possible by eavesdropping on pairing process (read: manual resending of PIN).
Still not quite true. E0 (the encryption protocol for Bluetooth) uses a 128-bit key. There's a key initialization flaw that gives away 24 bits (if I recall correctly). With research done into attacking E0, a modern algebraic attack exists that reduces the keyspace down to 2^49. This is a little bit of work, and may still be somewhat secure. 49 bits is not a lot, though.

But attacking it from the other angle: using a 4-digit PIN plus a known address as the basis for the encryption key gives you only about 13.3 bits of data. 2^14 is crackable in less than a second.

Quote:
Originally Posted by johncruise
Another moral lesson... always go to PocketPCThoughts.com :wink:
Now there's something I can agree with! :wink:
__________________
-- Jorj Bauer
[DejaVu Software, Inc.]
[PhotoBlog]
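The two posts above make one quantitative point: the link key is derived from the PIN plus the device address, the address is public, so the only secret an eavesdropper has to guess is the PIN, and a 4-digit PIN is only about 13.3 bits. The following calculator is an added illustration of that reasoning from a defender's side (deciding whether a pairing PIN policy is adequate); it is not code from the thread or from any Bluetooth stack. The 48-bit address width is the real field size; the guess rate, the one-year threshold and the policy names are constructed assumptions.

```python
"""Estimate the offline guessing work behind a Bluetooth legacy-pairing PIN,
following the thread's premise: key material = PIN + device address, and the
address is public (Inquiry response / packet header), so it adds no secrecy.

Added illustration. Guess rates and thresholds are constructed assumptions,
not measurements of any real implementation.
"""
import math

ADDRESS_BITS = 48                 # width of a Bluetooth device address
ASSUMED_GUESSES_PER_SECOND = 1e6  # constructed: offline trial rate per guess
ONE_YEAR_SECONDS = 365 * 24 * 3600


def pin_entropy_bits(pin_length: int, alphabet_size: int = 10) -> float:
    """Entropy of a uniformly random PIN of pin_length symbols."""
    if pin_length <= 0 or alphabet_size < 2:
        raise ValueError("need >= 1 symbol drawn from an alphabet of >= 2")
    return pin_length * math.log2(alphabet_size)


def effective_key_bits(pin_length: int, alphabet_size: int = 10,
                       address_known: bool = True) -> float:
    """Bits the attacker still has to guess.

    The 48-bit address only counts as secret if the attacker does not have
    it; the thread's point is that it is readable off the air, so the
    default treats it as known and the PIN carries all the entropy.
    """
    bits = pin_entropy_bits(pin_length, alphabet_size)
    if not address_known:
        bits += ADDRESS_BITS
    return bits


def expected_guess_seconds(key_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right value: half the space on average."""
    return (2.0 ** key_bits) / 2.0 / guesses_per_second


def assess_pin_policy(pin_length: int, alphabet_size: int = 10,
                      address_known: bool = True,
                      guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND,
                      min_expected_seconds: float = ONE_YEAR_SECONDS) -> dict:
    """Classify a PIN policy as 'weak' or 'acceptable' against a work budget.

    A policy is acceptable only if the *expected* guessing time exceeds
    min_expected_seconds at the assumed rate; everything else is weak.
    """
    bits = effective_key_bits(pin_length, alphabet_size, address_known)
    seconds = expected_guess_seconds(bits, guesses_per_second)
    return {
        "pin_length": pin_length,
        "alphabet_size": alphabet_size,
        "address_known": address_known,
        "effective_bits": round(bits, 2),
        "expected_seconds": seconds,
        "verdict": "acceptable" if seconds >= min_expected_seconds else "weak",
    }


def compare_policies(policies) -> list:
    """Assess several (pin_length, alphabet_size) policies in one pass."""
    return [assess_pin_policy(length, alphabet) for length, alphabet in policies]


if __name__ == "__main__":
    # Constructed policy set: the thread's 4-digit case up to a 16-digit PIN.
    for row in compare_policies([(4, 10), (6, 10), (8, 10), (8, 36), (16, 10)]):
        print(f"PIN {row['pin_length']:>2} symbols / alphabet {row['alphabet_size']:>2}: "
              f"{row['effective_bits']:>6} bits, "
              f"expected {row['expected_seconds']:.3g} s -> {row['verdict']}")
```

The `address_known=False` branch exists only to make the contrast explicit: treating the 48-bit address as secret would inflate the figure to about 61 bits, which is exactly the mistaken assumption the posters are arguing against.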
  #26  
Old 07-01-2005, 06:43 PM
johncruise
Theorist
Join Date: Sep 2005
Posts: 275

Quote:
Originally Posted by Jorj Bauer
Quote:
Originally Posted by johncruise
walk 30 feet away from him/her (whatever the range of your BT signal) then you do your thing.
Assuming they're not using a high-gain antenna to sit farther away and get the same signal, of course.
Ahh... but that would only allow that person to "send" data and not receive. His device when using a high gain antenna can reach the other person's BT device BUT the person sending the PIN to his other device would not reach the perpetrator's hacking device. :-)
__________________
John Cruz
  #27  
Old 07-01-2005, 06:58 PM
surur
Mystic
Join Date: Aug 2006
Posts: 1,734

I think you better read this article.

Quote:
1 Kilometer World Record Bluetooth Link?
Posted Jul 30, 2004, 5:59 PM ET by Mike Outmesguine

Bluedriving at extreme range - 1 kilometer file transfer.

The date: Wednesday, July 28th 2004
The time: 12:00 PM PDT
The test: Connect to a low-power Bluetooth cellphone from a distance of 1 kilometer
...
A typical unmodified cell phone can be reached at a distance of one kilometer by using slightly modified equipment on only one side of the link. Imagine the possibilities with modifications on both ends of the link!

The result: Success!
http://bluetooth.weblogsinc.com/entry/2983435022266434/

Note, the cellphone is completely unmodified.

Surur
  #28  
Old 07-01-2005, 08:16 PM
Jorj Bauer
Server Shogun
Join Date: Jul 2002
Posts: 89

Quote:
Originally Posted by johncruise
Quote:
Originally Posted by Jorj Bauer
Quote:
Originally Posted by johncruise
walk 30 feet away from him/her (whatever the range of your BT signal) then you do your thing.
Assuming they're not using a high-gain antenna to sit farther away and get the same signal, of course.
Ahh... but that would only allow that person to "send" data and not receive. His device when using a high gain antenna can reach the other person's BT device BUT the person sending the PIN to his other device would not reach the perpetrator's hacking device. :-)
You're mistaken. Antennas are bidirectional. If what you said were true, satellite dishes would not be able to receive signals from satellites.

I wish that I could give you comforting news about wireless and security, but Surur is right on the mark.
__________________
-- Jorj Bauer
[DejaVu Software, Inc.]
[PhotoBlog]