[liberationtech] How secure is Bluetooth?

Brian Conley brianc at smallworldnews.tv
Sun Jan 29 23:05:42 PST 2012 

Thanks Jacob,

I was looking for documentation from someone who has done it, had it done
to them, or is offering a product for sale.

All I had found previously was documentation about sniffing, which is of
course well known. The FinBluez is interesting, however there are only 3
references in google, one to the document you linked that says it will be
available in 2008. Either it never came out, or was renamed.

However it seems clear that Ellisys and ConnectBlue both at least claim to
offer products that will do this. I was surprised that I found it so
difficult to locate something like this, since it seemed very likely it
existed.

Which brings us to the next question, what is the feasibility or likelihood
that an unknown individual, communicating via a bluetooth headset and
otherwise over secure means, can be located, targetted, and intercepted?

Although there are documented accounts of located bluetooth signals from a
kilometer+ away, would it be reasonable to create such a device in
combination with one of the sniffers that will decode audio on the fly?
That sounds reasonable to me, though it seems a limited enough use-case
that its unlikely its been developed, but much more unlikely to be refined
and distributed widely.

I would not be surprised if American intelligence agents might have
something like this, though in some ways it seems more likely governments
in countries more prone to bluetooth sharing would be more likely to have
developed such a tool, however it still seems very unlikely.

The case I am considering here is something like this:

Jane is an activist who is communicating via a phone that, for our
purposes, is secure except for her decision to use a bluetooth headset.
Jane is not a known activist nor likely to be targeted for special
monitoring. However the authorities are on a heightened sense of alert and
looking for activists. She makes, at most, one call per day, at different
times of the day, and from different locations. Her phone calls are kept
short, less than three minutes whenever possible, and certainly less than
five. Jane uses a Bluetooth headset because she wishes to be less
conspicuous making her phone call.

So what is the likelihood this person's Bluetooth traffic is being
monitored? It appears to me that the question "can this person's Bluetooth
traffic be monitored?" is decidedly yes. However the question "IS she being
monitored?" Is much more murky, however I could be missing something here.
Further it would be interesting to discuss whether any of the following
dramatically change the likelihood of her Bluetooth transmissions being
monitored:

A. the security of the phone itself
B. the timing of the call
C. the location of the call
D. the length of the call
E. the individual(s) she calls
F. ???

And yes, I agree, http://en.wikipedia.org/wiki/Bluetooth#Security is pretty
funny reading.

I think we'd all agree that one of the largest problems here, of course, is
the closed nature of the Bluetooth protocol, combined with its broad
adoption by manufacturers. That said, if you need to disguise the fact that
you are making a phone call, it may be the only option, unless a wired
headset is feasible.

Thanks as always for your time and consideration

Best

Brian

On Sun, Jan 29, 2012 at 10:23 PM, Jacob Appelbaum <jacob at appelbaum.net>wrote:

