Bluetooth Class of Device/Service (CoD) Generator
All posts by hosh
Hacking HID devices
Collin Mulliner already presented an attack on Bluetooth-based HID devices. Luis Miras recently presented a similar attack on regular RF HID devices at CanSecWest. The hardware part is pretty interesting, check out the slides!
Updates on Wi-Fi Security
There were some pretty interesting developments during the last few weeks:
- aircrack-ptw, or Breaking 104-bit WEP in less than 60 seconds. Works great! There is a tutorial “How to crack WEP with no clients” which helps you to generate the necessary ARP packets.
- Lorcon – Loss Of Radio CONnectivity. An 802.11 packet generator implementing a hardware abstraction layer – you don’t have to mess around with WiFi drivers anymore. From now on Lorcon does this for you.
- Pretty interesting slides on Wi-Fi fuzzing from Black Hat Europe.
Happy hacking. 🙂
Bluetooth Sniffing Pt. 1.7
In the last few weeks there were some rumors about “Bluetooth Sniffing for everyone”. Max Moser released a paper in which he describes how to modify a regular Bluetooth dongle into a full-featured Bluetooth sniffer using Frontline’s FTS4BT software.
The software is available for free, and the firmware you need to convert a Bluetooth dongle into a sniffer comes with it. All you need is a serial number to run the software. The media give the impression that now everybody can easily sniff Bluetooth.
But in fact, Bluetooth sniffing is not that easy. To successfully sniff a Bluetooth connection you always have to know at least one of the Bluetooth addresses used in the piconet. And not only that, you also have to know whether that device is the master or a slave of the piconet and whether it is in inquiry scan or page scan.
If the connection is encrypted you need even more information. You also need to know the other device’s Bluetooth address, and you have to know the Link Key the two devices are using for their connection. You could obtain the Link Key by sniffing the pairing process and then using btcrack to brute-force it. When the two devices have already been paired you first have to deauthenticate them.
Of course all the information you need could be obtained, but in practice sniffing Bluetooth is not as easy as sniffing Wi-Fi.
Another point is that the sniffers in use right now don’t seem to work very well over distance, so you have to be very close to the devices. All in all, I am not even sure whether using antennas would help or not. In my opinion, with state-of-the-art hardware and software it is nearly impossible to successfully carry out an eavesdropping attack in the field on an encrypted connection.
But let’s see what the future brings. If somebody finds out how the raw packets of the Frontline firmware are passed through HCI, it would be possible to use the sniffer hardware with custom software that supports scripting, making everything easier. Another scenario, described earlier in another post, might also become possible: build a device which can sniff all 79 channels simultaneously. Just take 79 dongles – one dongle per channel. This way you wouldn’t have to manually synchronize one dongle to the piconet’s hopping sequence.
Bluetooth Dongle with CSR chipset and flash or external memory using Flash
These are some Bluetooth dongles which support changing the firmware with dfutool and tuning with bccmd. There is no guarantee that they still support flashing and tuning when you buy them, because vendors often tend to change the hardware without further notice.
Fujitsu Siemens
BLUETOOTH V2.0 USB-Stick
Cellink BTA-6030 Bluetooth Adapter
Other dongles which seem to work (see the comments on this article; not verified):
Toshiba PA3455U-1BTM
Linksys USBBT100 (newer ones have Broadcom chipset, older ones CSR but only Bluetooth 1.1)
Aircable Host XR