PaulDotCom mailing list archives
Re: Bluetooth Advice
From: Matt Neely <matt-lists () matthewneely com>
Date: Wed, 22 Sep 2010 15:43:24 -0400
James,

Sniffing Bluetooth is a lot harder than sniffing 802.11. This is because of the frequency hopping Bluetooth uses and the lack of a monitor or promiscuous mode in consumer Bluetooth hardware. To capture traffic I'm aware of a couple of options.

1) Purchase a commercial Bluetooth sniffer (http://www.fte.com/products/fts4bt.aspx). Cost around 10K.

2) Flash a commercial firmware onto a consumer dongle. This would be illegal so I'll leave this for you to research on your own.

3) Use a USRP1 or USRP2 to capture the traffic. The USRP1 doesn't have the bandwidth to capture the entire Bluetooth spectrum but there are some tricks you can do to make it sort of work. The USRP2 has more bandwidth so can capture the entire Bluetooth spectrum with fewer units. Here's a presentation on the topic: www.ossmann.com/shmoo-09/ossmann-spill-shmoo-2009.pdf

Even if you can't capture the traffic you can still do some analysis on how secure the transmissions are. The main area I would look at is how the device is handling encryption. If Bluetooth's native encryption is enabled, three variables are used to set up the encryption key. The encryption key is formed by combining the DBAddr (MAC Address) of the two devices, the PIN and a random number exchanged by the devices. The DBAddr and random number are both exchanged in the clear. So the security of the encryption key ultimately lies in the PIN. So figure out how the PIN is set and synced between devices. Some devices do a very poor job at selecting secure PIN codes. For example, all wireless headsets I've ever seen use the PIN 0000, 1234 or 1111. So although the encryption key can be up to 128 bits, the key space is really 3, which is pretty damn easy to bruteforce. So to determine an encryption key all an attacker needs to do is capture the initial part of the handshake and bruteforce the PIN code. I'm pretty sure public tools exist to perform this attack.
Also ask the vendor if they use any transport layer encryption or security outside of what Bluetooth offers.

Here are a series of blog posts I've found useful when attacking Bluetooth: http://www.evilgenius.de/category/bluetooth/

Here's a site on penetration testing Bluetooth that's a little out of date but still might be helpful to you: http://bluetooth-pentest.narod.ru/

Cheers,
Matt

James Philput wrote:
Hello All,

I've recently been asked to look into what a couple of supposedly secure devices are transmitting via bluetooth. I've done a fair amount of work with 802.11 traffic capture and analysis, but very little with bluetooth. If any of you could give me some guidance on what hardware and software works best for bluetooth traffic capture and analysis I would appreciate it. For the time being my company is primarily interested in what can be gotten from passive captures, but they may give me a couple of spare devices to attack in the future.

Thanks for the help!

Regards,
James

------------------------------------------------------------------------
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com