Bluetooth Sniffing Pt.1

Most people will know sniffers for 802.11 Networks. One of them is Kismet. While sniffing with Kismet the Wireless Network card is set into raw monitoring mode. In this mode the card basically listens for all incoming traffic on a specific channel.

The main differences between 802.11 networks and Bluetooth are:

  1. A Bluetooth connection is not using one specific channel, it hops over 79 different channels, changing the channel every 0.625 seconds in a pseudo random sequence. That’s called FHSS (Frequency-hopping spread spectrum).
  2. You don’t have that much control over your Bluetooth hardware – the radio and baseband layer are insulated from you by a layer called “HCI” (Host Controller Interface). You can only control these lower layers with predefined HCI commands.

As you can see, sniffing Bluetooth is not as easy as in 802.11 Networks: Buy your regular hardware, put it into monitoring mode and lean back. For Bluetooth it is a little bit more difficult. For now, the only way for sniffing a Bluetooth connection is to sniff on your local device’s HCI layer, but this will only let you see the traffic that is passed through the HCI Layer from devices that connect to you. Hcidump from Bluez is such a sniffer. That’s a start, but not to good. You will often want to see what’s going on on the baseband and radio layer. The only way to do this is to sniff on the Air.

There are two ways to do this:

  1. A device, which monitors the whole 79 Channels at the same time and is able the differentiate between Piconets
  2. A device, which is able to follow the hopping sequence of the Piconet.

Option number one: Forget it. I mean, of course it might be possible but you would need the hardware to monitor 79 channels, implement the logic to differentiate between different Piconets – I guess this device would cost at least a few ten thousands of Euro.

For the other option, you need to be able to follow the hopping sequence of the Piconet. Since the hopping sequence depends on the Masters Bluetooth device address and internal clock, you just have to find out these two informations (which isn’t to hard) and follow the Piconet’s hopping sequence with your device. The easiest way to do this would be using your regular Bluetooth Dongle with some kind of modified Firmware, with which you could control the sniffer’s hopping sequence. The problem with creating your own Firmware for your Dongle are the manufactures. They won’t give you enough information on the Bluetooth chip.

There are serveral Bluetooth sniffers out there which are doing exactly this. For example FTE’s FTS4BT or LeCroy’s Merlin II. But what you really want is an Open Hardware Blueooth device with Open Source firmware in it. A viewer is already available, our network protocol analyzer of choice, Wireshark (former Ethereal), is already supporting Bluetooth capture files.

Since a commercial Bluetooth Sniffer would cost you around 10.000$, a Open Source Bluetooth Sniffer would be pretty cool.

3 thoughts on “Bluetooth Sniffing Pt.1”

Comments are closed.