Source: http://www.remote-exploit.org/research/busting_bluetooth_myth.pdf (PDF, 2 pages, created Fri Mar 30 20:21:43 2007)
Busting The Bluetooth® Myth - Getting RAW Access
aka "Transforming a consumer Bluetooth® Dongle into a Bluetooth® Sniffer"

Max Moser
http://www.remote-exploit.org

Introduction
During the last year, rumours had come to my attention that apparently it is possible to transform a standard 30 USD Bluetooth® dongle into a full-blown Bluetooth® sniffer. Thinking you absolutely need hardware to be able to hop 79 channels 1600 times a second, I was rather suspicious about these claims.

This paper is the result of my research into this area, answering the question whether it is possible or not.

Analyzing Drivers
I used 4 different dongles during my tests, and these used the very same chipset from CSR. However, I noted that the features they offer were different and as such assumed that it must be the firmware that offers most of them.

For an overview about what is actually required to promiscuously sniff Bluetooth®, I downloaded commercial software that is freely available to everyone and inspected the files that come with the packages. Within the INI[1] files I stumbled across drivers for a chip made by CSR (Cambridge Silicon Radio). In a specific section all the devices are listed, including their unique USB® vendor ID (VID) and product identifier (PID).

A regular CSR BlueCore2 device has the value:

"USB\VID_0A12&PID_0001"

By further analyzing the files available in the commercial Bluetooth® sniffer package, I recognized that the driver used within that package identifies itself as:

"USB\VID_0A12&PID_0002"

The difference being only the last digit of the product ID (PID_0001 versus PID_0002). I now have the identifier the commercial sniffing tool seems to be expecting.

Analyzing Other Content
Within the installation directory of the unnamed commercial sniffer package, I spotted .dfu[3] files which appeared to be some sort of firmware files.

Finding Useful Target Dongles
After finding references to CSR drivers/chipsets in the installation package, I googled for CSR based Bluetooth® dongles. It is not that easy to find one which is for sure CSR based, but eventually I found a few and purchased them.

Hint: When you insert a Bluetooth® dongle into your Linux box, you can use "lsusb" or "usbview" to show all connected USB devices. I was surprised that 2 of my 4 dongles are showing me a familiar value of:

0xa12:0x0001 Cambridge Silicon Radio

Analyzing CSR Chipset And Its Abilities
By searching through the CSR website[2] for more information, I discovered a lot about the implementation of the various Bluetooth® features in their chipsets, and I recognized that the chip has different "stores" (memory).

I suddenly remembered a BlueZ tool called bdaddr which can change a Bluetooth® USB dongle's BT address, so I wondered whether the product ID can be changed using the same or similar techniques.

Soon I realised that by using the tool bccmd from the BlueZ CVS tree, I can completely read and partially write to the dongle's different storage areas, including the areas where the Bluetooth® vendor and product ID are stored!

I gave it a try and successfully modified my PSF store to hold now the desired values of:

0xa12:0x0002

1 http://en.wikipedia.org/wiki/INI_file
2 http://www.csr.com/products/bcrange.htm
3 http://acronyms.thefreedictionary.com/Device+Firmware+Upgrade
Installing The Drivers In Windows
Using my modified dongle I tried to install the drivers supplied by the commercial software's viewer version. And it did work! The drivers recognized the dongle as a genuine part of the sniffer product package.

Flashing The Dongle With The Commercial Firmware
Wondering whether there is a way to upload the dfu files I found in the installation package onto the dongle, I came across software called dfutool, also part of the BlueZ utilities. I tried to flash the commercial firmware onto the stick and guess what.... no errors... I was shocked. It seemed like the stick is now flashed with their firmware version.

I re-inserted the stick in my Linux computer and did see RAW as a feature within my hciconfig output; in addition I saw the RX and TX byte counters rising.

So now we have an exact copy of the commercial hardware sniffer, with the correct firmware, correct vendor and product ID. One question remains: "Will it sniff?"

Luckily I was able to find a person that owns a licensed version of the sniffer and finally was able to test it.

I found out that prior to using the dongle I have to configure it with their configuration tool. This was not as easy as planned, but after changing the MAC address of my modified dongle to the same value as the licensed one, it was working as expected.

Conclusion
- Most stuff is not done in hardware but in software; that was a widely spread myth
- The price is not a hurdle for black hats
- It should be possible to code a Linux sniffer

Resume
I like to state here very clearly that I did this all for educational research purposes and am quite shocked that this all was possible. It seems that the rumours are true and sniffing Bluetooth® is not a matter of expensive hardware, but of proprietary firmware and software.

This means that Bluetooth® has been much more vulnerable to sniffing than expected for months, and that this security-through-obscurity approach might have opened the gates for black hats discovering holes before we do.

About the Author
Max Moser is the founder of remote-exploit.org and currently works for Dreamlab Technologies Ltd. as Security Analyst and Tester.
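The lsusb hint on page 1 and the RAW flag the author later sees in hciconfig suggest a simple defender-side inventory check: which Bluetooth dongles on a host are CSR parts, which of them present the stock product ID versus the one the commercial sniffer driver expects, and which HCI interfaces are running in RAW mode. The following Python script is an added example, not code from the paper or from BlueZ. It parses lsusb and hciconfig output, flags devices with the CSR vendor ID 0x0a12, labels PID 0x0001 and PID 0x0002 as the paper describes them, and lists HCI interfaces whose flag line contains RAW. The sample outputs, the BD addresses in them and all function names are constructed for this example; the hciconfig layout assumed is a "hciN:" header followed by indented detail lines, with the flag line (e.g. "UP RUNNING PSCAN") being the only indented line without a colon.

```python
"""Inventory check for CSR-based Bluetooth dongles (added example, not from the paper).

Parses the output of `lsusb` and `hciconfig` (BlueZ), flags devices with the
CSR vendor ID 0x0a12, reports whether each carries the stock PID 0x0001 or the
PID 0x0002 that the commercial sniffer driver expects, and lists HCI interfaces
whose flag line includes RAW. All sample output below is constructed.
"""
import re
import subprocess

CSR_VID = 0x0A12        # Cambridge Silicon Radio (USB\VID_0A12 in the paper)
STOCK_PID = 0x0001      # regular BlueCore2 dongle (PID_0001)
SNIFFER_PID = 0x0002    # PID the commercial sniffer driver identifies with

# Matches the standard lsusb line: "Bus 001 Device 004: ID 0a12:0001 <description>"
LSUSB_RE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)


def parse_lsusb(text):
    """Return one dict per recognised lsusb line; unrelated lines are ignored."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.append({
                "bus": m.group("bus"),
                "device": m.group("dev"),
                "vid": int(m.group("vid"), 16),
                "pid": int(m.group("pid"), 16),
                "desc": m.group("desc").strip(),
            })
    return devices


def classify_csr(devices):
    """Return (bus:device, label) for CSR devices only, keyed on the product ID."""
    findings = []
    for d in devices:
        if d["vid"] != CSR_VID:
            continue
        if d["pid"] == STOCK_PID:
            label = "stock CSR dongle (PID 0x0001)"
        elif d["pid"] == SNIFFER_PID:
            label = "CSR dongle presenting the sniffer PID 0x0002"
        else:
            label = "CSR device with PID 0x%04x" % d["pid"]
        findings.append(("%s:%s" % (d["bus"], d["device"]), label))
    return findings


def hci_raw_interfaces(text):
    """Return the names of HCI interfaces whose flag line contains RAW.

    Assumed hciconfig layout: a header "hciN:<tab>Type: ..." followed by
    indented detail lines; the flag line ("UP RUNNING PSCAN", "DOWN", ...)
    is the only indented line without a key:value pair, so it has no colon.
    """
    raw, current = [], None
    for line in text.splitlines():
        header = re.match(r"^(hci\d+):", line)
        if header:
            current = header.group(1)
        elif current and line.strip() and ":" not in line:
            if "RAW" in line.split():
                raw.append(current)
    return raw


def inventory_report(lsusb_text, hciconfig_text):
    """Combine both checks into a list of human-readable lines."""
    lines = ["%s %s" % (where, label)
             for where, label in classify_csr(parse_lsusb(lsusb_text))]
    for iface in hci_raw_interfaces(hciconfig_text):
        lines.append("%s reports the RAW flag" % iface)
    return lines


# Constructed sample output (not captured from real hardware).
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
Bus 001 Device 005: ID 0a12:0002 Cambridge Silicon Radio, Ltd
Bus 001 Device 006: ID 046d:c52b Logitech, Inc. Unifying Receiver
"""

SAMPLE_HCICONFIG = """\
hci0:\tType: BR/EDR  Bus: USB
\tBD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
\tUP RUNNING PSCAN
\tRX bytes:1024 acl:0 sco:0 events:40 errors:0
\tTX bytes:512 acl:0 sco:0 commands:30 errors:0

hci1:\tType: BR/EDR  Bus: USB
\tBD Address: 00:11:22:33:44:66  ACL MTU: 310:10  SCO MTU: 64:8
\tUP RUNNING RAW
\tRX bytes:98765 acl:0 sco:0 events:2 errors:0
\tTX bytes:43 acl:0 sco:0 commands:1 errors:0
"""


def run_live():
    """Run against the real tools on a Linux host (lsusb and hciconfig must be installed)."""
    lsusb = subprocess.run(["lsusb"], capture_output=True, text=True).stdout
    hci = subprocess.run(["hciconfig", "-a"], capture_output=True, text=True).stdout
    return inventory_report(lsusb, hci)


if __name__ == "__main__":
    for line in inventory_report(SAMPLE_LSUSB, SAMPLE_HCICONFIG):
        print(line)
```

Running the script as-is reports on the constructed samples; calling run_live() on a Linux host runs the same checks against the real tools. A CSR dongle that shows up with PID 0x0002, or an HCI interface that is in RAW mode when no capture is expected, is the kind of finding worth recording in a hardware inventory, since the paper shows that nothing about the physical dongle distinguishes the two configurations.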