[Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[David Mackie]

Hi,

Does anyone know if you are able to spoof or forge a Bluetooth Device
Address? I am wanting to pick up Bluetooth comms at one point and forward it
on to another device but I am wanting the repeating devices to act like the
original sending devices. Eg. If I have a phone that wants to communicate
with my PC, I can have 2 repeaters, one spoofed as the PC and one as the
phone.

phone <-BT-> Repeater(spoof PC) <-Not BT-> Repeater(spoof phone) <-BT-> PC

More information on why I want to do this can be found at
http://www.cs.ru.ac.za/research/students/g99m0302/masters/

Any comment of suggestions will be greatly appreciated

David



-- 
 David Mackie
 MSc Student, Department of Computer Science
 Rhodes University, Grahamstown, South Africa
 Email: d.mackie@ru.ac.za 
 Web: http://www.cs.ru.ac.za/research/students/g99m0302/


-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Collin R. Mulliner]

Hi,

> Does anyone know if you are able to spoof or forge a Bluetooth Device
> Address? I am wanting to pick up Bluetooth comms at one point and

As far as I know you can't do this with standart (normal) bluetooth
equipment. Maybe you can do this with special bluetooth devices, check
out the CSR development information.


... Collin

-- 
Collin R. Mulliner <collin@betaversion.net>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin@betaversion.net
According to my calculations the problem doesn't exist.


-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Marcel Holtmann]

Hi David,

> Does anyone know if you are able to spoof or forge a Bluetooth Device
> Address? I am wanting to pick up Bluetooth comms at one point and forward it
> on to another device but I am wanting the repeating devices to act like the
> original sending devices. Eg. If I have a phone that wants to communicate
> with my PC, I can have 2 repeaters, one spoofed as the PC and one as the
> phone.
> 
> phone <-BT-> Repeater(spoof PC) <-Not BT-> Repeater(spoof phone) <-BT-> PC
> 
> More information on why I want to do this can be found at
> http://www.cs.ru.ac.za/research/students/g99m0302/masters/
> 
> Any comment of suggestions will be greatly appreciated

I made a quick look through your documents. Spoofing of a BD_ADDR's is
not what you really want and of course it is also not possible. You
should think more of service forwarding. This means tunneling of the
complete L2CAP layer or dedicated SDP service records/RFCOMM channel
tunneling.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

RE: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[EXT-Somil.Asthana]

Hi Marcel,=20
  Why not use PAN profile instead of RFCOMM. We create an IP =
infrastructure (using Ethernet Bridging) route (or broadcast) packets =
between devices. If some BTH devices donot support PAN profile we can =
make devices attached to them as proxies. The adv of using PAN profile =
is that it can easily attached to IP back bone and this proj requires =
that (although it can result in some addressing issues). I am not sure =
if this is what David wants but you are correct there is no need to =
spoof addresses  or try getting the raw BTH packets etc.

regards
Somil
-----Original Message-----
From: bluez-users-admin@lists.sourceforge.net
[mailto:bluez-users-admin@lists.sourceforge.net]On Behalf Of ext Marcel
Holtmann
Sent: Sunday, June 06, 2004 5:11 PM
To: David Mackie
Cc: BlueZ Mailing List
Subject: Re: [Bluez-users] Can you spoof/forge Bluetooth
Devices/Address?


Hi David,

> Does anyone know if you are able to spoof or forge a Bluetooth Device
> Address? I am wanting to pick up Bluetooth comms at one point and =
forward it
> on to another device but I am wanting the repeating devices to act =
like the
> original sending devices. Eg. If I have a phone that wants to =
communicate
> with my PC, I can have 2 repeaters, one spoofed as the PC and one as =
the
> phone.
>=20
> phone <-BT-> Repeater(spoof PC) <-Not BT-> Repeater(spoof phone) =
<-BT-> PC
>=20
> More information on why I want to do this can be found at
> http://www.cs.ru.ac.za/research/students/g99m0302/masters/
>=20
> Any comment of suggestions will be greatly appreciated

I made a quick look through your documents. Spoofing of a BD_ADDR's is
not what you really want and of course it is also not possible. You
should think more of service forwarding. This means tunneling of the
complete L2CAP layer or dedicated SDP service records/RFCOMM channel
tunneling.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

RE: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Marcel Holtmann]

Hi Somil,

>   Why not use PAN profile instead of RFCOMM. We create an IP infrastructure (using Ethernet Bridging) route (or broadcast) packets between devices. If some BTH devices donot support PAN profile we can make devices attached to them as proxies. The adv of using PAN profile is that it can easily attached to IP back bone and this proj requires that (although it can result in some addressing issues). I am not sure if this is what David wants but you are correct there is no need to spoof addresses  or try getting the raw BTH packets etc.

