CellMoz.com Forum Index
 

Red Fang

 
Kim Hyldgaard



Joined: 25 Jul 2007
Posts: 3

Posted: Wed Aug 13, 2003 11:41 am    Post subject: Red Fang

Hi,

I recently came across the following article:
http://www.newscientist.com/news/news.jsp?id=ns99994041

This article states a concern towards the security of Bluetooth.
The claim is that a sw tool called Red Fang can connect to a Bluetooth
device and steal data - even though the device is in the non-discoverable
mode.

The source code for Red Fang is available here:
http://www.securiteam.com/tools/5JP0I1FAAE.html

- But I don't get it...
The tool is brute forcing the address space of 6 bytes, only to request the
name of the remote device?
Most pin-codes used in phones for Bluetooth have only 4 digits giving only
10.000 pin codes - one should think that this was easier brute-forced...!
In general: If the door is already open, why bother breaking a window to
climb in...?

Furthermore: The sw needs to be using all 79 channels of Bluetooth in order
to succeed. And even more: To be able to actually connect to the remote
device, you have to use the correct link key.

So, if someone can explain to me the remarkable part of this Red Fang, I'd
like to know.

Kind regards
Kim

Archived from group: alt>cellular>bluetooth
Mauricio Freitas



Joined: 25 Jul 2007
Posts: 99

Posted: Thu Aug 14, 2003 12:13 am    Post subject: Re: Red Fang

I read about Red Fang a couple of months ago.

It uses brute force from a specific known address and the objective is to
show that even when the device is not in discoverable mode other devices can
still recognise its presence and id it.

That's all it does.


--
Mauricio Freitas
Handhelds, mobile: http://www.geekzone.co.nz or
http://www.bluetoothguide.com
Bluetooth guides: http://www.geekzone.co.nz/content.asp?contentid=449
Kim Hyldgaard



Joined: 25 Jul 2007
Posts: 3

Posted: Thu Aug 14, 2003 12:28 pm    Post subject: Re: Red Fang

Hi Mauricio,

Thanks for the information.
Interesting to see the presentation from the Shmoo group. I noted two
specific points:
BT security is better than 802.11 and most attacks on BT were conducted
through bad sw and poor defaults.

- With this presented at a conference, my first thought was "...and they
cannot come up with anything more than this...?"

/Kim

"Mauricio Freitas" wrote in message$si3$1@si05.rsvl.unisys.com...
> Have a look on BlueSniff
> http://www.geekzone.co.nz/content.asp?contentid=1272
>
>
> --
> Mauricio Freitas
> mobility, wireless, handhelds: http://www.geekzone.co.nz or
> http://www.bluetoothguide.com
Mauricio Freitas



Joined: 25 Jul 2007
Posts: 99

Posted: Thu Aug 14, 2003 2:38 pm    Post subject: Re: Red Fang

Have a look on BlueSniff
http://www.geekzone.co.nz/content.asp?contentid=1272


--
Mauricio Freitas
mobility, wireless, handhelds: http://www.geekzone.co.nz or
http://www.bluetoothguide.com
All times are GMT