Busting The Bluetooth
Long summary:

Busting The Bluetooth

Introduction

During the last year, rumours had come to my attention that apparently it is possible to transform a standard 30 USD Bluetooth® dongle into a full-blown Bluetooth® sniffer. Thinking you absolutely need hardware to be able to hop 79 channels 1600 times a second, I was rather suspicious about these claims. This paper is the result of my research into this area, answering the question whether it is possible or not.

Analyzing Drivers

I used 4 different dongles during my tests, and these used the very same chipset from CSR. However, I noted that the features they offer were different and as such assumed that it must be the firmware that offers most of them. For an overview about what is actually required to promiscuously sniff Bluetooth®, I downloaded commercial software that is freely available to everyone and inspected the files that come with the packages. Within the INI [1] files I stumbled across drivers for a chip made by CSR (Cambridge Silicon Radio). In a specific section all the devices are listed, including their unique USB® vendor ID (VID) and product identifier (PID). A regular CSR BlueCore [2] device has the value:

    USB\VID_0A12&PID_0001

By further analyzing the files available in the commercial Bluetooth® sniffer package, I recognized that the driver used within that package identifies itself as:

    USB\VID_0A12&PID_0002

The difference being only the digit at the end of the VID. I now have the VID the commercial sniffing tool seems to be expecting.

[1] http://en.wikipedia.org/wiki/INI_file
[2] http://www.csr.com/products/bcrange.htm

Analyzing Other Content

Within the installation directory of the unnamed commercial sniffer package, I spotted .dfu [3] files which appeared to be some sort of firmware files.

Finding Useful Target Dongles

After finding references to CSR driver/chipsets in the installation package, I googled for CSR based Bluetooth® dongles. It is not that easy to find one which is for sure CSR based, but eventually I found a few and purchased them.

Hint: When you insert a Bluetooth® dongle into your Linux box, you can use lsusb or usbview to show all connected USB devices. I was surprised that 2 of my 4 dongles are showing me a familiar value of:

    0xa12:0x0001 Cambridge Silicon Radio

Analyzing CSR Chipset And Its Abilities

By searching through the CSR website for more information, I discovered a lot about the implementation of the various Bluetooth® features in their chipsets, and I recognized that the chip has different stores (memory). I suddenly remembered a BlueZ tool called btaddr which can change a Bluetooth® USB dongle's BT address, so I wondered whether the ProductID can be changed using the same or similar techniques. Soon I realised that by using the tool bccmd from the BlueZ CVS tree, I can completely read and ...
Source: www.remote-exploit.org
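
An added example (not code from the paper or from this site): an inventory check that normalizes the three notations quoted in the summary (Windows hardware ID, lsusb output, and the 0x-prefixed pair) and reports CSR devices that do not present the regular product ID. The function names, labels and sample lines are assumptions constructed for illustration.

```python
import re

# Identifiers quoted in the summary; the labels are this example's wording.
CSR_VID = 0x0A12
REGULAR_PID = 0x0001
KNOWN_PIDS = {
    0x0001: "regular CSR BlueCore device",
    0x0002: "ID the commercial sniffer driver identifies itself as",
}

# Windows hardware-ID form, e.g. USB\VID_0A12&PID_0001
WIN_ID = re.compile(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
# lsusb form, e.g. "Bus 001 Device 004: ID 0a12:0001 ..."
LSUSB_ID = re.compile(r"\bID\s+([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\b")
# Loose form as printed in the summary: 0xa12:0x0001
HEX_PAIR = re.compile(r"\b0x([0-9A-Fa-f]{1,4}):0x([0-9A-Fa-f]{1,4})\b")


def parse_usb_id(text):
    """Return (vid, pid) as ints from any of the three notations, else None."""
    for pattern in (WIN_ID, LSUSB_ID, HEX_PAIR):
        match = pattern.search(text)
        if match:
            return int(match.group(1), 16), int(match.group(2), 16)
    return None


def classify(text):
    """Describe one inventory line in terms of the IDs named on this page."""
    ids = parse_usb_id(text)
    if ids is None:
        return "unparsed"
    vid, pid = ids
    if vid != CSR_VID:
        return "not CSR"
    return KNOWN_PIDS.get(pid, "CSR, product ID not mentioned on this page")


def audit(lines):
    """List (vid:pid, verdict) for CSR devices not reporting the regular PID."""
    findings = []
    for line in lines:
        ids = parse_usb_id(line)
        if ids and ids[0] == CSR_VID and ids[1] != REGULAR_PID:
            findings.append(("%04x:%04x" % ids, classify(line)))
    return findings


# Constructed sample inventory (not captured from real hardware).
SAMPLE = [
    "Bus 001 Device 004: ID 0a12:0001 Cambridge Silicon Radio",
    r"USB\VID_0A12&PID_0002",
    "Bus 001 Device 002: ID 8087:0024 Example hub",
    "0xa12:0x0001 Cambridge Silicon Radio",
]

if __name__ == "__main__":
    for usb_id, verdict in audit(SAMPLE):
        print(usb_id, "->", verdict)
```
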
Bluetooth Hacking - Full Disclosure, Bluetooth Hacking Full Disclosure @ 21C3. Blue snarfing Data Theft Calendar Appointments Images Phone Book Names, Addresses, Numbers PINs and other codes Images Bluetooth Hacking Full Disclosure ...,
Hacking Bluetooth Enabled Mobile Phones and Beyond, Bluetooth Scatternet. All security routines are inside the Bluetooth chip. Bluetooth Technology Data and voice transmission ACL data connections SCO and eSCO voice channels Symmetric and asymmetric connections Frequency hopping ISM band ...,
An Ethical Guide to Hacking Mobile Phones, Bluetooth Hacking. Bluejack Attack OBEX Push Bluespamming Bluetoothing Modifying a Remote Mobile Phones Address Book Fadias Hot Tools for Bluejacking Countermeasures,