
Bluetooth Nondiscoverability... Isn't


Janak Parekh
08-12-2003, 10:00 PM
http://www.newscientist.com/news/news.jsp?id=ns99994041

It seems that, finally, people are starting to audit Bluetooth's security, and unsurprisingly, there are some weaknesses in the protocol. In particular, the notion of Bluetooth devices being nondiscoverable seems to be a red herring. A security researcher at @stake has written example code that uses Linux's Bluetooth stack to do a brute-force search of Bluetooth nodes by guessing the device's ID. If a device is then open, data could be accessed.

That said, I find the article a bit sensationalistic. Most BT-enabled devices come with Bluetooth off, and require a passkey for any form of bonding. From a fundamental standpoint, BT's point-to-point connection mechanisms are theoretically more secure than Wi-Fi. Nevertheless, if you have BT, don't just leave it on and unconfigured. ;)

freitasm
08-12-2003, 10:58 PM
If the radio is on, the device will still poll around for other devices (if "Discover other devices" is on). This means the device transmits - and any transmission is visible. Nothing new here.

If the device is in non-discoverable mode, it only means it'll not answer requests for ID.

I went to a seminar about mobility, and for curiosity did a scan with my H3970. Found five mobile phones, but none of them accepted a connection.

I read about RedFang a couple of months ago, and didn't even bother with it, because the only thing it does is reveal the MAC address of any Bluetooth device around it. Nothing more (at least for now).

You can see the source code at http://www.securiteam.com/tools/5JP0I1FAAE.html and will notice that the author forced the MAC address to be in a range.

As you said, you need the owner's authorisation for pairing; then some models will ask for authorisation on every connection attempt, and some will only accept connections from a user-defined list.

I think the company wants to sell services and make the news :?

Anthony Caruana
08-13-2003, 12:42 AM
All that this article really says, IMHO, is that wireless comms, be it BT or WiFi or whatever comes next, are less secure than any wired comms.

Any device that sends data over a wireless connection can eventually, if the hacker has the tools, patience and expertise, be compromised.

BT is no different. The reality is that, in our connected world, the cost of easier, more pervasive connectivity between devices is that there is more scope for security breaches.

iPaqDude
08-13-2003, 03:15 AM
All that this article really says, IMHO, is that wireless comms, be it BT or WiFi or whatever comes next, are less secure than any wired comms.

Any device that sends data over a wireless connection can eventually, if the hacker has the tools, patience and expertise, be compromised.

BT is no different. The reality is that, in our connected world, the cost of easier, more pervasive connectivity between devices is that there is more scope for security breaches.

I totally agree. We have had several audits from key security firms that have lauded our security measures, both wired and wireless. There is no excuse for not taking solid security measures, regardless of the transportation media - and that begins with impressing on each of the device users the importance (and responsibility) of ensuring they take the proper, documented measures.

daS
08-13-2003, 06:30 AM
There's another reason this is not a huge issue: Most Bluetooth devices are designed to give an audible alert when another Bluetooth device attempts to bond with it. Of course, there are exceptions, such as printers, but they are typically designed to be open to anyone anyway.

Besides, most people don't even bother to password protect their portable computers, so Bluetooth is the least of their worries. :roll:

freitasm
08-13-2003, 11:37 AM
Better than Red Fang: BlueSniff http://bluesniff.shmoo.com/

racerx
08-13-2003, 04:15 PM
Where this weakness really comes into play is with Bluetooth LAN Access Points. If one were wide open, you could gain access to the LAN just as you can with a Wi-Fi AP. But again, without the correct pairing code, you could see it but not access it. But since there are only 4 digits to a BT pairing code, at some point someone could crack your code with software like this and enough time.

fyiguy
08-13-2003, 07:05 PM
Nothing is 100% secure. Just like a building, you can secure it with locks, alarms, cameras, etc., but if someone really wants to get in and is skilled enough, they can. The key to security is to make it as difficult as possible for someone to gain illegal entry.

