Aghaster

Bluetooth Sniffer

24 posts in this topic

Busting Bluetooth Myth

After reading this article, I thought I might try to get a USB dongle that has the BlueCore-4 Ext chip in it, so that I may try to modify the dongle just like this security researcher did.

However, it is kind of hard to find what chip is in each USB dongle that comes with various hardware. I thought I might get one cheap with a laptop mouse or a wireless keyboard. Has anybody ever made a bluetooth sniffer? Has anybody played with this? Is this the only way to make a cheap bluetooth sniffer, let alone make a bluetooth sniffer?

I have a wireless RocketFish keyboard that uses Bluetooth, but unfortunately the USB dongle that comes with it has a Broadcom chip in it. Broadcom does not really give you access to the same stuff as the maker of the BlueCore4 chip. The BlueCore4 chip has an SDK and a lot of documentation that comes with it, so that's why it is easier to modify a dongle that has one.

Thanks for your help. I have also found that there is documentation for a reference USB dongle that uses the BlueCore4 chip, they call it NanoSira.


The NanoSira bluetooth dongle can be bought from digikey for $100... which is expensive. The author of the article said he used a $30 bluetooth dongle.

After further googling, I found this thread which gives a list of bluetooth dongles that have the BlueCore4-Ext chip:

Acer Bluetooth Stick - BC2-EXT

Linksys USBBT100 Rev 1

D-Link DBT-120 Rev C1

DELOCK 61478

A7 eb502-HCI

Fujitsu Siemens BLUETOOTH V2.0 - BC4-EXT - there is no known revision for this dongle

Toshiba PA3455U-1BTM

Aircable Host XR

Cellink BTA-6030 Bluetooth Adapter

I then searched for where to buy some of them, and the cheapest seems to be the D-Link DBT-120 Rev C1. I don't know if the one on newegg.com is the Rev C1, but it is $25 with a $10 mail-in rebate ($15 in the end). Offer available until the 31st of this month. Get it here, I think I'll order one right away.

Edit: Damn, newegg.com does not seem to ship to Canada. I found it on tigerdirect.ca for $42 :(

Has anybody found a place to buy the fujitsu siemens bluetooth 2.0? I can only find places in europe.

Edit 2:

Both the USBBT100 and the DBT-120 are Bluetooth 1.1 devices, I cannot find one that I could buy in Canada that supports 2.0. I guess if I buy a bluetooth 1.1 dongle I won't be able to get it to work with all devices, supposing that some of them might be using bluetooth 2.0.


What's written in the article makes perfect sense, he has replaced the firmware of the bluetooth dongle and changed the MAC address to match the appropriate block so that the paid-for sniffing application accepts it.

He doesn't say which application he used, but my money is on:

http://www.fte.com/products/FTS4BT-06.asp

Not cheap, around the $10K mark for each license/dongle. If you have managed to find a source of 'ripped off' firmware, then you might be able to get something going. They did have a demo for download around Oct 2006...

Cheers,

Mungewell.

What's written in the article makes perfect sense, he has replaced the firmware of the bluetooth dongle and changed the MAC address to match the appropriate block so that the paid-for sniffing application accepts it.

I think you are right on it. Quite funny that you can get the same thing for just $30 when it is sold for around the $10K mark.

Also, I'm having problems getting a bluetooth dongle in Canada. The best would be a Fujitsu Siemens Bluetooth 2.0 (Europe only) or a DLINK DBT-120 (US + Europe). Do you live in a place where it is easier to buy one? Damn, all the American online sellers charge between $30 and $50 for SHIPPING alone to send to Canada... It is so frustrating, I don't know what justifies such prices for a small bluetooth dongle.


FINALLY!!! I just bought mine, a DLINK DBT-120 for about CAN$40. They are listed on ebay for US$18.60, here. Very cheap price, get them before they are gone! There are still 11 left at the time of this post. It was very hard to find a good deal that could ship to Canada. As some people said on IRC, Canada is the e-third world...

:D


I have just received my DBT-120 USB Bluetooth adapter Rev C1, bought from ebay (link in my previous post). I am currently on Backtrack3 following the instructions very carefully on how to install the special firmware on it. So far so good, I've verified that it has the right chipset:

bt ~ # hciconfig hci0 revision
hci0: Type: USB
BD Address: 00:17:9A:2A:FF:58 ACL MTU: 384:8 SCO MTU: 64:8
HCI 19.2
Chip version: BlueCore4-External
Max key size: 56 bit
SCO mapping: HCI

I'm following DrGreen's guide here.

I will post more info when I'll get it working :)


Does it mean you can sniff the passphrase and access, for instance, a mobile phone without pairing and browse the content?

Does it mean you can sniff the passphrase and access, for instance, a mobile phone without pairing and browse the content?

Hum... that's not the same thing, I think it is called bluesnarfing. However, if you can sniff the pairing process with this bluetooth sniffer, you can use btcrack to crack the PIN. You could then use the PIN to do some bluesnarfing.


So what can you do with all those sniffed packets?

Is it possible to recreate a voice conversation?

So what can you do with all those sniffed packets?

Is it possible to recreate a voice conversation?

The videos I've seen that did that used the PIN to pair with the device, and then got the audio, and even injected audio with the carwhisperer tool. Most of the time the PIN is just 0000 so you do not even need to crack it. The sniffer would be useful for cracking the PIN if it is something hard to guess. If you want to intercept the communication without pairing with the device, then I guess you could reconstruct it from the packets, but I'm not sure if there are tools to do it. It would make a nice programming project.


I also got my DBT-120 USB Bluetooth adapter Rev C1 and following DrGreen's guide on the backtrack forums.

Thanks for the link Aghaster.

c

I also got my DBT-120 USB Bluetooth adapter Rev C1 and following DrGreen's guide on the backtrack forums.

Great :) I have flashed my DBT-120 with the firmware, but it looks like I need a second dongle to scan for other devices (the sniffer cannot do it, it is set to receive all RAW packets). I have a Rocketfish bluetooth dongle that came with my bluetooth keyboard, but even if the keyboard works out of the box, the dongle itself has problems being recognized as a bluetooth adapter. This is a problem as I need it to be recognized as a bluetooth adapter in order to use the scanning tools to let my sniffer find the devices to sniff. I will buy one of those very cheap bluetooth adapters (Broadcom, it does not matter I think for the adapter I use for scanning) from a cheap electronics store.

inject audio with the carwhisperer tool

As if those folks didn't look schizophrenic enough, does this mean I could use that to be the voice of God?

The sniffer would be useful for cracking the PIN if it is something hard to guess.

And you bought that dongle only for this purpose?

The sniffer would be useful for cracking the PIN if it is something hard to guess.

And you bought that dongle only for this purpose?

No, you want to do this. I'm not interested in intercepting voice conversations from bluetooth headsets or pulling information out of phones. I want to intercept the communication between my bluetooth keyboard and my computer and try to crack it. And that requires a bluetooth sniffer.

No, you want to do this. I'm not interested in intercepting voice conversations from bluetooth headsets or pulling information out of phones. I want to intercept the communication between my bluetooth keyboard and my computer and try to crack it. And that requires a bluetooth sniffer.

The FTE/FTS software can be installed in Demo/Viewer only mode without a key. The default install contains some sample captures which show how powerful the sniffing is, if your sniffer is active from before any connection is made between the two target devices then EVERYTHING is decodable.....

(attached screenshot: post-7512-1220372288_thumb.png)

Cheers,

Mungewell.


I bought a second dongle today but I still cannot find any device with it. I don't know what is going wrong.

jacob:/home/aghaster# hciconfig hci1
hci1: Type: USB
BD Address: 11:11:11:11:11:11 ACL MTU: 672:3 SCO MTU: 48:1
UP RUNNING PSCAN ISCAN
RX bytes:937 acl:0 sco:0 events:22 errors:0
TX bytes:338 acl:0 sco:0 commands:27 errors:0

(I did hciconfig hci1 up before that)

and then if I try scanning for devices:

jacob:/home/aghaster# hcitool -i hci1 scan
Scanning ...
Inquiry failed: Connection timed out

I don't know what is wrong, I have my bluetooth headset nearby and my bluetooth keyboard, it should be able to find it.

I'm getting a bit lost... maybe I should try to use the Windows tools but I wanted to do it on Linux with the open source tools, to avoid relying on the demo software.

Edit: I was able to find one device, which was my phone when I set it in discoverable mode...

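As an added example (not code from this thread, from DrGreen's guide or from BlueZ), here is a small Python parser for the two `hciconfig` outputs pasted in this thread: the `hciconfig hci0 revision` dump from the flashed DBT-120 earlier in the thread and the `hciconfig hci1` dump in the post above. It pulls out the fields the thread keeps coming back to: the chip name (the firmware only applies to BlueCore4-External), the first three octets of the BD address (the vendor block a sniffing application checks before accepting a dongle, as Mungewell described), and the adapter flags. The two sample inputs are the outputs quoted in the thread, embedded as constructed strings so the script runs without hardware; the `FLAG_WORDS` set and the `assign_roles` helper are my own additions and are not part of any BlueZ API. One point worth noting from the flags: PSCAN and ISCAN describe the local adapter's own page-scan and inquiry-scan modes, not its ability to find others. `hcitool scan` only lists remote devices that themselves have inquiry scan enabled, which is why the phone appeared only once it was set discoverable.

```python
import re

# Constructed sample input: the two hciconfig outputs quoted in this thread,
# embedded here so the parser runs offline (no dongle required).
HCI0_REVISION = """\
hci0: Type: USB
BD Address: 00:17:9A:2A:FF:58 ACL MTU: 384:8 SCO MTU: 64:8
HCI 19.2
Chip version: BlueCore4-External
Max key size: 56 bit
SCO mapping: HCI
"""

HCI1_STATUS = """\
hci1: Type: USB
BD Address: 11:11:11:11:11:11 ACL MTU: 672:3 SCO MTU: 48:1
UP RUNNING PSCAN ISCAN
RX bytes:937 acl:0 sco:0 events:22 errors:0
TX bytes:338 acl:0 sco:0 commands:27 errors:0
"""

# Assumed set of adapter state words BlueZ's hciconfig prints on its flags
# line; extend it if your BlueZ version prints others.
FLAG_WORDS = {"UP", "RUNNING", "PSCAN", "ISCAN", "INIT", "INQUIRY",
              "AUTH", "ENCRYPT", "RAW"}

_DEV_RE = re.compile(r"^(hci\d+):\s+Type:\s+(\S+)")
_ADDR_RE = re.compile(r"^BD Address:\s+([0-9A-Fa-f:]{17})\s+ACL MTU:\s+(\d+):(\d+)"
                      r"\s+SCO MTU:\s+(\d+):(\d+)")
_HCI_RE = re.compile(r"^HCI\s+([\d.]+)$")
_CHIP_RE = re.compile(r"^Chip version:\s+(.+)$")
_KEY_RE = re.compile(r"^Max key size:\s+(\d+)\s+bit")
_STATS_RE = re.compile(r"^(RX|TX) bytes:(\d+)")


def parse_hciconfig(text):
    """Parse one adapter's hciconfig output into a dict.

    Lines the parser does not know (e.g. "SCO mapping: HCI") are ignored
    rather than rejected, so output from other BlueZ versions still parses.
    """
    info = {"dev": None, "type": None, "bdaddr": None, "acl_mtu": None,
            "sco_mtu": None, "hci_version": None, "chip": None,
            "max_key_bits": None, "flags": set(),
            "rx_bytes": None, "tx_bytes": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DEV_RE.match(line)
        if m:
            info["dev"], info["type"] = m.group(1), m.group(2)
            continue
        m = _ADDR_RE.match(line)
        if m:
            info["bdaddr"] = m.group(1).upper()
            info["acl_mtu"] = (int(m.group(2)), int(m.group(3)))
            info["sco_mtu"] = (int(m.group(4)), int(m.group(5)))
            continue
        m = _HCI_RE.match(line)
        if m:
            info["hci_version"] = m.group(1)
            continue
        m = _CHIP_RE.match(line)
        if m:
            info["chip"] = m.group(1).strip()
            continue
        m = _KEY_RE.match(line)
        if m:
            info["max_key_bits"] = int(m.group(1))
            continue
        m = _STATS_RE.match(line)
        if m:
            info[m.group(1).lower() + "_bytes"] = int(m.group(2))
            continue
        words = line.split()
        if words and all(w in FLAG_WORDS for w in words):
            info["flags"].update(words)   # the "UP RUNNING PSCAN ISCAN" line
    return info


def oui(info):
    """First three octets of the BD address: the vendor block a sniffer
    application compares against before accepting the dongle."""
    return info["bdaddr"][:8]


def is_bluecore4_ext(info):
    return info["chip"] == "BlueCore4-External"


def is_up(info):
    return {"UP", "RUNNING"} <= info["flags"]


def is_discoverable(info):
    # ISCAN: this adapter answers inquiries. Says nothing about remote devices.
    return "ISCAN" in info["flags"]


def is_connectable(info):
    return "PSCAN" in info["flags"]


def assign_roles(adapters):
    """Pick the BlueCore4-External dongle as the sniffer and the first other
    adapter that is UP RUNNING as the scanner; either may be None."""
    sniffer = next((a for a in adapters if is_bluecore4_ext(a)), None)
    scanner = next((a for a in adapters if a is not sniffer and is_up(a)), None)
    return sniffer, scanner


if __name__ == "__main__":
    hci0, hci1 = parse_hciconfig(HCI0_REVISION), parse_hciconfig(HCI1_STATUS)
    sniffer, scanner = assign_roles([hci0, hci1])
    print("sniffer:", sniffer["dev"], sniffer["chip"], "OUI", oui(sniffer))
    print("scanner:", scanner["dev"], sorted(scanner["flags"]))
```

Feed it the output of `hciconfig hciN revision` for each dongle you own and `assign_roles` tells you which one is a flashing candidate and which one is left to run `hcitool scan`; the scanner still only sees devices that are themselves discoverable.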
I'm getting a bit lost... maybe I should try to use the Windows tools but I wanted to do it on Linux with the open source tools, to avoid relying on the demo software.

I think that you are setting yourself quite a hurdle by attempting not to use the FTS software. Unlike 802.11, Bluetooth is actually pretty secure by design. Once the communication is established, the frequency changes in time slices and these changes can be pseudo-random. There are 79 channels, each 1MHz wide, starting at 2.402GHz and finishing at 2.480GHz.

In order to snoop you will have to control your 'sniffer dongle' to some degree in order to make it follow the jumps of the monitored pair. You will also have to grab/work out what the encryption key is, which is negotiated when a channel is brought up between peers.

If you really want to read up on Bluetooth, it looks like the core specification documents are available here:

http://www.bluetooth.com/Bluetooth/Technol...Specifications/

If you want to ask specific questions, PM me and I'll try to help.

Cheers,

Mungewell.

I think that you are setting yourself quite a hurdle by attempting not to use the FTS software.

Hum, yeah, but the guides I've seen on the internet use the Linux tools :/


Bluetooth is definitely not secure. Yes it does frequency hopping, but it's insanely easy to crack the encryption used for bluetooth transmissions and intercept traffic. Re-pair attacks have been around for a long time for bluetooth devices and now as states such as California are requiring people to use hands free devices while driving there are more and more people who have bluetooth constantly enabled on their phones.


Sorry to dig up an old thread, but has anyone gotten carwhisperer to work?

Can I use any old bluetooth device?

I went ahead and bought a D-Link DBT-120 (hopefully it'll be of use to me).

I've tried bluebugger, bluesnarfer, bluesmash, and I'll soon try carwhisperer, although bt3-4 has that one set up wrong so...

Edited by DeAuthThis

Not to double post, but I'm still struggling with this and it was an expensive adapter.
