Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bluetooth Keyboards: Who Owns Your Keystrokes?

Published by峡哀 章 Modified over 7 years ago

Similar presentations

Presentation on theme: "Bluetooth Keyboards: Who Owns Your Keystrokes?"— Presentation transcript:

1 Bluetooth Keyboards: Who Owns Your Keystrokes?
Michael Ossmann ShmooCon 2010

2 I work for the government, but this presentation is based on my own work. Don't blame the government for any of this.

3 Certain commercial equipment, materials, and software are sometimes identified to specify technical aspects of the reported procedures and results. In no case does such identification imply recommendations or endorsement by the U.S. Government, its departments, or its agencies; nor does it imply that the equipment, materials, and software identified are the best available for this purpose.

4 Scope Bluetooth HID profile Mostly keyboards 2003 Bluetooth 1.2 Newer standards unused in keyboards I tested General vulnerabilities

5 Crypto-Gram-0302 Article about importance of authentication

6 “you probably don't want to use Bluetooth for that”

7 Anatomy Power switch Connect button LCD or LED Dongle with connect button Printed BD_ADDR

8

9

10

11

12 The connect button initiates a “virtual cable” between the dongle and keyboard
Virtual cable != pairing

13 The HID Profile USB/HID over Bluetooth Encryption “support” required for keyboards Not required for mice Not required for hosts

14 HID operates over HCI between host (PC) and dongle.
HID operates over the baseband (air) interface between dongle and device (keyboard)

15 Gr-bluetooth for baseband
GNU Radio USRP/USRP2 USB dongles for HCI BlueZ tools I've tried to focus on assessment methods that can be done by good guys with dongles, but we should assume an attacker has a USRP or even better equipment

16 Boot protocol vs. report protocol
Both from USB HID spec Boot protocol used by BIOS

17 Bluetooth HID boot mode
Boot protocol used Optional USB HID emulation hid2hci Sometimes cleartext operation

18 Spectrogram of waveform captured with gr-bluetooth

19 Wireshark bluetooth baseband (btbb) plugin
Included with gr-bluetooth Dissects baseband (air) interface

20 Btaptap Joshua Wright Included with gr-bluetooth Pulls keystrokes from pcap files (either baseband or HCI)

21 Beware boot mode Avoid it completely if you can Test it if you can't

22 Connect to device

23 Connect to host

24 HID Attack By Collin Mulliner xkbd-bthid hidattack BIOS vs. OS Stuff keystrokes over mouse connection Encryption optional

25

26 No link key, no service Test your devices to ensure authentication is required

27 How to get BD_ADDR

28 Kismet-BTSCAN By Mike Kershaw Included with Kismet Active scanning Finds discoverable devices (inquiry)

29 Kismet-Bluetooth Included with gr-bluetooth Passive monitor Requires USRP

30 How to get link key

31 Bthidproxy Man in the middle Plain dongles Sniff without a USRP Can add injection

32

33

34 Got encryption? Test your devices to ensure they initiate encryption

35 Apple keyboard firmware attack
By K. Chen Black Hat USA 2009

36 Extra PSMs (Protocol Service Multiplexers) on Apple Wireless Keyboard
One is used for firmware updates

37 Firmware update sequence

38 Modified firmware Proof of concept hack: changed the “Service Provider”

39 Pairing attacks Wool & Shaked Cracked PIN and link key 4-digit PIN cracked in 63 ms on Pentium IV

40 BTCrack By Thierry Zoller btpincrack By David Hulton Require: Master BD_ADDR Slave BD_ADDR Other parameters exchanged during pairing Assume master initiates pairing Assume slave has variable PIN

41 Exceptions Slave initiates pairing Swap order of arguments Responder has fixed PIN Slave BD_ADDR not observed Shaked & Wool assume it can be observed by forcing re-connection, but this is not always true Observe LAP Discover UAP Determine NAP Educated guess with BNAP BNAP Active role switch attack Try all NAPs

42 My favorite bug (BTCrack)
PIN: 0000 If nobody else found this bug it is probably because people aren't cracking PINs

43

44

45

46 Only pair in Faraday cage

47 “a clear value-added security benefit to Bluetooth keyboards over existing wireless keyboards” - Bluetooth HID Profile I believe this is true, but it isn't saying much.

