Months ago , I had a
post in Neominds.org blog ( site is now down for some reasons. try google cache ) about FPGA technology and how it's being used by both good/bad guys to own your passwords. As that post is not available now and I've no local copy I'll write a very short brief again.
After few paragraphs about goodness of
FPGA &
ASIC technology, I explained how and why widely used cipher algorithms are implemented on these technologies. I used
OpenCiphers as a sample for software part, and random FPGA boards of
PicoComputing as hardware part of scenario. As always some real-world samples was needed, so I posted about FPGA implementation of
LM/NTLM released by OpenCiphers, followed by introducing
pico-WEPcrack as a working FPGA based WEP cracker. Finally I finished the post with a comparison between FPGA based and PC based of cracking and shocking results, based on my own experiences and provided results in OpenCiphers page.
Now, I'm back to that old topic again, to share more interesting news.While reading about
speakers of upcoming ShmooCon, a talk named " Hacking the Airwaves with FPGAs" catched my eyes. Yes it was about some real FPGA work which I've been aware of. At first glance it didn't look much interesting as it should, but hey there were some brand news in that talk : Bluetooth. those few lines were enough for me to recall previous excellent releases of OpenCiphers. So I revisited their site and, guess what ? They had two new finished projects, ready for FPGA fans. these additions were for
WPA and
Bluetooth PIN cracking.
WPA case was not so interesting for me, as I choose this technique for last try. I'm sure you know how to extract WPA keys out of air by packet-injection in few minutes and as there are many resources for this out there, I'm not going to make a clone ! so keep reading. anyway if you're too much excited in cracking WPA on FPGA, I can redirect you to latest versions of
coWPAtty .
OpenCiphers Bluetooth PIN however, looks great again. If you've been an active member of community you already know about 23C3 , and if you've already missed
this talk I must say that you really should not check it anymore, because you do NOT deserve
it.
The talk provided information on latest attacks against Bluetooth technology, and how to capture Bluetooth traffic, extract PIN out of dumped captures and finally crack the PIN using offline attacks , for later use in a targeted attack against victim's bluetooth device. And these all become possible because of some implementation bugs, which is very common in most of bluetooth related vendors. Of course some tools are required for that, so
BTcrack was released among the talk. Detailed how-to was also provided, but I prefer to withheld it. If you're kind of person who should know this, then you probably know where to look for this how-to ;)
Hey we lost the subject ! I was talking about cracking speed...
As you've checked presentation, you'll see that BTcrack's top speed is something around 185.000 keys per second. it means cracking a 4 _digit_ PIN in less than second , and about 20 minutes of brute-forcing for a 6 _digit_ long PIN. Note that I'm saying 4 digit keys. Although digits are the only options for many cases ( like mobile phones) but a PIN is NOT limited to digits. so above results may not be useful in a real-world attack, if victim use a PIN consisted of digits and alphabets. and victim will not going to wait for you whole of the day, to crack his PIN.
Here the magical speed of FPGA implementations comes handy , and once aging shocking for unfamiliar eyes. OpenCipher's implementation of
PIN-crack, based on a single Pico's FPGA board have increased that speed to 10 millions keys per second !
Now imagine one of those portable FPGA solutions, attached to your laptop, ready to own any target in matter of seconds, no matter how smart s/he is in choosing the PIN ;)