> On 01/29/2012 04:09 PM, Brian Conley wrote:
> > See my first email please.
> >
> > Are there any documented cases of monitoring the audio transmitted
> between
> > a Bluetooth headset and phone.
>
> I guess you're looking for some personal stories or big news stories?
>
> >
> > I am quite aware that Bluetooth is not safe for a variety of reasons.
> >
>
> Please note that your users will likely be targeted by cops with FinFisher:
> http://speciali.espresso.repubblica.it/pdf/spyfiles/it-intrusion.pdf
>
> > When preparing advice for non technical people with very real security
> > problems that are known, its important to provide the best advice about
> > what is not known in their situation. I've been unable to find any
> > information on the viability of intercepting audio transmissions, even
> the
> > 2007 article doesn't appear to suggest for certain that they could
> > reconstruct the audio file, merely that the potential might be there.
> >
>
> Audio is a weird way to frame it. You have devices that communicate with
> Bluetooth (TM) use common cryptography and protocols. The crypto is
> busted: http://en.wikipedia.org/wiki/E0_(cipher)
>
> This is a pretty funny read:
> http://en.wikipedia.org/wiki/Bluetooth#Security
>
> Overall, I think it's important to note that even if a device wasn't
> used in a discoverable mode, a sniffer can at least passively track and
> try to exploit devices nearby after seeing them transmit. This is likely
> similiar to Bluejacking:
> http://en.wikipedia.org/wiki/Bluejacking
>
> Here's a project that uses a car as an audio bug:
> http://trifinite.org/trifinite_stuff_carwhisperer.html
>
> > I'm only asking if anyone has heard of documented cases of listening in
> to
> > Bluetooth audio. So far it only seems to happen if there is a prior
> exploit
> > in place and that doesn't even appear to be definitive.
>
> R&S sells a solution to sniff traffic between two devices:
> http://www2.rohde-schwarz.com/file_13603/Bluetooth_Sniffer_v2.4.pdf
>
> "In  an  active  Piconet,  where  at  least  two  Bluetooth®  devices
> (one  master,  one  or  more  slaves)  interact  with  each  other,  the
>  USB  dongle  is  air  sniffing the communication  between  those.  This
>  analysis  is  required  to  check  interoperability  of  Bluetooth®
> devices  from  different  vendors  and  to  troubleshoot  problems  by
> detailed protocol decoding"
>
> Those guys also sell IMSI-catchers if you're in the market...
>
> This "Decrypting Encrypted Bluetooth data with FTS4BT" is also a good read:
> http://www.fte.com/docs/encryption%20and%20decryption%20in%20fts4bt.pdf
>
> Basically, the FTS4BT just needs the pin to decrypt the data and that's
> where h1kari's work comes in:
> http://openciphers.sourceforge.net/oc/
> http://openciphers.sourceforge.net/oc/btpincrack.php
>
> Bluetooth Pin Cracking Core says:
>
> "The bluetooth pin cracking core implements the basic bluetooth pin
> cracking attack by generating possible PINs and running then through
> SAFER+ to verify if they are correct or not. This uses the pipelined
> implementation of SAFER+ and loops the output of the pipeline back into
> itsself 7 times to perform all of the E21/E22/E1 functions. The max
> clock speed we've been able to run it at on an E-12 is 75MHz which
> results in ~10 million PINs per second compared to roughly 40k on a
> modern CPU."
>
> the openciphers project supports the protocol analyser files produced by
> these devices:
> http://www.lecroy.com/protocolanalyzer/?capid=103&mid=511
>
> This does HCI and air interface sniffing in sync:
>
> http://www.connectblue.com/products/sniffer-protocol-analyzers/bluetooth-sniffer-protocol-analyzer/
>
> Note the features of that one:
> "Extracts Audio into WAV files: Supports A2DP, HSP & HF Profiles with
> playback for rapid quality check or performing a more detailed analysis"
>
> And if all of that doesn't convince you that someone can sniff Bluetooth
> - I encourage you to read this student's web page:
> http://nap.cse.bgu.ac.il/home/index.php/Bluetooth_Sniffing
>
> This seems to be the best buy for your money:
>
> http://compare.ebay.com/like/150735473216?var=lv&ltyp=AllFixedPriceItemTypes&var=sbar
>
> $799.99 for the LeCroy Merlin CATC Mobile Bluetooth Protocol Analyzer
> seems like a deal. Even cheaper than the USRP!
>
> If you're looking for other devices for BT sniffing, I also found this:
> http://www.palowireless.com/bluearticles/bluetoothanalyzercompare1.asp
>
> And finally - the Ellisys equipment:
> http://www.ellisys.com/products/bex400/revolution.php
> "The new Ellisys All-Channel sniffer robustly records any packet, at any
> time, from any neighboring piconet, with zero-configuration and without
> being intrusive."
>
> http://www.ellisys.com/products/bex400/ has the best quote:
> "Determine PIN codes automatically and decrypt the data on the fly"
>
> Two nice photos of the device and software:
> http://www.ellisys.com/archive/images/bex400.png
> http://www.ellisys.com/archive/images/bex400_soft.png
>
> All the best,
> Jacob
>



-- 



Brian Conley

Director, Small World News

http://smallworldnews.tv

m: 646.285.2046

Skype: brianjoelconley

public key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE827FACCB139C9F0

More information about the liberationtech mailing list