Interesting Bluetooth experiment

Earlier on, I paired my Bluetooth keyboard to both the Android and Windows sides of my dual-boot setup. It is a hassle to keep re-pairing the keyboard whenever I switch OSes. This was done by pairing it with Android and extracting the link key, which is a 128-bit (16-byte) binary value, and then replacing the link key stored by Windows with it. Of course, there are some other steps, such as escalating privileges to edit the protected registry key and reversing the byte order since Windows stores it little-endian, but I won't bore you with the details.

Basically, how pairing works is that a link key is generated and stored on both the keyboard and the host when the first pairing happens. The key bonds the keyboard to that host, and a second host cannot connect because it does not hold the same link key. When a keyboard that stores only a single bond is re-paired with a second host, a new link key is generated and overwrites the old one on the keyboard, so it loses the pairing to the first host.
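As an added illustration (not the post's own code or procedure), here is a small Python script that performs the link-key transplant described in the two paragraphs above: it reads a bt_config.conf-style file of the kind Android keeps its bonds in, byte-reverses each 16-byte key as the post says Windows expects, and writes a .reg file for the Windows side. The sample config, its key and both MAC addresses are constructed for this example; the registry path under BTHPORT\Parameters\Keys is where Windows stores bonds, while the byte reversal is taken from the post rather than verified here.

```python
import re

# Constructed sample for this example (not a real key): an excerpt in the layout of
# Android's /data/misc/bluedroid/bt_config.conf, with one bonded keyboard.
SAMPLE_BT_CONFIG = """\
[Adapter]
Address = AA:BB:CC:DD:EE:01

[11:22:33:44:55:66]
Name = My Keyboard
LinkKey = 0123456789ABCDEF0123456789ABCDEF
LinkKeyType = 4
"""

MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
SECTION_RE = re.compile(r"^\[(%s)\]$" % MAC)
ADDRESS_RE = re.compile(r"^Address\s*=\s*(%s)$" % MAC)
# "LinkKey =" only; the neighbouring "LinkKeyType =" line must not match.
LINKKEY_RE = re.compile(r"^LinkKey\s*=\s*([0-9A-Fa-f]{32})$")


def parse_bt_config(text):
    """Return (adapter_mac, {device_mac: 16-byte link key}) from bt_config.conf-style text.

    Only the fields this example needs are parsed; everything else is ignored.
    """
    adapter_mac = None
    keys = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = SECTION_RE.match(line)
            # Non-address sections such as [Adapter] keep their literal name.
            section = m.group(1).upper() if m else line
            continue
        if section == "[Adapter]":
            m = ADDRESS_RE.match(line)
            if m:
                adapter_mac = m.group(1).upper()
        elif section is not None:
            m = LINKKEY_RE.match(line)
            if m:
                keys[section] = bytes.fromhex(m.group(1))
    return adapter_mac, keys


def to_windows_order(link_key):
    """Reverse the 16 key bytes.

    Assumption (taken from the post, not independently verified here): Windows
    keeps the registry value in the opposite byte order from the Android file.
    """
    if len(link_key) != 16:
        raise ValueError("a Bluetooth link key is exactly 16 bytes")
    return link_key[::-1]


def mac_to_reg_name(mac):
    """'AA:BB:CC:DD:EE:01' -> 'aabbccddee01', the form used under BTHPORT\\Parameters\\Keys."""
    return mac.replace(":", "").lower()


def build_reg_file(adapter_mac, keys):
    """Render a .reg file writing each link key as REG_BINARY under the adapter's Keys subkey."""
    path = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT"
            r"\Parameters\Keys\%s" % mac_to_reg_name(adapter_mac))
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % path]
    for device_mac, key in sorted(keys.items()):
        hexbytes = ",".join("%02x" % b for b in to_windows_order(key))
        lines.append('"%s"=hex:%s' % (mac_to_reg_name(device_mac), hexbytes))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    adapter, bonds = parse_bt_config(SAMPLE_BT_CONFIG)
    print(build_reg_file(adapter, bonds))
```

The Keys subkey is not writable by ordinary Administrators, which is the privilege-escalation step the post alludes to: the generated file has to be imported as SYSTEM (for example by launching regedit through psexec with the -s switch), and the adapter address in the path must be the one Windows itself uses for the adapter, or the value will simply be ignored.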

Anyway, this got me thinking that if I had done it on another computer, one keyboard would be paired to both computers at the same time, which would result in some pretty interesting phenomena. The same thing can be done with a mouse, and it can be used to pull a prank. But the hacker in me came up with something more malicious. What if one of the computers was actually a board that sniffs the pairing and then logs all the keystrokes? A passive sniffer transmits nothing, so neither the keyboard nor the host would notice it, and after pairing it only sees encrypted packets that it cannot decrypt without the link key. The catch is that the link key itself is never sent over the air. With legacy PIN-based pairing it is derived from the PIN plus values exchanged in the clear, so a sniffer that captures the pairing exchange can brute-force a short PIN offline and recover the key; with Secure Simple Pairing (Bluetooth 2.1 and later) the key comes from an ECDH exchange, so a purely passive capture is not enough. Either way the attack window is pretty slim, since the key material is only exchanged once, when pairing occurs; subsequent reconnections are encrypted and cannot be deciphered without the link key.

Next time I pair a Bluetooth device, I will make sure to look 10 m around me for any suspicious devices.