Bluetooth Security

  • 13-05-2009 9:19pm
    #1
    Closed Accounts Posts: 4


    Just finished a college project on Bluetooth security and was wondering whether anyone else has looked into this.

    Found a couple of Java apps for attacking from phone to phone, but I'm more interested in PC to phone. I used BackTrack 3 with a Bluetooth dongle and managed to get a DoS attack working which shut the phone off with no warning. All other attacks were unsuccessful, but I'm gonna still look into it over the summer.

    I'm interested in people's views: are these Bluetooth attacks a thing of 4 years ago, when it was relatively easy to gain access to Bluetooth-enabled phones? Has anyone had any success in testing Bluetooth security and found vulnerabilities?


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I was interested in the btpincrack project, looking at ways to optimise SAFER+ performance on desktop computers.

    After some time researching info it became clear that good analysis required expensive hardware, and I hadn't the money or interest after this point.

    It might be interesting to look into Symbian OS, reverse engineering its Bluetooth stack, since it has a large market share of mobile devices; it probably would raise a few eyebrows.

    In the last 1 or 2 years, there has been more research into Symbian exploits.
    Simple shellcodes can be written using the gcc-arm toolchain. Nobody (published publicly) has bothered to completely reverse how the kernel works, so it will be a while before we see anything, but it won't be too long.

    ARTeam is a good source of info on that stuff.

    Indeed, there are guys out there with the tools/software to break some systems that use Bluetooth. I wouldn't use it for controlling access, just my own opinion.


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    Bluetooth has been hacked the crap out of.

    Try the 23c3 video on it from a few years back; it covered basic auditing.

    I can't remember the tools' names, but a lot ran off the BlueZ stack.

    Usual things like PIN cracking,
    sniffing,
    audio stream injection (car kits).


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    A protocol analyser costs anything from $5,000 or more. Correct me if I'm wrong here, but the hardware needed to fully test the security of Bluetooth is too expensive for the average Joe.

    The only other route is reverse engineering the software implementations; how many of you are willing to do that? :P

    Lower the cost of the hardware required to sniff this type of traffic and more vulnerabilities would surface, but that probably won't happen anytime soon.


  • Closed Accounts Posts: 4 domoKon


    Yeah, it's pretty expensive to get this equipment, but I've seen some walkthroughs of turning a €20 USB dongle into a €5000 sniffing tool. One of the best is http://drgr33nsblog.blogspot.com/. Personally I haven't tried it because you need a particular type of dongle.

    I've seen that 23c3 vid; it actually got me interested in Bluetooth security. But as I said, I used the OS they use, BackTrack 3, with Bluebugger and Bluesnarfer etc., and was unsuccessful in any of these exploits. The only attack that was successful was overloading the buffer with packets, which just crashes the phone.

    Thanks for the info on btpincrack, Martyr. It would be interesting to see if I manage to flash a USB dongle and see if the claims that it works as a $5000 piece of equipment are true.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    yeah its pretty expensive to get this equipment but I've seen some walkthroughs of turning a €20 usb dongle into a €5000 sniffing tool

    Wow, see what you mean :D

    Certain types of adapters allow firmware modification. Gotta be an inside hack ;)

    If someone were willing to upload some Bluetooth PIN pair captures, I'd be happy to play with PIN crackers, optimizing them, running them on GPUs, just for the fun.

    I had been researching this stuff over 2 years ago and hadn't bothered checking since, but if that's true you can obtain certain adapters, modify the firmware, then use them to sniff BT traffic. I'm all up for researching how to crack the PIN faster.
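To make concrete what the PIN-cracking discussion in this thread (btpincrack, SAFER+ optimisation, running crackers on GPUs) actually computes, here is an added worked example; it is not code from any poster or from the btpincrack project. It follows the structure of the Shaked and Wool (2005) attack on Bluetooth 2.0 legacy pairing: a passive sniffer records IN_RAND, the two masked LK_RAND values, AU_RAND and SRES, then tries every PIN offline until one reproduces the observed SRES. The real E22, E21 and E1 functions are SAFER+-based; this block swaps in HMAC-SHA256 stand-ins of the same shape (an assumption, so it will not crack a real capture), and which device's BD_ADDR feeds E22 is also assumed. The sample transcript is constructed inside the block by simulating an honest pairing with a known PIN.

```python
"""Offline brute force of a Bluetooth legacy-pairing PIN from a sniffed transcript.

Added example for this thread. E22/E21/E1 are replaced by HMAC-SHA256 stand-ins
(assumption); the search structure and cost model are faithful, the primitives are not.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from itertools import product


def _prf(label: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+-based Bluetooth key functions (assumption, not the spec)."""
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Kinit = E22(PIN', BD_ADDR, IN_RAND). A PIN shorter than 16 bytes is padded
    with the address, and the PIN length is an input, so b"1" and b"0001" differ."""
    pin_prime = (pin + bd_addr)[:16]
    return _prf(b"E22", pin_prime, bytes([len(pin)]), in_rand)[:16]


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """Each device's contribution to the combination (link) key."""
    return _prf(b"E21", lk_rand, bd_addr)[:16]


def e1(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """32-bit authentication response SRES (the spec's ACO output is ignored here)."""
    return _prf(b"E1", link_key, au_rand, claimant_addr)[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class Transcript:
    """What a passive sniffer captures during legacy pairing plus one authentication."""
    addr_a: bytes   # initiator BD_ADDR (6 bytes), visible in the baseband headers
    addr_b: bytes   # responder BD_ADDR
    in_rand: bytes  # 16 bytes, sent in clear by A
    lk_a: bytes     # LK_RAND_A XOR Kinit, sent by A
    lk_b: bytes     # LK_RAND_B XOR Kinit, sent by B
    au_rand: bytes  # challenge from A
    sres: bytes     # B's response, the value each PIN guess is checked against


def derive_link_key(pin: bytes, t: Transcript) -> bytes:
    """What both devices (and an attacker guessing the PIN) compute from the transcript."""
    kinit = e22(pin, t.addr_b, t.in_rand)  # which address E22 takes is assumed here
    lk_rand_a = _xor(t.lk_a, kinit)        # unmask the two random contributions
    lk_rand_b = _xor(t.lk_b, kinit)
    return _xor(e21(lk_rand_a, t.addr_a), e21(lk_rand_b, t.addr_b))


def simulate_pairing(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom) -> Transcript:
    """Play both devices honestly and return what the sniffer saw (constructed input)."""
    in_rand, lk_rand_a, lk_rand_b, au_rand = (rng(16) for _ in range(4))
    kinit = e22(pin, addr_b, in_rand)
    t = Transcript(addr_a, addr_b, in_rand, _xor(lk_rand_a, kinit),
                   _xor(lk_rand_b, kinit), au_rand, b"")
    return replace(t, sres=e1(derive_link_key(pin, t), au_rand, addr_b))


def crack_pin(t: Transcript, max_digits: int = 4):
    """Offline search over numeric PINs of 1..max_digits digits (the spec allows up to
    16 bytes, but phones of the era typically used 4). Returns (pin, candidates_tried)."""
    tried = 0
    for n in range(1, max_digits + 1):
        for digits in product(b"0123456789", repeat=n):
            pin = bytes(digits)
            tried += 1
            if e1(derive_link_key(pin, t), t.au_rand, t.addr_b) == t.sres:
                return pin, tried
    return None, tried


if __name__ == "__main__":
    import time
    # Constructed addresses and PIN; nothing here comes from a real capture.
    addr_a, addr_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    t = simulate_pairing(b"7391", addr_a, addr_b)
    start = time.perf_counter()
    pin, tried = crack_pin(t)
    print(f"PIN {pin!r} found after {tried} candidates in {time.perf_counter() - start:.2f}s")
```

Each guess costs one E22, two E21 and one E1 evaluation, and every 1- to 4-digit PIN is 11,110 candidates, so a 4-digit PIN falls in well under a second even in Python; the optimised SAFER+ and GPU work the thread mentions only starts to matter for long PINs (a 16-digit numeric PIN is 10^16 candidates). Because SRES is only 32 bits, a real tool should also check the second SRES from the mutual authentication before accepting a hit, which rules out the roughly 2^-32 chance of a false match.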

