Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: Bluetooth Advice
From: James Philput <jamesphilput () gmail com>
Date: Thu, 23 Sep 2010 10:58:35 -0400

Thanks Matt!  Your information will help me a lot.  I may try the USRP route
since I don't think my company will shell out the cash for the commercial
sniffer..

Regards,
James

On Wed, Sep 22, 2010 at 3:43 PM, Matt Neely <matt-lists () matthewneely com>wrote:

James,

Sniffing Bluetooth is a lot harder then sniffing 802.11. This is because
of the frequency hopping Bluetooth uses and the lack of a monitor or
promiscuous mode in consumer Bluetooth hardware. To capture traffic I'm
aware of a couple of options.

1) Purchase a commercial Bluetooth sniffer
(http://www.fte.com/products/fts4bt.aspx). Cost around 10K.
2) Flash a commercial firmware onto consumer dongle. This would be
illegal so I'll leave this for you to research on your own.
3) Use a USRP1 or USRP2 to capture the traffic. The USRP1 doesn't have
the bandwidth to capture the entire Bluetooth spectrum but there is some
tricky you can do to make it sort of work. The USPR2 has more bandwidth
so can capture the entire Bluetooth spectrum with fewer units. Here's a
presentation on the topic
www.ossmann.com/shmoo-09/ossmann-spill-shmoo-2009.pdf.

Even if you can't capture the traffic you still do some analysis on how
secure the transmissions are. The main area I would look at is how the
device is handling encryption. IF Bluetooth's native encryption is
enabled three variables are used to setup the encryption key. The
encryption key is formed by combining the DBAddr (MAC Address) of the
two devices, the PIN and a random number exchanged by the devices. The
DBAddr and random number are both exchanged in the clear. So the
security of the encryption key ultimately lies in the PIN. So figure out
how the PIN is set and synced between devices. Some devices do a very
poor job at selecting secure PIN codes. For example all wireless
headsets I’ve ever seen us the PIN 0000, 1234 or 1111. So although the
encryption key can be up to 128 bits the key space is really 3 which is
pretty damn easy to bruteforce. So to determine an encryption key all an
attacker needs to do is capture the initial part of the handshake a
bruteforce the PIN code. I’m pretty sure public tools exist to perform
this attack.

Als ask the vendor if they use any transport layer encryption or
security outside of what Bluetooth offers.

Here are a series of blog posts I've found useful when attacking
Bluetooth: http://www.evilgenius.de/category/bluetooth/.

Here's a site on penetration testing Bluetooth that's a little out of
date but still might be helpful to you: http://bluetooth-pentest.narod.ru/
.

Cheers,
Matt

James Philput wrote:
Hello All,
I've recently been asked to look into what a couple of supposedly
secure devices are transmitting via bluetooth. I've done a fair amount
of work with 802.11 traffic capture and analysis, but very little with
bluetooth. If any of you could give me some guidance on what hardware
and software works best for bluetooth traffic capture and analysis I
would appreciate it. For the time being my company is primarily
interested in what can be gotten from passive captures, but they may
give me a couple of spare devices to attack in the future. Thanks for
the help!

Regards,
James
------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]