I haven't read his documents in detail, but as I understand it he want's
to connect from a PC in one piconet to a mobile phone in another
piconet. These piconets are connected through an IP backbone and not via
a scatternet. So he must make the SPD records of the phone visible in
both piconets and if needed route a L2CAP or RFCOMM connection between
them. However it is his master thesis and not mine.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

RE: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[EXT-Somil.Asthana]

Hi Marcel=20
  This is getting interesting looks like I am completing my Masters =
thesis & you are mentoring (or vice versa).=20
 You don't need a scatterent to connect two piconet. Two piconets =
(basically piconet devices) can be connected via an ethernet wire or =
WLAN AP. I have done that its not magic. After connecting we can create =
an IP infrastructure make every device IP addressable (that is where I =
said there can be some IP addressing problem and I am trying to solve & =
publish it anyway its no concern here). Now the question comes sending =
SDP records - to know what kind of service each piconet device provides =
etc ?? If we have an IP infrastructure then why nt use UPnP protocol we =
don't need BTH SDP protocol (I guess UPnP protocol provides more =
flexibility than SDP (I am nt an expert in UPnP)). But if you still want =
BTH SDP then send SDP records in IP packets (not good). (Make IP =
connections between devices to transfer data etc no need to make RFCOMM =
connections run thousands of legacy IP applications without modifying a =
single line of code, I am nt able to understand why people are pushing =
for RFCOMM etc but nt what we are discussing here).=20

regards
Somil
-----Original Message-----
From: bluez-users-admin@lists.sourceforge.net
[mailto:bluez-users-admin@lists.sourceforge.net]On Behalf Of ext Marcel
Holtmann
Sent: Sunday, June 06, 2004 7:56 PM
To: Asthana Somil (EXT-Nokia-NRC/Boston)
Cc: d.mackie@ru.ac.za; BlueZ Mailing List
Subject: RE: [Bluez-users] Can you spoof/forge Bluetooth
Devices/Address?


Hi Somil,

>   Why not use PAN profile instead of RFCOMM. We create an IP =
infrastructure (using Ethernet Bridging) route (or broadcast) packets =
between devices. If some BTH devices donot support PAN profile we can =
make devices attached to them as proxies. The adv of using PAN profile =
is that it can easily attached to IP back bone and this proj requires =
that (although it can result in some addressing issues). I am not sure =
if this is what David wants but you are correct there is no need to =
spoof addresses  or try getting the raw BTH packets etc.

I haven't read his documents in detail, but as I understand it he want's
to connect from a PC in one piconet to a mobile phone in another
piconet. These piconets are connected through an IP backbone and not via
a scatternet. So he must make the SPD records of the phone visible in
both piconets and if needed route a L2CAP or RFCOMM connection between
them. However it is his master thesis and not mine.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Michael Schmidt]

Hi David,

> Does anyone know if you are able to spoof or forge a Bluetooth Device
> Address? I am wanting to pick up Bluetooth comms at one point and forward it
> on to another device but I am wanting the repeating devices to act like the
> original sending devices. Eg. If I have a phone that wants to communicate
> with my PC, I can have 2 repeaters, one spoofed as the PC and one as the
> phone.
> 
> phone <-BT-> Repeater(spoof PC) <-Not BT-> Repeater(spoof phone) <-BT-> PC

It is possible to change the BD_ADDR of certain BT devices. This 
requires the use of "undocumented", vendor-proprietary commands. In the 
source code of the Axis 'OpenBT' Bluetooth stack you can find how to do 
this for certain Ericsson and CSR-based devices.

However, you need to perform a full reset of the device in order to make 
the change effective. Also, a device (at least the ones that I know) can 
only have one address at a time. In other words, the BD_ADDR cannot be 
changed on a per-packet basis.

This is probably not want you want.