For WiFi the most common method of authentication used is MAC addresses to filter valid or invalid users, but this can be cracked in, say, about 5 minutes using almost any scanning hacker tool that can get the MAC addresses in use, both on the client side as well as on APs. The hacker simply has to run a registry editor to dig through the HKeyLocal folder to the key subfolders; from there they can pick the right driver folder for your WiFi card, spoof a valid MAC address and become an authorized user.

Everyone knows that WEP can already be cracked, but it takes more time. The simplest way for a hacker is to scan for the WEP key over time with constant monitoring, even if 128-bit WEP is used with four rotating keys; there are several tools out there that make it pretty easy. This is due to the fact that APs tell the clients what WEP key is in use and that the clients have to transmit the key. Even using a RADIUS server with LEAP can be cracked, with a simple use of MS Chat to challenge clients for their security credentials, and for some 'stupid' reason the last 2 characters of the password are transmitted unencrypted using LEAP, and a simple dictionary program can brute force its way in. Others think that a VPN will stop all entry, but a simple 'man in the middle' attack with 2 NICs can be done by finding a user utilizing VPN access, disrupting their signal and inviting them to reconnect by spoofing the AP they were connected to. All the traffic then passes through "the man in the middle" to the AP using the WiFi user's access. This takes a few moments to implement, and the "hacker" becomes a secret bridge in the middle of a VPN tunnel.

Basically if there is a will and some skill there is a way...

Sniffers like Iris can reveal a lot about a network and the traffic on it (people are amazed when I demo how insecure their network really is with this utility). So the more steps taken to secure your network the better... Using a utility called Antisniff (which I believe has been discontinued by @stake) will catch less experienced users, but won't be a catch-all, probably due to the fact that switched-network traffic isn't visible on all network segments and Antisniff can't detect systems operating a network card in promiscuous mode on other switched segments; more experienced "hackers" are probably aware of this...

Bluetooth has similar problems, and more hacking utilities will surface as it begins to spread in popularity, but hopefully new standards in securing BT will appear shortly to tighten it up.

Some good ways to help alert you to promiscuous BT devices are to run the TDK BlueAlert program (http://www.tdksystems.com/software/apps/), a PC-only version, and again to shut down your beacon for connectivity and only connect to paired devices. However, RedFang is designed to expose the identification of a Bluetooth device that is configured not to be discoverable. Basically, RedFang discovers the BD_ADDR, which is the 8 byte long ID of the BT device, via a brute force dictionary attack. This would take a good amount of time to perform, but if you know the manufacturer of the device (like a MAC address) it narrows down the number of possibilities to a number of hours. The good thing is that most portable devices aren't usually around or even on for that time period, and the fact that a BT connection "should" require authorization (if it is set up properly) before allowing a connection even if the device ID is known.

If you are interested in BT sniffing and hacking, there are a great number of utilities out there like Epiphan's CEMyNetwork P2P Edition and Arca Technologies' arca|Serialcatcher (for the PC). Combined with arca|Wavecatcher, you can figure out a lot in the BT realm, like a detailed decode of the HCI, L2CAP, RFCOMM, SDP, TCS and OBEX protocols, and generate Bluetooth commands, enabling the user to send and receive data at many different layers in the Bluetooth Protocol Stack as well as simulate the behaviour of several established Bluetooth profiles according to the Bluetooth specification. Some very powerful and relatively expensive tools...

For more info on BT Security head here:

http://www.bluetoothnews.com/features/security.htm

Still, having as many security measures in place as possible does reduce your chance of being hacked, and I highly recommend using as many as possible and RTFM to learn the most you can about your hardware and how it works.

Just FYI...

hollis_f
08-13-2003, 08:28 PM
But since there are only 4 digits to a BT pairing code, at some point someone could crack your code with software like this and enough time.

I don't think that 4 digits is a limit or a necessity. I know the BT on my Nokia 6210 had something like a 10-digit key.