I'm starting to play with the USRP more and hope to publish some penetration testing specific tutorials. So feel free to drop me a line if you want to work together on documenting the process for sniffing Bluetooth with a USRP1.
Cheers,
Matt

James Philput wrote:
> Thanks Matt! Your information will help me a lot. I may try the USRP
> route since I don't think my company will shell out the cash for the
> commercial sniffer..
>
> Regards,
> James
>
> On Wed, Sep 22, 2010 at 3:43 PM, Matt Neely <[email protected]> wrote:
>
> James,
>
> Sniffing Bluetooth is a lot harder than sniffing 802.11. This is because
> of the frequency hopping Bluetooth uses and the lack of a monitor or
> promiscuous mode in consumer Bluetooth hardware. To capture traffic I'm
> aware of a couple of options.
>
> 1) Purchase a commercial Bluetooth sniffer
> (http://www.fte.com/products/fts4bt.aspx). Cost around 10K.
> 2) Flash a commercial firmware onto a consumer dongle. This would be
> illegal so I'll leave this for you to research on your own.
> 3) Use a USRP1 or USRP2 to capture the traffic. The USRP1 doesn't have
> the bandwidth to capture the entire Bluetooth spectrum but there is some
> trickery you can do to make it sort of work. The USRP2 has more bandwidth
> so can capture the entire Bluetooth spectrum with fewer units. Here's a
> presentation on the topic:
> http://www.ossmann.com/shmoo-09/ossmann-spill-shmoo-2009.pdf
>
> Even if you can't capture the traffic you can still do some analysis on
> how secure the transmissions are. The main area I would look at is how the
> device is handling encryption. If Bluetooth's native encryption is
> enabled three variables are used to setup the encryption key. The
> encryption key is formed by combining the DBAddr (MAC Address) of the
> two devices, the PIN and a random number exchanged by the devices. The
> DBAddr and random number are both exchanged in the clear. So the
> security of the encryption key ultimately lies in the PIN. So figure out
> how the PIN is set and synced between devices. Some devices do a very
> poor job at selecting secure PIN codes. For example all wireless
> headsets I've ever seen use the PIN 0000, 1234 or 1111. So although the
> encryption key can be up to 128 bits the key space is really 3, which is
> pretty damn easy to bruteforce. So to determine an encryption key all an
> attacker needs to do is capture the initial part of the handshake and
> bruteforce the PIN code. I'm pretty sure public tools exist to perform
> this attack.
>
> Also ask the vendor if they use any transport layer encryption or
> security outside of what Bluetooth offers.
>
> Here are a series of blog posts I've found useful when attacking
> Bluetooth: http://www.evilgenius.de/category/bluetooth/
>
> Here's a site on penetration testing Bluetooth that's a little out of
> date but still might be helpful to you:
> http://bluetooth-pentest.narod.ru/
>
> Cheers,
> Matt
>
> James Philput wrote:
> > Hello All,
> > I've recently been asked to look into what a couple of supposedly
> > secure devices are transmitting via bluetooth. I've done a fair amount
> > of work with 802.11 traffic capture and analysis, but very little with
> > bluetooth. If any of you could give me some guidance on what hardware
> > and software works best for bluetooth traffic capture and analysis I
> > would appreciate it. For the time being my company is primarily
> > interested in what can be gotten from passive captures, but they may
> > give me a couple of spare devices to attack in the future. Thanks for
> > the help!
> >
> > Regards,
> > James

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
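The point Matt makes in the quoted reply (the addresses and the random number are public, so the key is only as strong as the PIN, and a PIN drawn from {0000, 1234, 1111} leaves a key space of 3) can be made concrete with a small model. The code below is an added example, not code from this thread or from any Bluetooth stack: `derive_link_key` is a hypothetical HMAC-SHA256 stand-in for the real Bluetooth key-derivation functions, the device addresses and random value are constructed sample values, and the policy names in `pin_keyspace` are assumptions made for the example. It is written from the reviewer's side: given how a product sets its PIN, how much security does the 128-bit key actually deliver, and which deployed PINs should be flagged.

```python
import hashlib
import hmac
import math
import string

NOMINAL_KEY_BITS = 128

# PINs the thread reports seeing on essentially every wireless headset.
WEAK_HEADSET_PINS = ("0000", "1234", "1111")


def derive_link_key(addr_a: bytes, addr_b: bytes, rand: bytes, pin: str) -> bytes:
    """Hypothetical 128-bit key derivation (HMAC-SHA256, truncated), standing in
    for the real Bluetooth functions. Inputs: both device addresses, the random
    value exchanged in the clear, and the PIN. Only the PIN is secret."""
    public_inputs = addr_a + addr_b + rand
    return hmac.new(pin.encode(), public_inputs, hashlib.sha256).digest()[:16]


def pin_keyspace(policy: str, length: int = 4) -> int:
    """Number of PINs a device following the (assumed) policy could be using."""
    if policy == "headset-default":          # fixed shortlist, as seen on headsets
        return len(WEAK_HEADSET_PINS)
    if policy == "numeric":                  # random digits of the given length
        return 10 ** length
    if policy == "alphanumeric":             # random letters+digits, given length
        return len(string.ascii_letters + string.digits) ** length
    raise ValueError(f"unknown policy {policy!r}")


def effective_key_bits(policy: str, length: int = 4) -> float:
    """Security an observer of the handshake actually faces. The addresses and
    random value are public, so the key carries no more entropy than the PIN:
    effective strength is min(log2(PIN space), nominal key length)."""
    return min(math.log2(pin_keyspace(policy, length)), NOMINAL_KEY_BITS)


def audit_pin(pin: str) -> list:
    """Findings a reviewer would raise about a deployed PIN (assumed thresholds)."""
    findings = []
    if pin in WEAK_HEADSET_PINS:
        findings.append("on the common-default list")
    if len(pin) < 6:
        findings.append("shorter than 6 characters")
    if pin.isdigit() and len(set(pin)) == 1:
        findings.append("repeated single digit")
    if pin.isdigit() and pin in "0123456789":
        findings.append("sequential digits")
    return findings


def key_entropy_demo() -> dict:
    """With the public inputs fixed, distinct PINs map one-to-one onto distinct
    keys, so the number of keys an observer must distinguish equals the number
    of candidate PINs, regardless of the 128-bit key length."""
    addr_a = bytes.fromhex("001122334455")   # constructed sample address
    addr_b = bytes.fromhex("66778899aabb")   # constructed sample address
    rand = bytes(16)                          # constructed; sent in the clear
    keys = {pin: derive_link_key(addr_a, addr_b, rand, pin) for pin in WEAK_HEADSET_PINS}
    return {"candidate_pins": len(keys), "distinct_keys": len(set(keys.values()))}


if __name__ == "__main__":
    for policy, length in (("headset-default", 4), ("numeric", 4), ("numeric", 16), ("alphanumeric", 32)):
        print(f"{policy:16s} len={length:2d}  effective bits: {effective_key_bits(policy, length):6.1f}")
    for pin in ("0000", "1234", "927415"):
        print(pin, audit_pin(pin) or ["no findings"])
    print(key_entropy_demo())
```

The numbers are the whole point: the headset shortlist gives about 1.6 bits of effective strength and a 4-digit numeric PIN about 13.3 bits, while the nominal key length stays 128 either way. When reviewing a product, the question to put to the vendor is therefore how the PIN is generated and distributed, and whether anything above the Bluetooth link (Matt's "transport layer encryption") protects the data if the link key is weak.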