Cheers,

Michael

-- 
=================================================
Michael Schmidt
-------------------------------------------------
Institute for Data Communications Systems
University of Siegen, Germany
-------------------------------------------------
http:   www.nue.et-inf.uni-siegen.de/~schmidt/
e-mail: schmidt@nue.et-inf.uni-siegen.de
mobile: +49 179 7810214
=================================================


-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

RE: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Marcel Holtmann]

Hi Somil,

>   This is getting interesting looks like I am completing my Masters thesi=
s & you are mentoring (or vice versa).=20
>  You don't need a scatterent to connect two piconet. Two piconets (basica=
lly piconet devices) can be connected via an ethernet wire or WLAN AP. I ha=
ve done that its not magic. After connecting we can create an IP infrastruc=
ture make every device IP addressable (that is where I said there can be so=
me IP addressing problem and I am trying to solve & publish it anyway its n=
o concern here). Now the question comes sending SDP records - to know what =
kind of service each piconet device provides etc ?? If we have an IP infras=
tructure then why nt use UPnP protocol we don't need BTH SDP protocol (I gu=
ess UPnP protocol provides more flexibility than SDP (I am nt an expert in =
UPnP)). But if you still want BTH SDP then send SDP records in IP packets (=
not good). (Make IP connections between devices to transfer data etc no nee=
d to make RFCOMM connections run thousands of legacy IP applications withou=
t modifying a single line of code, I am nt able to understand why people ar=
e pushing for RFCOMM etc but nt what we are discussing here).=20

actually I don't think the point here is building the scatternet or
using IP to extend it. We already know that if we use PAN this is
working perfect and with Linux bridging, VLAN and NAT it is possible to
create this in an easy way. I've done this before without Bluetooth so
am not really interested in this way, because it is the same and nothing
really new.

However David mentioned he wants to talk to a phone and right now I
haven't seen any phone with PAN or UPnP. To support legacy devices you
need a distributed SDP database (you must keep it up-to-date) and use
somekind of tunneling for the RFCOMM channels. The RFCOMM tunnel is very
easy to achieve. It is a simple mapping from a TCP stream to a RFCOMM
stream. You can also map it to different channel numbers on each side.
The real problem here is the SDP database. Think about it.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Xavier Garreau]

> Does anyone know if you are able to spoof or forge a Bluetooth Device
> Address? I am wanting to pick up Bluetooth comms at one point and
> forward it on to another device but I am wanting the repeating
> devices to act like the original sending devices. Eg. If I have a
> phone that wants to communicate with my PC, I can have 2 repeaters,
> one spoofed as the PC and one as the phone.
>
> phone <-BT-> Repeater(spoof PC) <-Not BT-> Repeater(spoof phone)
> <-BT-> PC

As far as i know you can change the BD Address of a CSR BT chip by using CSR
vendor specific commands. At least, you can use an application they've made
to achieve this.

Hope it helps ...
-- 
Xavier Garreau <x.garreau@prim-time.fr>
Prim'Time Technology
http://www.prim-time.fr/



-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Marcel Holtmann]

Hi Xavier,

> > Does anyone know if you are able to spoof or forge a Bluetooth Device
> > Address? I am wanting to pick up Bluetooth comms at one point and
> > forward it on to another device but I am wanting the repeating
> > devices to act like the original sending devices. Eg. If I have a
> > phone that wants to communicate with my PC, I can have 2 repeaters,
> > one spoofed as the PC and one as the phone.
> >
> > phone <-BT-> Repeater(spoof PC) <-Not BT-> Repeater(spoof phone)
> > <-BT-> PC
> 
> As far as i know you can change the BD Address of a CSR BT chip by using CSR
> vendor specific commands. At least, you can use an application they've made
> to achieve this.

you can change the BD_ADDR of almost every Bluetooth dongle, but as
Michael correctly pointed out, you must reset the dongle after it. So
changing the address on the fly is not possible.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[David Mackie]

On Mon 2004-06-07 (10:11), Marcel Holtmann wrote:
>
> However David mentioned he wants to talk to a phone and right now I
> haven't seen any phone with PAN or UPnP. To support legacy devices you
> need a distributed SDP database (you must keep it up-to-date) and use
> somekind of tunneling for the RFCOMM channels. The RFCOMM tunnel is very
> easy to achieve. It is a simple mapping from a TCP stream to a RFCOMM
> stream. You can also map it to different channel numbers on each side.
> The real problem here is the SDP database. Think about it.
> 

Hi,

You are right in that we are wanting this to work with legacy devices, and
therefore there can be no modification to the phone's bluetooth stack. For
all intesnts and purposes the phone must think it communicating with the PC,
or the applications on the phone at least. I had thought that intial device
discovery would be the first and hardest problem to get around. Or am I
missing somthing in SDP? How to get a phone to talk to a repeater intailly
is the problem I think I will have. And that was why I was hopping to spoof
the PC by the repeater. Thanks for help and suggestions so far.

