Two new tools, BTCrack and Hidattack, were released today (Friday)
at the 23rd Chaos Communication Congress in Berlin. They demonstrate
serious security vulnerabilities in Bluetooth at the protocol level.
BTCrack permits cracking the pairing of two Bluetooth devices.
Hidattack permits remote, external control of a wireless Bluetooth
keyboard, so that it is possible to make keyboard entries on the
connected computer.
BTCrack builds on a Bluetooth vulnerability described by Israeli
researchers Avishai Wool and Yaniv Shaked in 2005. Because of this
vulnerability it is possible to listen in directly on the connection
between two devices linked by short-range radio during pairing and
thus crack the encryption. The connected devices are tricked into
thinking that their counterpart has forgotten the so-called link key,
which is not required for PIN entry. This kicks off a new pairing
process, giving an attacker the opportunity to record the required
data with a Bluetooth sniffer.
Hidattack exploits the HID server (human interface device) installed
with many Bluetooth keyboards. The program, written by Colin Mulliner,
bypasses the PIN request in a similar manner, connects to this little
server and can then pretend to be the keyboard. Zoller described one
possible application of Hidattack: if the keyboard were in a nearby
bank and connected to a terminal that could be watched through a
telescope, it might be possible, for example, to carry out
transactions. In this scenario the terminal could be operated almost
as if you were sitting right in front of it. The only thing missing
would be the mouse.