bluetooth keyboard not encrypted

Bug #182191 reported by Eric Anopolsky
Affects | Status | Importance | Assigned to | Milestone
bluez (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: bluez-utils

I bought a Microsoft Wireless Desktop Elite for Bluetooth set consisting of a USB bluetooth dongle, a bluetooth keyboard, and a bluetooth mouse. They connected to my Ubuntu Gutsy laptop, but the keyboard is not bonded to the laptop! I know the device is not bonded because the file /var/lib/bluetooth/ADAPTER_ADDR/linkkeys does not exist.

In order to fix this bug, bonding must occur when connecting a bluetooth keyboard to a PC. If bonding fails, bluez should allow the keyboard to work in unencrypted mode but MUST warn the user that the keyboard is broadcasting the user's unencrypted keystrokes (including passwords) to anyone listening.

I have marked this bug as a security vulnerability in addition to being a regular bug since it results in login and other passwords being broadcast.

Bob Rossana (rjrossana) wrote :

I am also having problems with the same keyboard on a desktop box. In my case, I am unable to get it connected for more than a few seconds. Once I pair it, the keyboard appears to have connected properly but will disconnect in a short time.

Mario Limonciello (superm1) wrote :

The 4.x stack that just entered intrepid supports encryption on the connection:
bluez (4.12-0ubuntu1) intrepid; urgency=low

  * Initial Release. (LP: #274950)
    - This package replaces bluez-utils and bluez-libs source packages.
    - It was generated by merging the contents of bluez-utils and bluez-libs
      and updating content.
    - Legacy functionality for hidd, dund, and pand are not present, and
      have been removed from all configuration files.
  * This release introduces encryption (LP: #182191)
  * debian/patches:
    - bluez-utils-oui-usage.patch was borrowed from the Fedora 10 packaging.
    - sco-connect-git.patch was taken from bluez git shortly after 4.12 release.
      It should "help" with some sco headset issues.
  * debian/control:
    - Update different packages per upstream's recommendations.
    - Update conflicts/replaces for earlier packages.
    - Add a transitional bluez-utils package to help with the transition.

 -- Mario Limonciello < <email address hidden>> Tue, 07 Oct 2008 12:10:29 -0500

Changed in bluez-utils:
status: New → Fix Released
This report contains Public Security information  