| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri Aug 12 19:35:33 2005 From: adam.laurie at thebunker.net (Adam Laurie) Subject: Bluetooth: Theft of Link Keys for Fun and Profit? KF (lists) wrote: > Adam Laurie wrote: > >> >> Excuse me? You are skipping over the only important bit of your >> "disclosure"! > > > When did I claim this was a "disclosure", this was simply some notes > that I have jotted down while messing around with bluetooth link keys. I > was not "disclosing" and new vulnerabilities, I am simply documenting > how things can be done after you have obtained a link key. I have not > seen any documentation on this anywhere so I figured I would create it. My apologies - I took the posting to "full-disclosure" too literally... You are right - background info is also useful for those that are starting to get into this (rich) field of research... > If I could get some valid non pseudo code to calculate e22 and e21 I > would gladly release some of my own. Apart from generic pseudo code I > haven't seen any. Maybe you would like to share yours with the rest of us? I do not have that code, but I know it exists... > >> Apart from a $10,000 sniffer? >> > Mine was only $1600, sounds like you got ripped off. =] Heh. No, mine cost me $0.00 :) >> Please explain - if you're "stealing" a key from a machine you're >> running hcid on, then you already own that key anyway, surely? > > > > Who said I was stealing it from the machine I am running hcid on? > > Which would in turn allow a remote attacker to run commands on the > machine running hcid. > > Maybe it would make you feel better if I said I took root on a linux box > that I did not own and stole the /etc/blueooth/link_keys file. > > Or perhaps I stole /var/root/Library/Preferences/blued.plist off an OSX > machine. > > I could have even taken it from \HKLM\SOFTWARE\Widcomm\BtConfig\Devices\ > on a windows box that I had previously broken into. > Fair point. Leverage one vulnerability to exploit another, and you have a useful attack. >> >> >> You could try the "bdaddr" tool in the BlueZ package. >> > Good info! Is that documented somewhere or is it like the Ericsson > opcode that was mysteriously left out of the documentation? AFAIK 'bdaddr -h' and the source are the only docs, but it works with all of the dongles I've tried it with (all CSR based). Check with Marcel for full capabilities, but I know it supports Ericsson, CSR and Zeevo. Once again, my apologies if I came across too critical - I really was looking at your post from the wrong angle... cheers, Adam -- Adam Laurie Tel: +44 (0) 20 7605 7000 The Bunker Secure Hosting Ltd. Fax: +44 (0) 20 7605 7099 Shepherds Building http://www.thebunker.net Rockley Road London W14 0DA mailto:adam@...bunker.net UNITED KINGDOM PGP key on keyservers
Powered by blists - more mailing lists