[liberationtech] How secure is Bluetooth?

Brian Conley brianc at smallworldnews.tv
Sun Jan 29 16:09:02 PST 2012


See my first email please.

Are there any documented cases of monitoring the audio transmitted between
a Bluetooth headset and phone?

I am quite aware that Bluetooth is not safe for a variety of reasons.

When preparing advice for non-technical people with very real security
problems that are known, it's important to provide the best advice about
what is not known in their situation. I've been unable to find any
information on the viability of intercepting audio transmissions, even the
2007 article doesn't appear to suggest for certain that they could
reconstruct the audio file, merely that the potential might be there.

I'm only asking if anyone has heard of documented cases of listening in to
Bluetooth audio. So far it only seems to happen if there is a prior exploit
in place and that doesn't even appear to be definitive.

On Jan 29, 2012 3:52 PM, "Matt Mackall" <mpm at selenic.com> wrote:

> On Sun, 2012-01-29 at 14:47 -0800, Brian Conley wrote:
> > Thanks Jacob,
> >
> > I expected you'd reply thusly. The implementation I'm talking about
> > doesn't appear to be compromised based on what I've read in the links
> > you've provided. The first link, from usenix, seems to be most
> > damning, however doesn't appear to suggest that the packets from a
> > voice call can be put back together in such a way they can be listened
> > to. Even if that is true, it appears based on what I'm reading that,
> > at most, current tools as of that paper, would only enable you to
> > listen to, at most, 2.4 seconds of audio from a one minute call.
>
> Ok, so two academics in '07 get 90% of the way to a fully-working
> attack, but are stymied by a silly timing limitation in the
> software-defined radio they had on hand. They could trivially fix it by
> dropping another $1k on a second USRP for leapfrogging to the next
> channel, given that they _have exposed the hopping pattern_.
>
> And you conclude... "not compromised". Huh.
>
> I conclude "compromised for all practical purposes": I could take their
> paper and $2000 and build a fully-working attack if I had the
> motivation. As could any motivated interception capability vendor. Odds
> that this capability already exists: rapidly approaching unity.
>
> Also note that recording the traffic on all 79 3Mbit/s channels is
> trivially within the capabilities of any organization that designs its
> own hardware. This IC has programmable hop parameters and is < $5:
>
> www.atmel.com/atmel/acrobat/doc1612.pdf
>
> Slapping 79 of those on a board with a high-gain antenna and a USB
> interface left as an exercise for the reader.
>
> --
> Mathematics is the supreme nostalgia of our time.
>
>
>