48 Future: Baseband injection Bluetooth Low Energy

49 Big thanks: Joshua Wright Dominic Spill Mike Kershaw K. Chen

50 Slides, links, code:

51 Bluetooth Keyboards: Who Owns Your Keystrokes?

Download ppt "Bluetooth Keyboards: Who Owns Your Keystrokes?"

Similar presentations

Introduction to Bluetooth®

Introduction to Bluetooth®
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Mohamed Mokdad Ecole d’Ingénieurs de Bienne

Mohamed Mokdad Ecole d’Ingénieurs de Bienne
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless & Network Security Lecture 10:

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless & Network Security Lecture 10:
MIS 5212.001 Week 11 Site:

MIS Week 11 Site:
RFID Review / Bluetooth ENGR 475 – Telecommunications Harding University December 5, 2006 Jonathan White.

RFID Review / Bluetooth ENGR 475 – Telecommunications Harding University December 5, 2006 Jonathan White.
How secure is Darren Adams, Kyle Coble, and Lakshmi Kasoji.

How secure is Darren Adams, Kyle Coble, and Lakshmi Kasoji.
Hacking the Bluetooth Pairing Authentication Process Graduate Operating System Mini Project Siyuan Jiang and Haipeng Cai.

Hacking the Bluetooth Pairing Authentication Process Graduate Operating System Mini Project Siyuan Jiang and Haipeng Cai.
Graduate Operating Systems Mini-Project: Hacking Bluetooth In Linux Alan Joseph J Caceres.

Graduate Operating Systems Mini-Project: Hacking Bluetooth In Linux Alan Joseph J Caceres.
“Security Weakness in Bluetooth” M.Jakobsson, S.Wetzel LNCS 2020, 2001 The introduction of new technology and functionality can provides its users with.

“Security Weakness in Bluetooth” M.Jakobsson, S.Wetzel LNCS 2020, 2001 The introduction of new technology and functionality can provides its users with.
Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.

Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.
Multimedia & Communications ATMEL Bluetooth Background information on Bluetooth technology ATMEL implementation of Bluetooth spec.

Multimedia & Communications ATMEL Bluetooth Background information on Bluetooth technology ATMEL implementation of Bluetooth spec.
INTRODUCTION Bluetooth technology is code name for Personal Area Network (PAN) technology that makes it extremely easy to connect a mobile, computing device.

INTRODUCTION Bluetooth technology is code name for Personal Area Network (PAN) technology that makes it extremely easy to connect a mobile, computing device.
Late September…ToorCon X Bluetooth Device Discovery Bruce Potter Bob Fleck.

Late September…ToorCon X Bluetooth Device Discovery Bruce Potter Bob Fleck.
By Santosh Sam Koshy. Agenda Need for Bluetooth Brief History of Bluetooth Introduction to Bluetooth Bluetooth System Specifications Commercial Bluetooth.

By Santosh Sam Koshy. Agenda Need for Bluetooth Brief History of Bluetooth Introduction to Bluetooth Bluetooth System Specifications Commercial Bluetooth.
DIUF, 20. 03. 2003Seminar in Telecommunications, M. Hayoz The Bluetooth TM wireless technology A brief overview.

DIUF, Seminar in Telecommunications, M. Hayoz The Bluetooth TM wireless technology A brief overview.
Bluetooth Presented by Venkateshwar R Gotur CMPT - 320.

Bluetooth Presented by Venkateshwar R Gotur CMPT
1 C-DAC/Kolkata C-DAC All Rights Reserved www.cdackolkata.in Computer Security.

1 C-DAC/Kolkata C-DAC All Rights Reserved Computer Security.
Wii mote interfacing. The product It is a wireless device, using standard Bluetooth technology to communicate The Wii Remote uses the standard Bluetooth.

Wii mote interfacing. The product It is a wireless device, using standard Bluetooth technology to communicate The Wii Remote uses the standard Bluetooth.
Wireless Networks Instructor: Fatima Naseem Computer Engineering Department, University of Engineering and Technology, Taxila.

Wireless Networks Instructor: Fatima Naseem Computer Engineering Department, University of Engineering and Technology, Taxila.

Similar presentations

Ads by Google