PaulDotCom mailing list archives

Re: Bluetooth Advice


From: Matt Neely <matt-lists () matthewneely com>
Date: Fri, 24 Sep 2010 13:37:47 -0400

I'm starting to play with the USRP more and hope to publish some 
penetration testing specific tutorials.  So feel free to drop me a line 
if you want to work together on documenting the process for sniffing 
Bluetooth with a USRP1.

Cheers,
Matt

James Philput wrote:
Thanks Matt!  Your information will help me a lot.  I may try the USRP 
route since I don't think my company will shell out the cash for the 
commercial sniffer.

Regards,
James

On Wed, Sep 22, 2010 at 3:43 PM, Matt Neely 
<matt-lists () matthewneely com> wrote:

    James,

    Sniffing Bluetooth is a lot harder than sniffing 802.11. This is
    because of the frequency hopping Bluetooth uses and the lack of a
    monitor or promiscuous mode in consumer Bluetooth hardware. To
    capture traffic I'm aware of a couple of options.

    1) Purchase a commercial Bluetooth sniffer
    (http://www.fte.com/products/fts4bt.aspx). Cost around 10K.
    2) Flash a commercial firmware onto a consumer dongle. This would be
    illegal so I'll leave this for you to research on your own.
    3) Use a USRP1 or USRP2 to capture the traffic. The USRP1 doesn't have
    the bandwidth to capture the entire Bluetooth spectrum but there is
    a trick you can do to make it sort of work. The USRP2 has more
    bandwidth so it can capture the entire Bluetooth spectrum with fewer
    units. Here's a presentation on the topic:
    http://www.ossmann.com/shmoo-09/ossmann-spill-shmoo-2009.pdf

    Even if you can't capture the traffic you can still do some analysis
    on how secure the transmissions are. The main area I would look at is
    how the device is handling encryption. If Bluetooth's native
    encryption is enabled three variables are used to set up the
    encryption key. The encryption key is formed by combining the DBAddr
    (MAC Address) of the two devices, the PIN and a random number
    exchanged by the devices. The DBAddr and random number are both
    exchanged in the clear. So the security of the encryption key
    ultimately lies in the PIN. So figure out how the PIN is set and
    synced between devices. Some devices do a very poor job at selecting
    secure PIN codes. For example all wireless headsets I've ever seen
    use the PIN 0000, 1234 or 1111. So although the encryption key can be
    up to 128 bits the key space is really 3 which is pretty damn easy to
    bruteforce. So to determine an encryption key all an attacker needs
    to do is capture the initial part of the handshake and bruteforce the
    PIN code. I'm pretty sure public tools exist to perform this attack.

    Also ask the vendor if they use any transport layer encryption or
    security outside of what Bluetooth offers.

    Here are a series of blog posts I've found useful when attacking
    Bluetooth: http://www.evilgenius.de/category/bluetooth/.

    Here's a site on penetration testing Bluetooth that's a little out of
    date but still might be helpful to you:
    http://bluetooth-pentest.narod.ru/.

    Cheers,
    Matt

    James Philput wrote:
    > Hello All,
    > I've recently been asked to look into what a couple of supposedly
    > secure devices are transmitting via bluetooth. I've done a fair
    > amount of work with 802.11 traffic capture and analysis, but very
    > little with bluetooth. If any of you could give me some guidance on
    > what hardware and software works best for bluetooth traffic capture
    > and analysis I would appreciate it. For the time being my company is
    > primarily interested in what can be gotten from passive captures,
    > but they may give me a couple of spare devices to attack in the
    > future. Thanks for the help!
    >
    > Regards,
    > James
    >
    > _______________________________________________
    > Pauldotcom mailing list
    > Pauldotcom () mail pauldotcom com
    > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    > Main Web Site: http://pauldotcom.com


