[Full-disclosure] Bluetooth: Theft of Link Keys for Fun and Profit?
milw0rm at gmail.com
Fri Aug 12 19:42:19 BST 2005
Nice work KF.
On 8/12/05, Adam Laurie <adam.laurie at thebunker.net> wrote:
> KF (lists) wrote:
> > Adam Laurie wrote:
> >> Excuse me? You are skipping over the only important bit of your
> >> "disclosure"!
> > When did I claim this was a "disclosure", this was simply some notes
> > that I have jotted down while messing around with bluetooth link keys. I
> > was not "disclosing" and new vulnerabilities, I am simply documenting
> > how things can be done after you have obtained a link key. I have not
> > seen any documentation on this anywhere so I figured I would create it.
> My apologies - I took the posting to "full-disclosure" too literally...
> You are right - background info is also useful for those that are
> starting to get into this (rich) field of research...
> > If I could get some valid non pseudo code to calculate e22 and e21 I
> > would gladly release some of my own. Apart from generic pseudo code I
> > haven't seen any. Maybe you would like to share yours with the rest of us?
> I do not have that code, but I know it exists...
> >> Apart from a $10,000 sniffer?
> > Mine was only $1600, sounds like you got ripped off. =]
> Heh. No, mine cost me $0.00 :)
> >> Please explain - if you're "stealing" a key from a machine you're
> >> running hcid on, then you already own that key anyway, surely?
> > Who said I was stealing it from the machine I am running hcid on?
> > Which would in turn allow a remote attacker to run commands on the
> > machine running hcid.
> > Maybe it would make you feel better if I said I took root on a linux box
> > that I did not own and stole the /etc/blueooth/link_keys file.
> > Or perhaps I stole /var/root/Library/Preferences/blued.plist off an OSX
> > machine.
> > I could have even taken it from \HKLM\SOFTWARE\Widcomm\BtConfig\Devices\
> > on a windows box that I had previously broken into.
> Fair point. Leverage one vulnerability to exploit another, and you have
> a useful attack.
> >> You could try the "bdaddr" tool in the BlueZ package.
> > Good info! Is that documented somewhere or is it like the Ericsson
> > opcode that was mysteriously left out of the documentation?
> AFAIK 'bdaddr -h' and the source are the only docs, but it works with
> all of the dongles I've tried it with (all CSR based). Check with Marcel
> for full capabilities, but I know it supports Ericsson, CSR and Zeevo.
> Once again, my apologies if I came across too critical - I really was
> looking at your post from the wrong angle...
> Adam Laurie Tel: +44 (0) 20 7605 7000
> The Bunker Secure Hosting Ltd. Fax: +44 (0) 20 7605 7099
> Shepherds Building http://www.thebunker.net
> Rockley Road
> London W14 0DA mailto:adam at thebunker.net
> UNITED KINGDOM PGP key on keyservers
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure is hosted and sponsored by Secunia.