1
Bluetooth Keyboards: Who Owns Your Keystrokes?
Michael Ossmann ShmooCon 2010
2
I work for the government, but this presentation is based on my own work. Don't blame the government for any of this.
3
Certain commercial equipment, materials, and software are sometimes identified to specify technical aspects of the reported procedures and results. In no case does such identification imply recommendations or endorsement by the U.S. Government, its departments, or its agencies; nor does it imply that the equipment, materials, and software identified are the best available for this purpose.
4
Scope
- Bluetooth HID profile, mostly keyboards
- 2003 / Bluetooth 1.2: newer standards are unused in the keyboards I tested
- General vulnerabilities
5
Crypto-Gram 0302 (Bruce Schneier's Crypto-Gram, February 2003): article about the importance of authentication
6
“you probably don't want to use Bluetooth for that”
7
Anatomy
- Power switch
- Connect button
- LCD or LED
- Dongle with connect button
- Printed BD_ADDR
12
The connect button initiates a “virtual cable” between the dongle and the keyboard.
Virtual cable != pairing: the virtual cable is the HID-level association that makes the two reconnect to each other; it says nothing about whether a link key (authentication) was ever established.
13
The HID Profile: USB HID over Bluetooth
- Encryption “support” required for keyboards
- Not required for mice
- Not required for hosts
14
HID operates over HCI between the host (PC) and the dongle, and over the baseband (air) interface between the dongle and the device (keyboard).
15
Tools
- gr-bluetooth for the baseband: GNU Radio with a USRP/USRP2
- USB dongles for HCI: BlueZ tools
I've tried to focus on assessment methods that can be done by good guys with dongles, but we should assume an attacker has a USRP or even better equipment.
16
Boot protocol vs. report protocol
- Both come from the USB HID spec
- Boot protocol is used by the BIOS: a fixed report format (for keyboards, one modifier byte, one reserved byte and up to six key usages) that needs no report descriptor
17
Bluetooth HID boot mode
- Boot protocol used
- Optional USB HID emulation: the dongle presents itself to the PC as a plain USB keyboard/mouse; hid2hci (BlueZ) switches such a dongle back to HCI mode
- Sometimes cleartext operation
18
Spectrogram of waveform captured with gr-bluetooth
19
Wireshark Bluetooth baseband (btbb) plugin: included with gr-bluetooth; dissects the baseband (air) interface
20
btaptap, by Joshua Wright: included with gr-bluetooth; pulls keystrokes from pcap files (either baseband or HCI)
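What a tool like btaptap has to do once the HID interrupt-channel payloads have been pulled out of a capture, as an added example (my own code, not btaptap's and not the talk's): decode boot-protocol keyboard input reports into the typed text. The capture below is constructed, not a real sniff; pcap/L2CAP parsing is left out and the payloads are assumed already extracted. Whether a report ID byte follows the DATA header depends on the device's report descriptor, so both layouts are accepted (assumption). A keyboard sends the full set of currently held keys on every change, so the decoder has to diff against the previous report or a held key would be emitted once per report.

```python
import string

# USB HID usage IDs (keyboard/keypad page) -> (unshifted, shifted) character
USAGE_TO_CHAR = {}
for i, c in enumerate(string.ascii_lowercase):
    USAGE_TO_CHAR[0x04 + i] = (c, c.upper())
for i, (d, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
    USAGE_TO_CHAR[0x1E + i] = (d, s)
USAGE_TO_CHAR.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"),
    0x37: (".", ">"), 0x38: ("/", "?"),
})
SHIFT_MASK = 0x22          # modifier bits: left shift (bit 1) | right shift (bit 5)
HID_DATA_INPUT = 0xA1      # Bluetooth HID transaction header: DATA, Input report


def parse_report(payload):
    """Return (modifiers, held_keys) for one interrupt-channel payload carrying a
    boot-protocol keyboard input report, or None if it is something else
    (mouse report, control traffic, truncated data)."""
    if len(payload) < 9 or payload[0] != HID_DATA_INPUT:
        return None
    body = payload[1:]
    if len(body) == 9:          # report ID present (assumption: ID + 8-byte report)
        body = body[1:]
    if len(body) != 8:
        return None
    modifiers = body[0]         # body[1] is reserved
    keys = [k for k in body[2:8] if k != 0]
    if keys and all(k == 0x01 for k in keys):
        return modifiers, []    # ErrorRollOver phantom state: no key information
    return modifiers, keys


def keystrokes(payloads):
    """Reconstruct typed text from a sequence of interrupt-channel payloads.
    A key counts as a new keystroke only if it was not held in the previous
    report; that handles n-key rollover and duplicated/retransmitted reports."""
    text = []
    held = set()
    for p in payloads:
        parsed = parse_report(p)
        if parsed is None:
            continue
        modifiers, keys = parsed
        shifted = bool(modifiers & SHIFT_MASK)
        for k in keys:
            if k in held:
                continue
            if k in USAGE_TO_CHAR:
                text.append(USAGE_TO_CHAR[k][1 if shifted else 0])
            else:
                text.append("<%02x>" % k)   # unmapped usage (function key, arrow, ...)
        held = set(keys)
    return "".join(text)


def report(mods, *keys, report_id=0x01):
    """Build one constructed keyboard input report payload (DATA header, report ID,
    modifiers, reserved, six usage slots)."""
    usages = list(keys) + [0] * (6 - len(keys))
    return bytes([HID_DATA_INPUT, report_id, mods, 0x00] + usages)


# Constructed capture (not a real sniff): the user types "Hi!", Enter, then "pw-1".
CAPTURE = [
    report(0x02),            # left shift down
    report(0x02, 0x0B),      # h with shift -> 'H'
    report(0x02),            # h up
    report(0x00),            # shift up
    report(0x00, 0x0C),      # 'i'
    report(0x00, 0x0C),      # identical report again (retransmit): must not repeat 'i'
    report(0x00),
    report(0x20, 0x1E),      # right shift + 1 -> '!'
    report(0x00),
    report(0x00, 0x28),      # Enter
    report(0x00),
    report(0x00, 0x13),      # 'p' down
    report(0x00, 0x13, 0x1A),  # 'w' pressed while 'p' still held (rollover)
    report(0x00, 0x1A),      # 'p' released, 'w' still held: nothing new
    report(0x00),
    report(0x00, 0x2D),      # '-'
    report(0x00),
    report(0x00, 0x1E),      # '1'
    report(0x00),
    bytes([0xA1, 0x02, 0x00, 0x05, 0x00]),  # boot mouse report (report ID 2): ignored
]

if __name__ == "__main__":
    print(repr(keystrokes(CAPTURE)))
```

The same decoder works on HCI captures and on baseband captures once the L2CAP payloads are isolated, which is why the slide notes btaptap accepts either; what differs is only the framing above the HID transaction header.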
21
Beware boot mode: avoid it completely if you can; test it if you can't.
22
Connect to device
23
Connect to host
24
HID Attack, by Collin Mulliner
- xkbd-bthid, hidattack
- BIOS vs. OS
- Stuff keystrokes over a mouse connection
- Encryption optional (the HID profile does not require mice to support it)
26
No link key, no service: test your devices to ensure authentication is required.
27
How to get BD_ADDR
28
Kismet-BTSCAN, by Mike Kershaw: included with Kismet; active scanning; finds discoverable devices (inquiry)
29
Kismet-Bluetooth: included with gr-bluetooth; passive monitor; requires a USRP
30
How to get link key
31
bthidproxy: man in the middle with plain dongles; sniff without a USRP; can add injection
34
Got encryption? Test your devices to ensure they initiate encryption
35
Apple keyboard firmware attack, by K. Chen (Black Hat USA 2009)
36
Extra PSMs (Protocol Service Multiplexers) on the Apple Wireless Keyboard; one is used for firmware updates.
37
Firmware update sequence
38
Modified firmware Proof of concept hack: changed the “Service Provider”
39
Pairing attacks: Shaked & Wool cracked the PIN and the link key; a 4-digit PIN was cracked in 63 ms on a Pentium IV.
40
BTCrack, by Thierry Zoller; btpincrack, by David Hulton
Require:
- Master BD_ADDR
- Slave BD_ADDR
- Other parameters exchanged during pairing
Assume the master initiates pairing
Assume the slave has a variable PIN
41
Exceptions
- Slave initiates pairing: swap the order of the arguments
- Responder has a fixed PIN
- Slave BD_ADDR not observed. Shaked & Wool assume it can be observed by forcing a re-connection, but this is not always true. A BD_ADDR is NAP (upper 16 bits), UAP (next 8 bits) and LAP (lower 24 bits); only the LAP is sent in the clear in every packet's sync word, and NAP plus UAP form the manufacturer's OUI. So: observe the LAP, discover the UAP, then determine the NAP by
  - an educated guess with BNAP BNAP
  - an active role switch attack
  - trying all NAPs
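The shape of the offline PIN search behind BTCrack/btpincrack (Shaked & Wool), as an added example that is my own code, not the talk's and not either tool's. The SAFER+-based functions E22, E21 and E1 are replaced by HMAC-SHA256 stand-ins that keep the real functions' interfaces, so this is not a cracker for real captures; what it shows is which sniffed values feed which step, why both BD_ADDRs are needed, and the slide's point that the argument order must be swapped when the slave initiated pairing. Assumptions: the responder's address is the one that augments the PIN in E22 (check the Core spec rule for the fixed-PIN case, which is left out here), the addresses and randomness are constructed, and a single authentication round is sniffed.

```python
import hashlib
import hmac


# Stand-ins for E22, E21 and E1 (assumption: HMAC-SHA256 truncated to 128 bits).
# Substituting the real SAFER+-based functions would make crack_pin() real.
def _prf(label, key, *parts):
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()[:16]


def e22(pin, bd_addr, in_rand):
    """K_init = E22(PIN, BD_ADDR, IN_RAND). Which address augments the PIN is the
    caller's decision: who initiated and who has the fixed PIN determine it."""
    return _prf(b"E22", pin + bd_addr, in_rand)


def e21(lk_rand, bd_addr):
    """Each side's half of the combination key is bound to its own address."""
    return _prf(b"E21", lk_rand, bd_addr)


def e1(link_key, claimant_bd_addr, au_rand):
    """Authentication response; SRES is 32 bits."""
    return _prf(b"E1", link_key, claimant_bd_addr, au_rand)[:4]


def xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def fixed_rng(seed):
    """Deterministic stand-in for the devices' random generators (repeatable demo)."""
    state = [0]

    def rand(n):
        state[0] += 1
        return hashlib.sha256(seed + state[0].to_bytes(4, "big")).digest()[:n]
    return rand


def legacy_pairing(pin, initiator, responder, rand):
    """Honest legacy (pre-SSP) pairing plus one authentication. Returns what a
    passive sniffer sees (everything below is sent in the clear) and the link key."""
    in_rand = rand(16)                                  # initiator -> responder
    k_init = e22(pin, responder, in_rand)               # assumption: responder's address
    lk_rand_i, lk_rand_r = rand(16), rand(16)
    comb_i = xor16(lk_rand_i, k_init)                   # initiator -> responder
    comb_r = xor16(lk_rand_r, k_init)                   # responder -> initiator
    link_key = xor16(e21(lk_rand_i, initiator), e21(lk_rand_r, responder))
    au_rand = rand(16)                                  # initiator challenges responder
    sres = e1(link_key, responder, au_rand)             # responder's answer
    sniffed = dict(in_rand=in_rand, comb_first=comb_i, comb_second=comb_r,
                   au_rand=au_rand, sres=sres)
    return sniffed, link_key


def crack_pin(sniffed, initiator, responder, max_digits=4):
    """Offline search over numeric PINs: every input is either in the sniffed
    exchange or one of the two BD_ADDRs. Returns (pin, link_key) or None."""
    for n in range(1, max_digits + 1):
        for v in range(10 ** n):
            pin = str(v).zfill(n).encode()
            k_init = e22(pin, responder, sniffed["in_rand"])
            lk_rand_i = xor16(sniffed["comb_first"], k_init)    # unmask both halves
            lk_rand_r = xor16(sniffed["comb_second"], k_init)
            key = xor16(e21(lk_rand_i, initiator), e21(lk_rand_r, responder))
            if e1(key, responder, sniffed["au_rand"]) == sniffed["sres"]:
                return pin, key
    return None


# Constructed addresses (not real devices): host dongle is master, keyboard is slave.
MASTER = bytes.fromhex("001122334455")
SLAVE = bytes.fromhex("00aabbccddee")


def demo(pin=b"7391"):
    """The keyboard (slave) initiated pairing. Cracking under the default
    master-initiated assumption fails; swapping the arguments recovers the PIN."""
    sniffed, real_key = legacy_pairing(pin, SLAVE, MASTER, fixed_rng(b"demo"))
    wrong = crack_pin(sniffed, MASTER, SLAVE)
    right = crack_pin(sniffed, SLAVE, MASTER)
    return wrong, right, real_key


if __name__ == "__main__":
    wrong, right, real_key = demo()
    print("master-initiated assumption:", wrong)
    print("slave-initiated assumption:", right[0].decode(), right[1] == real_key)
```

Note that the search recovers the link key along with the PIN, which is the point of the attack: the key, not the PIN, is what decrypts the keystrokes. With the real E functions a 4-digit search is small enough that the 63 ms figure above is unsurprising.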
42
My favorite bug (BTCrack): PIN 0000
If nobody else found this bug it is probably because people aren't cracking PINs.
46
Only pair in Faraday cage
47
“a clear value-added security benefit to Bluetooth keyboards over existing wireless keyboards” - Bluetooth HID Profile I believe this is true, but it isn't saying much.
48
Future: baseband injection; Bluetooth Low Energy
49
Big thanks: Joshua Wright Dominic Spill Mike Kershaw K. Chen
50
Slides, links, code:
51