You can passively decrypt the traffic between the two devices, or connect to the Slave device pretending to be the Master and have full access, or the other way round: connect to the Master pretending to be one of the Slaves and have full access. Even better, you could just pair with a Bluetooth-capable machine and have a remote encrypted stealth channel to that machine!
Introduction

BTCrack is the world's first Bluetooth pass phrase (PIN) bruteforce tool. BTCrack will bruteforce the Passkey and the Link key from captured pairing* exchanges.

To capture the pairing data it is necessary to have a professional Bluetooth analyzer: FTE (BPA 100, BPA 105, others), Merlin, OR to know how to flash a CSR based consumer USB dongle with special firmware.

Example of an attack scenario :

1. Attacker reconstructs the BD_ADDR of both Master and Slave through passive means (reconstructing it from a preamble sniff, even when the device is in hidden mode) or active means (redfang).
2. Attacker changes his BD_ADDR to the one of the Slave device.
3. Attacker asks to pair with the Master, indicating it has no key; more often than not the Master will trash the old pairing data and request a new link key from the genuine Slave.
4. Attacker now captures the key (pairing) exchange taking place between the two devices as the users try to re-establish a connection.
5. Attacker exports the data to CSV format and imports it into BTCrack.
6. Attacker can now compromise the Master and Slave Bluetooth devices through usage of the cracked Link key and is able to decrypt the data transmitted between the Bluetooth devices.

Why the PIN is not so important

An attacker will focus on recovering the Link key and not the PIN. Here's why:

[+] The Link key allows remote connections without the victim noticing.
[+] The Link key allows an attacker to connect to devices in non-pairing mode and non-discoverable mode.
[+] The Link key allows decryption of the data.

History :

Ollie Whitehouse - 2003: Presented theoretical weaknesses in the implementation of the pairing exchange.
Shaked and Wool - 2005: Presented their logic to break pairing exchanges and implemented it in private.
Thierry Zoller - 2006: First public release of a complete optimized implementation of the Shaked and Wool logic. Optimisation done by Erik Sesterhenn.
David Hulton / Thierry Zoller - 2007: World's first FPGA based implementation.

Screenshots :

Speed Comparison :

P4 2GHz - Dual Core     200.000 keys/sec
FPGA E12 @ 50MHz      7.600.000 keys/sec
FPGA E12 @ 75MHz     10.000.000 keys/sec
FPGA E14             30.000.000 keys/sec

Known issues :

[+] Frontline 6.0 mixes Master & Slave addresses

Changes :

1.0 First release
1.1 Intermediate release: E12 + E14 FPGA support ( ), splash screen, process priority, speed increase (+15%)

Downloads :

Download BTCrack
Heisec 2007 - Scheunentor Bluetooth
23C3 - Bluetooth Hacking revisited - All your Bluetooth is belong to us
Heisec 2007 Scheunentor Bluetooth Zoller
BTCrack: A Bluetooth Pass Phrase Bruteforcer