lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <814b9d50508121142398c8a42@mail.gmail.com>
Date: Fri Aug 12 20:22:45 2005
From: milw0rm at gmail.com (milw0rm Inc.)
Subject: Bluetooth: Theft of Link Keys for Fun and
	Profit?

Nice work KF.

/str0ke

On 8/12/05, Adam Laurie <adam.laurie@...bunker.net> wrote:
> KF (lists) wrote:
> > Adam Laurie wrote:
> >
> >>
> >> Excuse me? You are skipping over the only important bit of your
> >> "disclosure"!
> >
> >
> > When did I claim this was a "disclosure", this was simply some notes
> > that I have jotted down while messing around with bluetooth link keys. I
> > was not "disclosing" and new vulnerabilities, I am simply documenting
> > how things can be done after you have obtained a link key. I have not
> > seen any documentation on this anywhere so I figured I would create it.
> 
> My apologies - I took the posting to "full-disclosure" too literally...
> You are right - background info is also useful for those that are
> starting to get into this (rich) field of research...
> 
> > If I could get  some valid non pseudo code to calculate e22 and e21 I
> > would gladly release some of my own.  Apart from generic pseudo code I
> > haven't seen any. Maybe you would like to share yours with the rest of us?
> 
> I do not have that code, but I know it exists...
> 
> >
> >> Apart from a $10,000 sniffer?
> >>
> > Mine was only $1600, sounds like you got ripped off. =]
> 
> Heh. No, mine cost me $0.00 :)
> 
> >> Please explain - if you're "stealing" a key from a machine you're
> >> running hcid on, then you already own that key anyway, surely?
> >
> >
> >
> > Who said I was stealing it from the machine I am running hcid on?
> >
> > Which would in turn allow a remote attacker to run commands on the
> > machine running hcid.
> >
> > Maybe it would make you feel better if I said I took root on a linux box
> > that I did not own and stole the /etc/blueooth/link_keys file.
> >
> > Or perhaps I stole /var/root/Library/Preferences/blued.plist off an OSX
> > machine.
> >
> > I could have even taken it from \HKLM\SOFTWARE\Widcomm\BtConfig\Devices\
> > on a windows box that I had previously broken into.
> >
> 
> Fair point. Leverage one vulnerability to exploit another, and you have
> a useful attack.
> 
> >>
> >>
> >> You could try the "bdaddr" tool in the BlueZ package.
> >>
> > Good info! Is that documented somewhere or is it like the Ericsson
> > opcode that was mysteriously left out of the documentation?
> 
> AFAIK 'bdaddr -h' and the source are the only docs, but it works with
> all of the dongles I've tried it with (all CSR based). Check with Marcel
> for full capabilities, but I know it supports Ericsson, CSR and Zeevo.
> 
> Once again, my apologies if I came across too critical - I really was
> looking at your post from the wrong angle...
> 
> cheers,
> Adam
> --
> Adam Laurie                         Tel: +44 (0) 20 7605 7000
> The Bunker Secure Hosting Ltd.      Fax: +44 (0) 20 7605 7099
> Shepherds Building                  http://www.thebunker.net
> Rockley Road
> London W14 0DA                      mailto:adam@...bunker.net
> UNITED KINGDOM                      PGP key on keyservers
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