Tom's Guide Forums
 Thread : how secure is Bluetooth encryption?
 

Archived from groups: alt.cellular.bluetooth

 

I just bought a keyboard which uses Bluetooth, and is protected by a
passphrase. How strong is Bluetooth encryption? Is it public key based
or symmetric? WiFi WEP encryption we all know about, is there anything
similar to Airsnort for Bluetooth (taking the devil's advocate point
of view)?


 

omni@zmaxdap.com.spam wrote:
> I just bought a keyboard which uses Bluetooth, and is protected by a
> passphrase. How strong is Bluetooth encryption? Is it public key based
> or symmetric? WiFi WEP encryption we all know about, is there anything
> similar to Airsnort for Bluetooth (taking the devil's advocate point
> of view)?

BT encryption is secret key-based. BT encryption by itself is considered
secure. There are no severe attacks known on the BT encryption algorithm
E0. There are, however, unfortunate degrees of freedom in the
implementation of the BT security spec, e.g.:

1.
BT encryption has a key size which is determined at connection
establishment. In theory, 8 ... 128 bit are possible. Each device
enforces a minimum and a maximum key size, which are hard-coded, and may
vary between 8 and 128 bit. When 2 devices set up an encrypted
communication, they agree on the biggest commonly supported key size.

However, in the end you never know which key size applies to your actual
connection. There is no (vendor-independent) API specified that allows
you to check the actual BT connection key size. There are many devices
around which have a maximum key size of 56 bit. And I wouldn't
necessarily trust the vendors' statements about their minimum enforced
key size...


2.
There are several ways specified to optionally short-cut the regular BT
pairing and authentication to an easier, but less secure mode. Whether
they are possible depends on the configuration of your device.


Unfortunately, several recent BT devices (i.e. mobile phones) have
severe implementation errors in the security part of BT.

There are no tools around like Airsnort for BT. With all current devices
it is impossible to set them into a 'monitor mode' or 'promiscuous mode'
like with WLAN devices. Given the frequency hopping modulation scheme,
it is clearly more difficult (or impossible?) by theory to put a regular
BT device in such a mode.

All in all, it depends a lot on the careful interpretation and
implementation of the BT security specification by the device
manufacturer(s) whether your devices may communicate securely. No question
that you should apply the commonly known password selection precautions
when choosing the pairing password. For instance, with alphanumeric
characters (upper and lower case, figures), you should at least employ
13 digits.


Hoping this helps a little,

Michael


--
Michael Schmidt
University of Siegen, Germany
http://www.dcs.uni-siegen.de
e-mail: schmidt _at_ nue.et-inf.uni-siegen.de


 

AFAIK BlueTooth does not encrypt the data passing between devices, but it
does heavily encrypt the frequency channel sequence the device uses to pass
the data. BT uses a very rapid frequency hop system, and the sequence used
is part of the encrypted set-up/pairing, but unless you capture the pairing
sequence you have no hope of capturing the data.

But b4 you say - wait outside and capture all of the data from the BT
device, remember BT has a maximum range of 5-20 metres, and this is
massively reduced by walls, stopped by sheet metal, and because BT uses
power control - it only transmits with enough power for the receiver to
capture, so what are you expecting to happen?

At that distance from your Keyboard it's possible to capture keystrokes
visually.......

> I just bought a keyboard which uses Bluetooth, and is protected by a
> passphrase. How strong is Bluetooth encryption? Is it public key based
> or symmetric? WiFi WEP encryption we all know about, is there anything
> similar to Airsnort for Bluetooth (taking the devil's advocate point
> of view)?


 

Sheppy wrote:
> AFAIK BlueTooth does not encrypt the data passing between devices, but it
> does heavily encrypt the frequency channel sequence the device uses to pass
> the data. BT uses a very rapid frequency hop system, and the sequence used
> is part of the encrypted set-up/pairing, but unless you capture the pairing
> sequence you have no hope of capturing the data.

WRONG - see my other posting. BT does not "encrypt the frequency channel
sequence". You are right that the frequency hopping sequence is strictly
coupled to the initialization vector of the encryption key.


> But b4 you say - wait outside and capture all of the data from the BT
> device, remember BT has a maximum range of 5-20 metres, and this is
> massively reduced by walls, stopped by sheet metal, and because BT uses
> power control - it only transmits with enough power for the receiver to
> capture, so what are you expecting to happen?
>
> At that distance from your Keyboard it's possible to capture keystrokes
> visually.......

With proper antennas, BT attacks are possible to a range of more than 1
km, see http://trifinite.org/trifinite_stuff_bluebug.html#news


Michael

--
Michael Schmidt
University of Siegen, Germany
http://www.dcs.uni-siegen.de
e-mail: schmidt _at_ nue.et-inf.uni-siegen.de

