evilgenius » bluetooth

NIST: Guide to Bluetooth Security

hosh — Wed, 08 Oct 2008 21:12:57 +0000

The Computer Security Devision of the National Institute of Standards and Technology (NIST) have released their Guide to Bluetooth Security. Just had a short look at it, but I think it worth to read it. Especially the part about the new security features of Bluetooth 2.1 with Secure Simple Pairing (SSP). There are also some other quite interesting publications around.

Counter measurements of FTE against copying their Bluetooth sniffer

hosh — Thu, 04 Sep 2008 19:54:49 +0000

Seems that FTE is finally reacting on the fact that you can easily copy their Comprobes firmware to other, regular Bluetooth USB dongles. First, with their new hardware they released earlier this year, also the structure of the firmware has changed. Therefore the newer firmware wont work out of the box the good old way.

Second they seem to have changed their licensing policy. You have to register your software (with your license key) of FTE4BTonline. And, that’s the funny thing, seems that you also have to ‘de-register’ your software online. Means: when you want to install your software somewhere else, de-install it on the other PC and ‘de-register’ it online. Then install it on the other PC. What happens when your old PC is br0ken? No idea.

Anyway.. maybe that way more people will be interested in building their own and free Bluetooth sniffer.

CBBQWE08 and Secure Simple Pairing

hosh — Wed, 18 Jun 2008 22:29:30 +0000

This weekend the CBBQWE08 will take place in Dortmund, Germany, Old Europe. It’s organized by the CCC Dortmund there will be some lectures – I will give an overview of the new security features of Bluetooth Secure Simple Pairing – but the main focus of the event is the BBQ and having some fun. I hope it will be good weather.

Slides for modifying your BT dongle into a sniffer

hosh — Fri, 28 Mar 2008 23:37:21 +0000

Remark: FTE changed something in their firmware, therefore the described way does not work anymore!

Found this slides, which give you a nice 20min walk through for changing your BT dongle to a BT sniffer.

World’s smallest Bluetooth Dongle?

hosh — Tue, 04 Mar 2008 22:59:20 +0000

Hi, there!

Look what I found on a business trip in the US, I am not sure if it’s the world’s smallest Bluetooth Dongle – but a least the smallest I know.

Unfortunately it’s not the world’s smallest Bluetooth sniffer, because it’s a ROM and you can’t update it

$ hciconfig hci0 revision hci0: Type: USB BD Address: 00:de:ad:be:ef:D0 ACL MTU: 310:10 SCO MTU: 64:8 Unified 21e Chip version: BlueCore4-ROM Max key size: 128 bit SCO mapping: HCI

24C3: Bluetooth Stuff

hosh — Fri, 28 Dec 2007 21:06:50 +0000

Hi there! Greetings from 24C3, the annual hacker meeting of CCC. Some updates on Bluetooth related stuff:

Balle released a new version of bluediving, now available in version 0.9.

A funky new tool has been released at this congress: bluedrift. What driftnet is for ethernet, bluedrift is for Bluetooth. Using a special Bluetooth dongle which is capable of being flashed, you are now able to automatically sniff Bluetooth traffic and extract OBEX data, e.g. electronic vcards or pictures, from your sniff.

Another project I didn’t know before is the Wave Bubble by ladyada: “A design for a self-tuning portable RF jammer”

Best cite of the congress: “MIT doesn’t teach you how to fuck GSM-Networks” — Ladyada

iPhone’s Bluetooth Bug and the Metasploit Framework

hosh — Sat, 29 Sep 2007 20:21:55 +0000

As balle already pointed out, there is a major Bluetooth Bug in iPhones. The SDP-Service can be exploited to execute arbitrary code. The funny thing with iPhones is, that even when Inquiry Scan is disabled (“hidden Bluetooth device”) it’s easy to find out the Bluetooth Address of an iPhone: The WiFi-address is the Bluetooth address incremented by one. When you know the MAC Address of the iPhone, you also know the Bluetooth address.

Another interesting thing: The Metasploit Framework about to be ported to the iPhone. All the applications seem to run as UID 0 on the iPhone – this is going to be fun!

Source: Computerworld

Write your own CSR Firmware!

hosh — Thu, 16 Aug 2007 15:54:18 +0000

Darkircop have released their tools for reverse engineering CSR Firmware. The tools include a disassembler dis.c for disassembling official firmware. An assembler as.cc for writing your own firmware is also included. With these tools you are now able to write your own firmware for your CSR based Bluetooth Dongle, which might even include raw access for Bluetooth sniffing. The source code for sniffing Bluetooth under Linux included, too.

It might even be possible to port the techniques for finding hidden Bluetooth devices described in this paper onto a CSR dongle. In the paper GNU Radio with USRP was used. The source code used for this attack can be downloaded, too.

Updates on Aircable Host XR (30km Bluetooth Link)

hosh — Mon, 13 Aug 2007 16:30:07 +0000

Anonymous did send me some pictures of the Aircable Host XR. It has a CSR BC4 Chipset (CSR BC417-143BQN) and you can update its firmware. In combination with the SMA Connector for the antenna and its high sensitivity, this device might be an interesting BT-Sniffer.

As HF frontend an Atmel T7024 is used with a power output of 23dbm which is around 200mW (usually you have around 100mW).

Aircable Host XR Firmware (DFU)

Bluetooth 2.1 Specification public now

hosh — Wed, 01 Aug 2007 21:36:53 +0000

The new Bluetooth 2.1 specification has been made public today. You can download it now. Core features of the 2.1 spec:

Secure Simple Pairing
Reduced Power Consumption