Bluesniff Slides
Background to Bluetooth
  Operates in the 2.4GHz ISM band
  1Mb/s transfer rate
  Up to 100m range
  Primarily used as a cable replacement technology
  Shipped in most cell phones, PDAs and similar devices
Bluetooth Security
Bluetooth Overview
  Master device: initiates the connection
  Slave device: responds to the master
Bluetooth Characteristics
Whitening
  Packets are XORed with a pseudo-random stream of data
  The stream is based on an internal (unknown) clock value
Frequency Hopping
  1600 hops/second
Whitening
  A 7 bit register is initialized with 6 clock bits; the top bit is always '1'
  A stream of pseudo-random data is produced from the register
  The stream is then XORed with the packet
Frequency Hopping
  Hops are chosen based on the MAC address and clock of the master device
  Neither the MAC address nor the clock is known to the sniffer
GNU Radio
  Radio sampled in hardware
  All processing done in software
  7MHz bandwidth: sample 5 Bluetooth channels simultaneously
  Affordable: ~$700
  Dedicated sniffing hardware, e.g. FTS4BT, is ~$10,000
Demodulating Packets
Finding Packets
  GNU Radio passes all demodulated data
  The Access Code starts and ends with either 0101 or 1010
Recovering Data
MAC address
  Required for the frequency hopping pattern
Clock value
  Required for the frequency hopping pattern
  Also needed for whitening
User data

MAC Address
  Split into Lower, Upper and Nonsignificant Address Parts (LAP: 24 bits, UAP: 8 bits, NAP: 16 bits)
  NAP and UAP: assigned to the manufacturer (the OUI)
  LAP: assigned by the manufacturer
  Needed for
Packet Format
Unwhitening
  Packet whitening is an obstacle to recovering the payload of any packet
  Only 6 clock bits feed the whitening register, so there are 64 possible streams: small enough to brute force
  Generate all 64 possible unwhitened versions of the packet
  Use fixed/repetitive data to identify the correct version
  Once 6 bits of the clock are known, use them to unwhiten further packets
UAP
  The UAP is used as the initial state of the HEC and CRC calculations
  Both calculations use only XOR and shifts and are entirely reversible
  Reversing the HEC under each of the 64 clock candidates generates 64 candidate UAPs
  A CRC match confirms the UAP and 6 bits of the clock
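The whitening register described under Whitening above and the 64-way brute force with HEC reversal on this slide, as an added worked example (not the Bluesniff tool's code). The polynomials are the Bluetooth ones, but the register orientation, the bit order and where the UAP is loaded into the HEC and CRC registers are assumptions chosen for clarity and are not checked against the spec figures, so the constants will not match a real capture bit-for-bit. The reversal argument is unchanged: every HEC step is a shift plus XOR, so the initial state (the UAP) can be walked back from the final state, and a CRC that is also seeded with the UAP singles out the right clock candidate.

```python
"""Whitening, HEC reversal and the 64-way clock brute force from the slides.
Added example, not the Bluesniff code.  Polynomials: whitening D^7+D^4+1,
HEC D^8+D^7+D^5+D^2+D+1, CRC D^16+D^12+D^5+1.  Register orientation, bit
order and UAP placement are assumptions made for this illustration."""


def int_to_bits(value, n):
    """LSB-first bit list, the order in which Bluetooth transmits bits."""
    return [(value >> i) & 1 for i in range(n)]


def bits_to_int(bits):
    return sum(b << i for i, b in enumerate(bits))


def whitening_stream(clk, n):
    """n bits of the whitening sequence for master clock bits CLK6..CLK1.
    7-bit register: bit 6 fixed to 1, bits 5..0 = clk, so only 64 streams exist."""
    state = 0x40 | (clk & 0x3F)
    out = []
    for _ in range(n):
        out.append(state >> 6)                  # assumed: the MSB is the output
        fb = ((state >> 6) ^ (state >> 3)) & 1  # taps of D^7 + D^4 + 1
        state = ((state << 1) | fb) & 0x7F
    return out


def whiten(bits, clk):
    """XOR with the stream; applying it twice with the same clk restores the data."""
    return [b ^ w for b, w in zip(bits, whitening_stream(clk, len(bits)))]


HEC_POLY = 0xA7  # D^7 + D^5 + D^2 + D + 1; the D^8 term is the register length


def hec(uap, header_bits):
    """8-bit HEC over the 10 header bits, register initialised with the UAP."""
    state = uap
    for b in header_bits:
        fb = b ^ (state >> 7)
        state = ((state << 1) & 0xFF) ^ (HEC_POLY if fb else 0)
    return state


def uap_from_hec(header_bits, hec_value):
    """Run the HEC register backwards: each step is shift plus XOR, so the
    initial state (the UAP) is recovered exactly from the final state."""
    state = hec_value
    for b in reversed(header_bits):
        fb = state & 1  # bit 0 can only have come from the feedback term
        prev_shifted = state ^ (HEC_POLY if fb else 0)
        state = (prev_shifted >> 1) | ((fb ^ b) << 7)
    return state


def crc16(uap, payload_bits):
    """CRC-CCITT over the payload, register initialised from the UAP."""
    state = uap << 8  # assumed placement of the UAP in the register
    for b in payload_bits:
        fb = b ^ (state >> 15)
        state = ((state << 1) & 0xFFFF) ^ (0x1021 if fb else 0)
    return state


def build_packet(clk, uap, header_bits, payload_bits):
    """Header + HEC + payload + CRC, whitened as one stream (everything after
    the access code)."""
    plain = (header_bits + int_to_bits(hec(uap, header_bits), 8)
             + payload_bits + int_to_bits(crc16(uap, payload_bits), 16))
    return whiten(plain, clk)


def brute_force(whitened):
    """Try all 64 clock values: unwhiten, reverse the HEC to get a candidate
    UAP, keep the candidates whose UAP also makes the payload CRC verify."""
    found = []
    for clk in range(64):
        plain = whiten(whitened, clk)  # XOR is its own inverse
        header, hec_bits = plain[:10], plain[10:18]
        payload, crc_bits = plain[18:-16], plain[-16:]
        uap = uap_from_hec(header, bits_to_int(hec_bits))
        if crc16(uap, payload) == bits_to_int(crc_bits):
            found.append((clk, uap))
    return found


if __name__ == "__main__":
    # Constructed packet: arbitrary header bits, UAP 0x5b as in the sniffer
    # output on this page, clock bits 0x2a.
    header = int_to_bits(0x166, 10)
    payload = [1, 0, 1, 1, 0, 0, 1, 0] * 6
    pkt = build_packet(0x2A, 0x5B, header, payload)
    for clk, uap in brute_force(pkt):
        print(f"clock bits {clk:#04x} -> UAP {uap:#04x}")
```

Every one of the 64 clock values yields some candidate UAP from the HEC, which is why the slide needs the CRC as a second check: only the candidate whose UAP also seeds a CRC that matches the payload survives. With two captured packets the surviving UAP must additionally be the same for both, which is the cheap cross-check to apply before spending time on a connection attempt.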
NAP
  Not required for selection of the frequency hopping pattern
  But is useful for some attacks
  Used for identifying devices
  Needed for impersonating a device (man in the middle attack)
  Some manufacturers are more likely than others to produce Bluetooth devices
  CSR and Dell are more likely than Gibson Guitars or PanelLink Cinema

LAP
  Read directly from the Access Code in the packet
UAP
  Reverse the HEC calculation
  Check the result with the CRC
NAP
  Search the OUI database for the recovered UAP
  Attempt to connect to the devices to confirm
Use the known LAP and UAP to find and unwhiten packets

  ./packet_sniffer lap 0x00fac2 uap 0x5b
  Bluetooth packet sniffer
  DM1 Slots:1 clock: 32
  payload header: 01100110
  Start of fragment
  length = 12
  0110011000010000000000000000001000000000110110001111011110010
  0000101010101010101010101010101010111110001
  Packet CRC:0111000100111000
  CRC verified
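What the sniffer printed is the payload header followed by the unwhitened data bits, LSB first. The parser below is an added example (not part of the Bluesniff tool) that decodes those 104 bits from the output above into the DM1 payload header fields and the data bytes, and, because the LLID says the packet starts an L2CAP message, splits off the L2CAP basic header as well. The LLID names and the single-slot payload header layout (LLID 2 bits, FLOW 1 bit, LENGTH 5 bits) are the Bluetooth ones; the dictionary shape returned is this example's own choice.

```python
"""Decode the payload bits printed by the sniffer above.  Added example, not
part of the Bluesniff tool.  Bluetooth transmits every field LSB first; the
single-slot (DM1) payload header is one byte: LLID (2 bits), FLOW (1 bit),
LENGTH (5 bits), followed by LENGTH bytes of data."""
import struct

# The 104 payload bits from the packet_sniffer output on this page: the 8-bit
# payload header followed by 12 data bytes (the CRC line is not included).
SNIFFED_PAYLOAD_BITS = (
    "0110011000010000000000000000001000000000110110001111011110010"
    "0000101010101010101010101010101010111110001"
)

LLID_NAMES = {0: "undefined", 1: "L2CAP continuation", 2: "L2CAP start", 3: "LMP"}


def bits_to_bytes(bits):
    """Group an LSB-first bit string into bytes."""
    if len(bits) % 8:
        raise ValueError("bit string is not byte aligned")
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))


def parse_dm1_payload(bits):
    """Parse the payload header and data of a single-slot ACL packet.  When the
    LLID marks the start of an L2CAP message, also split the L2CAP basic header
    (little-endian length and CID) from the body."""
    if len(bits) < 8:
        raise ValueError("payload shorter than its header")
    field = [int(c) for c in bits[:8]]
    llid = field[0] | field[1] << 1
    flow = field[2]
    length = sum(field[3 + i] << i for i in range(5))
    if len(bits) < 8 + 8 * length:
        raise ValueError(
            f"header claims {length} bytes, only {(len(bits) - 8) // 8} present")
    data = bits_to_bytes(bits[8:8 + 8 * length])
    packet = {"llid": llid, "llid_name": LLID_NAMES[llid], "flow": flow,
              "length": length, "data": data, "l2cap": None}
    if llid == 2 and len(data) >= 4:
        l2cap_len, cid = struct.unpack("<HH", data[:4])
        packet["l2cap"] = {"length": l2cap_len, "cid": cid, "body": data[4:]}
    return packet


if __name__ == "__main__":
    p = parse_dm1_payload(SNIFFED_PAYLOAD_BITS)
    print(f"LLID {p['llid']} ({p['llid_name']}), flow {p['flow']}, "
          f"length {p['length']}")
    print("data:", p["data"].hex())
    if p["l2cap"]:
        print(f"L2CAP length {p['l2cap']['length']}, CID {p['l2cap']['cid']:#06x}, "
              f"body {p['l2cap']['body'].hex()}")
```

Run on the bits from the page this gives LLID 2 (start of an L2CAP message, the sniffer's "Start of fragment"), flow 1 and length 12, and the data bytes begin 08 00 40 00: an L2CAP basic header with length 8 and CID 0x0040 (the first dynamically allocated channel) followed by an 8-byte body, which is exactly the 12 bytes the sniffer reported. That internal consistency is a useful sanity check on an unwhitening result even before the CRC is examined.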
Future Work
  Frequency hopping
  Bluetooth V2.0

Frequency Hopping
Problems
  Frequency hops every 625 µs
  The USRP takes 200 µs to retune
  GNU Radio buffering
Solutions
  Only hop to every other frequency
  GNU Radio will be multi-threaded C++
  Use eight USRP devices to sample the entire range of Bluetooth data
Conclusions
  Bluetooth packets can now be captured without the need for proprietary hardware or firmware
  It is now possible to discover the MAC address of some undiscoverable devices in under a minute, regardless of implementation
  It is also possible to unwhiten packets without prior knowledge of the clock value