Re: Bluetooth Advice

[James Philput <jamesphilput () gmail com>]

Thanks Matt!  Your information will help me a lot.  I may try the USRP route
since I don't think my company will shell out the cash for the commercial
sniffer..

Regards,
James

On Wed, Sep 22, 2010 at 3:43 PM, Matt Neely <matt-lists () matthewneely com>wrote:

> James,
>
> Sniffing Bluetooth is a lot harder then sniffing 802.11. This is because
> of the frequency hopping Bluetooth uses and the lack of a monitor or
> promiscuous mode in consumer Bluetooth hardware. To capture traffic I'm
> aware of a couple of options.
>
> 1) Purchase a commercial Bluetooth sniffer
> (http://www.fte.com/products/fts4bt.aspx). Cost around 10K.
> 2) Flash a commercial firmware onto consumer dongle. This would be
> illegal so I'll leave this for you to research on your own.
> 3) Use a USRP1 or USRP2 to capture the traffic. The USRP1 doesn't have
> the bandwidth to capture the entire Bluetooth spectrum but there is some
> tricky you can do to make it sort of work. The USPR2 has more bandwidth
> so can capture the entire Bluetooth spectrum with fewer units. Here's a
> presentation on the topic
> www.ossmann.com/shmoo-09/ossmann-spill-shmoo-2009.pdf.
>
> Even if you can't capture the traffic you still do some analysis on how
> secure the transmissions are. The main area I would look at is how the
> device is handling encryption. IF Bluetooth's native encryption is
> enabled three variables are used to setup the encryption key. The
> encryption key is formed by combining the DBAddr (MAC Address) of the
> two devices, the PIN and a random number exchanged by the devices. The
> DBAddr and random number are both exchanged in the clear. So the
> security of the encryption key ultimately lies in the PIN. So figure out
> how the PIN is set and synced between devices. Some devices do a very
> poor job at selecting secure PIN codes. For example all wireless
> headsets I’ve ever seen us the PIN 0000, 1234 or 1111. So although the
> encryption key can be up to 128 bits the key space is really 3 which is
> pretty damn easy to bruteforce. So to determine an encryption key all an
> attacker needs to do is capture the initial part of the handshake a
> bruteforce the PIN code. I’m pretty sure public tools exist to perform
> this attack.
>
> Als ask the vendor if they use any transport layer encryption or
> security outside of what Bluetooth offers.
>
> Here are a series of blog posts I've found useful when attacking
> Bluetooth: http://www.evilgenius.de/category/bluetooth/.
>
> Here's a site on penetration testing Bluetooth that's a little out of
> date but still might be helpful to you: http://bluetooth-pentest.narod.ru/
> .
>
> Cheers,
> Matt
>
> James Philput wrote:
> > Hello All,
> > I've recently been asked to look into what a couple of supposedly
> > secure devices are transmitting via bluetooth. I've done a fair amount
> > of work with 802.11 traffic capture and analysis, but very little with
> > bluetooth. If any of you could give me some guidance on what hardware
> > and software works best for bluetooth traffic capture and analysis I
> > would appreciate it. For the time being my company is primarily
> > interested in what can be gotten from passive captures, but they may
> > give me a couple of spare devices to attack in the future. Thanks for
> > the help!
> >
> > Regards,
> > James
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com