public inbox for linux-bluetooth@vger.kernel.org
From: Marcel Holtmann <marcel@holtmann.org>
To: BlueZ Mailing List <bluez-devel@lists.sourceforge.net>
Subject: Re: [Bluez-devel] Project about Bluetooth Security: Request for assistance
Date: Tue, 18 Jan 2005 20:48:57 +0100
Message-ID: <1106077737.8190.74.camel@pegasus>
In-Reply-To: <002f01c4fd75$e647c280$19cb13ac@stu.nus.edu.sg>

Hi Khoo,

> I have some questions about bluetooth security. 

I normally take money for this kind of answer ;)
 
> I am currently doing a project on bluetooth security and am required
> to develop some software (with bluetooth hardware) which can
> demonstrate bluetooth security weaknesses. 
>  
> Following are my ideas, please comment
>  
> 1. I have a Silicon Wave Bluetooth USB dongle and a V3 headset, and a
> Nokia 6600 smartphone. I desire to capture packets sent between the
> phone and the headset, without a Bluetooth protocol analyser (e.g. from
> Mobiwave), so that I can demonstrate that a hacker can listen in to
> unencrypted voice traffic. Is this possible at all?

This is not possible. You need a protocol analyzer.
 
> hcidump is similar to a protocol analyser, but it can capture only
> high-level traffic. My guess is that I can use hcitool scan to get the
> Bluetooth addresses of the phone and the headset first, and then based
> on the addresses attempt to calculate the pseudo-random frequency
> hopping sequence, so that I can stay on the same frequency as the
> phone and the headset. Problem is I don't understand the output of
> hcidump. Can hcidump capture traffic which does not belong to the host
> device?

Even if hcidump were able to do this, there is no normal Bluetooth
dongle available that can be a passive member of a piconet.
 
> 2. May I know the steps required to reproduce the work done by Adam
> Laurie (bluesnarfing) or the Flexilis team (bluesniper)? Will the test
> programs provided by the install of BlueZ be good as starting points?
> If so, which test program should I focus on? Please provide details if
> possible. This is purely for academic purposes.

The bluesniper is hardware stuff. You simply change the antenna of your
Bluetooth dongle. For bluesnarfing and bluebugging, this can be done
with normal utils from the BlueZ distribution or CVS. Take a look at the
21C3 slides or my Portoroz presentation. There will be another one at
the FFG 2005 in Munich at the end of February.
 
> 3. For the program l2ping.c, what is the end result for the victim
> phone of running the program? Does it cause the phone to malfunction?
>
> I ran it and pinged my Sony Ericsson T630. Later my phone could not
> initiate a Bluetooth connection with my headset. Otherwise everything
> else is fine.

I haven't seen any phone vulnerable to the l2ping attack so far.

Regards

Marcel

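Question 3 and the reply are about l2ping, which sends L2CAP echo requests on the signaling channel (CID 0x0001) and waits for echo responses. The frame layout is what you see in hcidump when you run l2ping against a phone, so having it in code helps with reading that output. The block below is an added example, not code from Marcel or from the BlueZ l2ping.c; it builds the request as l2ping would, validates the L2CAP and command headers when parsing, simulates a conforming peer's response and applies an l2ping-style acceptance check. Assumptions: the 44-byte default size matches l2ping's `-s` default, the data fill pattern (ascending bytes) is this example's choice, and requiring the echoed data to match the request is a strictness choice here (the L2CAP spec leaves echo response data implementation-specific). The size cap enforced in `build_sig_frame` is the one the 16-bit L2CAP length field imposes on any echo request, oversized `l2ping -s` values included.

```python
import struct

L2CAP_SIG_CID = 0x0001            # signaling channel; l2ping's echo requests travel on it
ECHO_REQUEST = 0x08
ECHO_RESPONSE = 0x09
L2CAP_HDR = struct.Struct("<HH")  # length, channel id (little-endian)
SIG_CMD_HDR = struct.Struct("<BBH")  # code, identifier, command data length
# Largest data field that fits the 16-bit L2CAP length once the command header is counted.
MAX_ECHO_DATA = 0xFFFF - SIG_CMD_HDR.size


def build_sig_frame(code: int, ident: int, data: bytes) -> bytes:
    """Wrap one signaling command in an L2CAP basic frame on CID 0x0001."""
    if not 0 <= ident <= 0xFF:
        raise ValueError("identifier must fit in one byte")
    if len(data) > MAX_ECHO_DATA:
        raise ValueError("command data does not fit the 16-bit L2CAP length field")
    cmd = SIG_CMD_HDR.pack(code, ident, len(data)) + data
    return L2CAP_HDR.pack(len(cmd), L2CAP_SIG_CID) + cmd


def build_echo_request(ident: int, size: int = 44) -> bytes:
    """Echo request carrying `size` data bytes (44 assumed as l2ping's default).
    The ascending-byte fill is this example's pattern, not necessarily l2ping's."""
    data = bytes(i & 0xFF for i in range(size))
    return build_sig_frame(ECHO_REQUEST, ident, data)


def parse_sig_frame(frame: bytes) -> dict:
    """Parse and validate an L2CAP signaling frame; reject anything malformed."""
    if len(frame) < L2CAP_HDR.size + SIG_CMD_HDR.size:
        raise ValueError("frame too short for an L2CAP signaling command")
    length, cid = L2CAP_HDR.unpack_from(frame, 0)
    if cid != L2CAP_SIG_CID:
        raise ValueError(f"not a signaling frame (CID 0x{cid:04x})")
    if length != len(frame) - L2CAP_HDR.size:
        raise ValueError("L2CAP length field disagrees with frame size")
    code, ident, cmd_len = SIG_CMD_HDR.unpack_from(frame, L2CAP_HDR.size)
    data = frame[L2CAP_HDR.size + SIG_CMD_HDR.size:]
    if len(data) != cmd_len:
        raise ValueError("command length field disagrees with frame size")
    return {"code": code, "ident": ident, "data": data}


def make_echo_response(request: bytes) -> bytes:
    """What a conforming peer sends back: echo response, same identifier, data echoed."""
    req = parse_sig_frame(request)
    if req["code"] != ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_sig_frame(ECHO_RESPONSE, req["ident"], req["data"])


def check_echo_response(request: bytes, response: bytes) -> bool:
    """l2ping-style acceptance: right code, matching identifier and (strictly, by this
    example's choice) the request data echoed back unchanged."""
    req = parse_sig_frame(request)
    try:
        resp = parse_sig_frame(response)
    except ValueError:
        return False
    return (resp["code"] == ECHO_RESPONSE
            and resp["ident"] == req["ident"]
            and resp["data"] == req["data"])


if __name__ == "__main__":
    req = build_echo_request(ident=200)
    print("request :", req.hex())
    print("accepted:", check_echo_response(req, make_echo_response(req)))
```

The first four bytes of the request (`30 00 01 00`) are the L2CAP length (48 = 4-byte command header plus 44 data bytes) and CID 1; the next four (`08 c8 2c 00`) are the echo request code, identifier 200 and the data length. Those are the fields hcidump prints as `L2CAP(s): Echo req: dlen 44` style lines, so matching them against the hex is a quick way to learn to read its output.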
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Thread overview:
2005-01-18 15:53 [Bluez-devel] Project about Bluetooth Security: Request for assistance Khoo Teck Ping
2005-01-18 19:48 ` Marcel Holtmann [this message]