PaulDotCom mailing list archives

Re: Bluetooth Advice


From: Matt Neely <matt-lists () matthewneely com>
Date: Wed, 22 Sep 2010 15:43:24 -0400

James,

Sniffing Bluetooth is a lot harder than sniffing 802.11. This is because 
of the frequency hopping Bluetooth uses and the lack of a monitor or 
promiscuous mode in consumer Bluetooth hardware. To capture traffic I'm 
aware of a couple of options.

1) Purchase a commercial Bluetooth sniffer 
(http://www.fte.com/products/fts4bt.aspx). Cost around 10K.
2) Flash a commercial firmware onto a consumer dongle. This would be 
illegal so I'll leave this for you to research on your own.
3) Use a USRP1 or USRP2 to capture the traffic. The USRP1 doesn't have 
the bandwidth to capture the entire Bluetooth spectrum but there is some 
trickery you can do to make it sort of work. The USRP2 has more bandwidth 
so it can capture the entire Bluetooth spectrum with fewer units. Here's a 
presentation on the topic 
www.ossmann.com/shmoo-09/ossmann-spill-shmoo-2009.pdf.

Even if you can't capture the traffic you can still do some analysis on how 
secure the transmissions are. The main area I would look at is how the 
device is handling encryption. If Bluetooth's native encryption is 
enabled three variables are used to set up the encryption key. The 
encryption key is formed by combining the BD_ADDR (MAC Address) of the 
two devices, the PIN and a random number exchanged by the devices. The 
BD_ADDR and random number are both exchanged in the clear. So the 
security of the encryption key ultimately lies in the PIN. So figure out 
how the PIN is set and synced between devices. Some devices do a very 
poor job at selecting secure PIN codes. For example all wireless 
headsets I've ever seen use the PIN 0000, 1234 or 1111. So although the 
encryption key can be up to 128 bits the key space is really 3 which is 
pretty damn easy to bruteforce. So to determine an encryption key all an 
attacker needs to do is capture the initial part of the handshake and 
bruteforce the PIN code. I'm pretty sure public tools exist to perform 
this attack.

Also ask the vendor if they use any transport layer encryption or 
security outside of what Bluetooth offers.

Here are a series of blog posts I've found useful when attacking 
Bluetooth: http://www.evilgenius.de/category/bluetooth/.

Here's a site on penetration testing Bluetooth that's a little out of 
date but still might be helpful to you: http://bluetooth-pentest.narod.ru/.

Cheers,
Matt
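A constructed model of the point Matt makes about the PIN bounding the key strength (added example, not code from the original post or the list). It assumes an HMAC-SHA256 stand-in for the real E22/E21 key setup, placeholder BD_ADDR values and a fixed random number; only the trust model (addresses and RAND public, PIN secret) is faithful, so it lets a tester score a device's PIN policy without any real Bluetooth hardware.

```python
import hashlib
import hmac
import math
from typing import Iterable, Optional

# Constructed sample values, not taken from any real device.
HEADSET_ADDR = "00:11:22:33:44:55"  # placeholder BD_ADDR of a headset
PHONE_ADDR = "66:77:88:99:AA:BB"    # placeholder BD_ADDR of a phone
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")  # the exchanged random number
WEAK_DEFAULT_PINS = ["0000", "1234", "1111"]  # the fixed PINs the post mentions

def derive_link_key(addr_a: str, addr_b: str, rand: bytes, pin: str) -> bytes:
    """Stand-in for Bluetooth's E22/E21 key setup (really SAFER+ based; this is
    NOT that algorithm). It keeps only the trust model: both addresses and RAND
    travel in the clear, so the PIN is the sole secret input to the 128-bit key."""
    public_inputs = addr_a.encode() + addr_b.encode() + rand
    return hmac.new(pin.encode(), public_inputs, hashlib.sha256).digest()[:16]

def effective_key_bits(pin_candidates: int, key_bits: int = 128) -> float:
    """Strength an eavesdropper actually faces: the key space collapses to the PIN space."""
    return min(float(key_bits), math.log2(pin_candidates))

def attempts_to_recover(observed_key: bytes, addr_a: str, addr_b: str,
                        rand: bytes, candidates: Iterable[str]) -> Optional[int]:
    """Number of PIN guesses a policy withstands when only public data is known.
    Returns the guess count that reproduced the observed key, or None."""
    for n, pin in enumerate(candidates, start=1):
        if hmac.compare_digest(derive_link_key(addr_a, addr_b, rand, pin), observed_key):
            return n
    return None

def pin_policy_report() -> dict:
    """Effective key bits for several PIN policies (values are candidate counts)."""
    policies = {
        "fixed default 0000/1234/1111": len(WEAK_DEFAULT_PINS),
        "random 4-digit numeric": 10 ** 4,
        "random 6-digit numeric": 10 ** 6,
        "random 16-char alphanumeric": 62 ** 16,
    }
    return {name: round(effective_key_bits(size), 1) for name, size in policies.items()}

if __name__ == "__main__":
    key = derive_link_key(HEADSET_ADDR, PHONE_ADDR, RAND, "1234")
    print("guesses until the fixed-PIN headset's key is reproduced:",
          attempts_to_recover(key, HEADSET_ADDR, PHONE_ADDR, RAND, WEAK_DEFAULT_PINS))
    for name, bits in pin_policy_report().items():
        print(f"{name:30s} ~{bits} bits")
```

Swapping a different RAND changes the derived key but not the number of guesses needed, which is why the report scores only the PIN policy.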

James Philput wrote:
Hello All,
I've recently been asked to look into what a couple of supposedly 
secure devices are transmitting via Bluetooth. I've done a fair amount 
of work with 802.11 traffic capture and analysis, but very little with 
Bluetooth. If any of you could give me some guidance on what hardware 
and software works best for Bluetooth traffic capture and analysis I 
would appreciate it. For the time being my company is primarily 
interested in what can be gotten from passive captures, but they may 
give me a couple of spare devices to attack in the future. Thanks for 
the help!

Regards,
James
------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com