Back in 2004, I presented some research at CanSecWest entitled “Bluetooth Security: Toothless?” One of the items I covered in this presentation was the ability to recover link keys over the air. My research was missing a key feature, which was how to force a re-pair between two devices in order to be able to observe the new pairing to be able to get the required data. Fast-forward to June, 2005, and Yaniv Shaked and Avishai Wool improved the attack in many aspects and released the paper “Cracking the Bluetooth PIN,” including many novel aspects. Well, it’s now 2006 and Thierry Zoller has just given an interesting presentation at the hack.lu conference (with input from Kevin Finisterre) entitled “All your Bluetooth is belong to us.” In this presentation (apart from some cool zero-days) they demonstrate “BTCrack,” which is their implementation of the PIN/Linkkey recover attack. Using this, they can recover a four-digit PIN in just 0.25 seconds.
With the ability to get the linkkey and if you can then forge your bdaddr, you can abuse an existing pairing between two devices in order to get access. So, here are some simple steps for us to try and mitigate this attack:
1) Pair your devices in a secure place.
2) Use long PIN numbers where possible.
3) If you suddenly find that you have to re-pair devices for reasons that aren’t apparent, be suspicious, and if possible return to step 1.
As I’ve previously mentioned, let’s all hope that Wireless USB isn’t a repeat of Bluetooth—for my sanity, if no one else’s.