March 3, 2007

And now, cracking Bluetooth PIN on FPGA

Months ago, I had a post on my blog (the site is down for some reason; try the Google cache) about FPGA technology and how it is used by both the good guys and the bad guys to own your passwords. As that post is no longer available and I have no local copy, I'll write a very short summary again.

After a few paragraphs about the merits of FPGA and ASIC technology, I explained how and why widely used cipher algorithms are implemented on them. I used OpenCiphers as a sample of the software side, and various FPGA boards from Pico Computing as the hardware side of the scenario. As always, some real-world samples were needed, so I wrote about the FPGA implementation of LM/NTLM released by OpenCiphers, followed by pico-WEPcrack, a working FPGA-based WEP cracker. Finally I closed the post with a comparison between FPGA-based and PC-based cracking and its shocking results, based on my own experience and the results provided on the OpenCiphers page.

Now I'm back to that old topic to share more interesting news. While reading about the speakers at the upcoming ShmooCon, a talk named "Hacking the Airwaves with FPGAs" caught my eye. Yes, it was about real FPGA work that I had already been aware of. At first glance it didn't look as interesting as it should have, but there was something brand new in that talk: Bluetooth. Those few lines were enough to remind me of the previous excellent releases from OpenCiphers, so I revisited their site and, guess what? They had two new finished projects ready for FPGA fans: WPA and Bluetooth PIN cracking.
The WPA case was not so interesting for me, as I would keep that technique for a last try. I'm sure you know how to extract WPA keys from the air with packet injection in a few minutes, and as there are many resources on that out there, I'm not going to make a clone, so keep reading. Anyway, if you're too excited about cracking WPA on FPGA, I can redirect you to the latest versions of coWPAtty.

OpenCiphers' Bluetooth PIN cracker, however, looks great again. If you've been an active member of the community you already know about 23C3, and if you've missed that talk I must say that you really should not check it anymore, because you do NOT deserve it.
The talk covered the latest attacks against Bluetooth technology: how to capture Bluetooth traffic, extract the PIN from the dumped captures and finally crack the PIN using offline attacks, for later use in a targeted attack against the victim's Bluetooth device. All of this became possible because of implementation bugs, which are very common among Bluetooth vendors. Of course some tools are required for that, so BTcrack was released along with the talk. A detailed how-to was also provided, but I prefer to withhold it. If you're the kind of person who should know this, then you probably know where to look for that how-to ;)

Hey, we've lost the subject! I was talking about cracking speed...
If you've checked the presentation, you'll have seen that BTcrack's top speed is around 185,000 keys per second. That means cracking a 4-_digit_ PIN in less than a second, and about 20 minutes of brute-forcing for a 6-_digit_ PIN. Note that I'm saying 4-digit keys. Although digits are the only option in many cases (like mobile phones), a PIN is NOT limited to digits, so the above results may not be useful in a real-world attack if the victim uses a PIN consisting of digits and letters, and the victim is not going to wait around all day for you to crack his PIN.
Here the magical speed of FPGA implementations comes in handy, and is once again shocking to unfamiliar eyes. OpenCiphers' implementation of the PIN cracker, based on a single Pico FPGA board, has raised that speed to 10 million keys per second!
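As an added illustration, not code from the post, BTcrack or OpenCiphers: the following uses the two rates quoted above to show how long a PIN of a given length and alphabet survives exhaustive search, and the shortest PIN that outlasts a chosen time budget. The alphabets and the one-day budget are my assumptions.

```python
# Added example (not from the post, BTcrack or OpenCiphers): how long a
# Bluetooth PIN survives exhaustive search at the two rates the post quotes.
BTCRACK_RATE = 185_000      # keys/s, BTcrack on a PC (figure from the post)
FPGA_RATE = 10_000_000      # keys/s, OpenCiphers on one Pico FPGA board (from the post)

# Assumed alphabets an attacker has to cover. A Bluetooth PIN may be up to
# 16 octets, so length, not just the alphabet, is the defender's lever.
CHARSETS = {"digits": 10, "digits+lowercase": 36, "digits+mixed-case": 62}

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate PINs of exactly `length` symbols."""
    return charset_size ** length

def worst_case_seconds(charset_size: int, length: int, rate: int) -> float:
    """Seconds to exhaust the whole keyspace at `rate` keys per second."""
    return keyspace(charset_size, length) / rate

def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.2f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / 86400:.1f} days"

def min_length_surviving(charset_size: int, rate: int, budget_s: int) -> int:
    """Shortest PIN length whose keyspace takes at least `budget_s` seconds
    to exhaust at `rate` keys/s (integer arithmetic, so no float rounding)."""
    length = 1
    while keyspace(charset_size, length) < rate * budget_s:
        length += 1
    return length

def exposure_table(rate: int, max_len: int = 8) -> list:
    """(alphabet, length, worst-case time) for each alphabet, lengths 4..max_len."""
    return [(name, n, human(worst_case_seconds(size, n, rate)))
            for name, size in CHARSETS.items() for n in range(4, max_len + 1)]

if __name__ == "__main__":
    for rate in (BTCRACK_RATE, FPGA_RATE):
        print(f"--- {rate:,} keys/s ---")
        for name, n, t in exposure_table(rate):
            print(f"  {name:18} length {n}: {t}")
        for name, size in CHARSETS.items():
            print(f"  {name:18} needs {min_length_surviving(size, rate, 86400)} symbols to last a day")
```

Running it shows that at 10 million keys per second a digit-only PIN needs 12 digits to keep a full search above one day, while a mixed-case alphanumeric PIN needs only 7 symbols.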

Now imagine one of those portable FPGA solutions attached to your laptop, ready to own any target in a matter of seconds, no matter how smart s/he is in choosing the PIN ;)
