[liberationtech] How secure is Bluetooth?
Brian Conley
brianc at smallworldnews.tv
Sun Jan 29 14:47:00 PST 2012
Thanks Jacob,
I expected you'd reply thusly. The implementation I'm talking about doesn't appear to be compromised based on what I've read in the links you've provided. The first link, from USENIX, seems to be most damning; however, it doesn't appear to suggest that the packets from a voice call can be put back together in such a way they can be listened to. Even if that is true, it appears based on what I'm reading that, at most, current tools as of that paper would only enable you to listen to, at most, 2.4 seconds of audio from a one minute call.
I figured this by determining that 1600 channel hops over 79 channels in one second equates to 4% of the packets being intercepted, i.e. 4% of one second! I will provide the caveat that I am not a math whiz, but I believe I've done my calculations correctly. So, although this accounts for 2.4 seconds of TOTAL audio per second, that's 2.4 seconds made up of 60 increments of 4%, hardly useful for listening in!
Again, this is of course based on the assumption current technology cannot effectively monitor all 79 channels constantly for the duration of the call. However, it also makes the assumption the data packets can be reconstructed into audio.
I'm looking to accurately document the security risks of Bluetooth. The number one issue I'm looking at, given the implementation I'm considering, is whether or not an audio call can be listened to. The next question of course is that, if 4% of the packets can be intercepted, what data is contained in this packet BESIDES the audio? Is the phone number contained or only some kind of serial number?
It's crucial to know that Bluetooth is insecure and may at some future date be completely unreasonable for communications, however it's equally essential to know the practical implications at the current moment, in order to determine the likelihood any particular bad actor has access to the current technical tools.
For example, what is the likelihood at any given moment that a bad actor can identify an unknown person, who is currently tying their phone to a Bluetooth headset and making a phone call, and what is the likelihood the bad actor can then monitor/record that call? So far, while not outside the bounds of the conceivable, it appears to be an incredibly remote risk.
Of course the likelihood of a known individual being monitored is higher, though it still, so far, appears to be remote.
Sent from my iPad
On Jan 29, 2012, at 14:11, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> On 01/29/2012 02:02 PM, Brian Conley wrote:
>> Hi all,
>>
>> I've been thinking about a variety of applications for Bluetooth the last
>> year or so, finally getting down to business, but I'm increasingly
>> wondering about the security of transmissions via bluetooth devices, voice
>> in particular.
>>
>> Does anyone know of documentation of *current* exploits that allow the
>> interception or "listening in" of calls over Bluetooth headsets?
>>
>> It seems that it may be technically feasible to create a device that could
>> pick up the audio transmissions between a Bluetooth enabled phone and a
>> paired Bluetooth headset, but has this actually been documented? Given the
>> need to pair two devices in order to follow a radio frequency that hops
>> 1600 times per second, allegedly randomly, it feels like the easiest way to
>> prevent this is keep the phone in your possession, and never pair with an
>> unknown Bluetooth device.
>>
>> That said, has anyone else seen a documented manner to "receive" the
>> transmission between the two devices and follow it for the duration of a
>> phone call?
>>
>
> Bluetooth is fucked from a security perspective:
> http://www.usenix.org/event/woot07/tech/full_papers/spill/spill_html/
>
> You need to acquire one USRP and the proper daughter boards:
> https://encrypted.google.com/search?q=bluetooth+intercept+usrp
>
> Alternatively, an UberTooth:
> https://www.securepla.net/ubertooth-is-so-sweet-it-hurts/
> http://sourceforge.net/projects/ubertooth/files/
>
> Bluetooth has been killed by h1kari and NRuns:
> https://encrypted.google.com/search?q=h1kari+bluetooth
>
> Don't use Bluetooth for anything security sensitive, please.
>
> If you're in Seattle, I think you can buy one of the UberTooth boards in
> person in Capitol Hill at Ada's books.
>
> All the best,
> Jacob