-dave


-------------------------------------------------------
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

RE: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[EXT-Somil.Asthana]

Hi Marcel=20
  Looks like I am in minority here :(. Actually you are very correct =
there aren't any phone with PAN or UPnP (its in one of our TODO list). =
Further, Symbian 8.0 release will have a PAN stack anyway (it will be =
interesting to interface with Bluez PAN  stack, as there are some =
issues). So for the time being you can look for solutions like =
Distributed SDP database, tunneling for the RFCOMM channels. They look =
every exciting but requires lot of debugging/testing  based on my =
experience on developing/debugging l2cap broadcast utility (using Bluez =
util code) and I didn't do anything novel there. As far as I see =
maintaining /updating Distributed SDP database is no different from =
cache coherence problem (but I am nt expert so I shouldn't really say =
that but I thought about it :)).

regards
Somil

 =20

-----Original Message-----
From: ext Marcel Holtmann [mailto:marcel@holtmann.org]
Sent: Monday, June 07, 2004 4:11 AM
To: Asthana Somil (EXT-Nokia-NRC/Boston)
Cc: d.mackie@ru.ac.za; BlueZ Mailing List
Subject: RE: [Bluez-users] Can you spoof/forge Bluetooth
Devices/Address?


Hi Somil,

>   This is getting interesting looks like I am completing my Masters =
thesis & you are mentoring (or vice versa).=20
>  You don't need a scatterent to connect two piconet. Two piconets =
(basically piconet devices) can be connected via an ethernet wire or =
WLAN AP. I have done that its not magic. After connecting we can create =
an IP infrastructure make every device IP addressable (that is where I =
said there can be some IP addressing problem and I am trying to solve & =
publish it anyway its no concern here). Now the question comes sending =
SDP records - to know what kind of service each piconet device provides =
etc ?? If we have an IP infrastructure then why nt use UPnP protocol we =
don't need BTH SDP protocol (I guess UPnP protocol provides more =
flexibility than SDP (I am nt an expert in UPnP)). But if you still want =
BTH SDP then send SDP records in IP packets (not good). (Make IP =
connections between devices to transfer data etc no need to make RFCOMM =
connections run thousands of legacy IP applications without modifying a =
single line of code, I am nt able to understand why people are pushing =
for RFCOMM etc but nt what we are discussing here).=20

actually I don't think the point here is building the scatternet or
using IP to extend it. We already know that if we use PAN this is
working perfect and with Linux bridging, VLAN and NAT it is possible to
create this in an easy way. I've done this before without Bluetooth so
am not really interested in this way, because it is the same and nothing
really new.

However David mentioned he wants to talk to a phone and right now I
haven't seen any phone with PAN or UPnP. To support legacy devices you
need a distributed SDP database (you must keep it up-to-date) and use
somekind of tunneling for the RFCOMM channels. The RFCOMM tunnel is very
easy to achieve. It is a simple mapping from a TCP stream to a RFCOMM
stream. You can also map it to different channel numbers on each side.
The real problem here is the SDP database. Think about it.

Regards

Marcel

RE: [Bluez-users] Can you spoof/forge Bluetooth Devices/Address?

[Marcel Holtmann]

Hi Somil,

>   Looks like I am in minority here :(. Actually you are very correct there aren't any phone with PAN or UPnP (its in one of our TODO list). Further, Symbian 8.0 release will have a PAN stack anyway (it will be interesting to interface with Bluez PAN  stack, as there are some issues). So for the time being you can look for solutions like Distributed SDP database, tunneling for the RFCOMM channels. They look every exciting but requires lot of debugging/testing  based on my experience on developing/debugging l2cap broadcast utility (using Bluez util code) and I didn't do anything novel there. As far as I see maintaining /updating Distributed SDP database is no different from cache coherence problem (but I am nt expert so I shouldn't really say that but I thought about it :)).

if you think that there are BlueZ PAN vs. Symbian PAN problems, feel
free to send me a PAN enabled phone and I will check what happens on our
side. Maybe the BlueZ code is buggy. I hope not, but it may be possible.

The idea with distributed SDP and a L2CAP/RFCOMM tunnel is very old. I
know that this works, because I already used it to reverse engineer the
FBus over Bluetooth part of the Nokia Data Suite that way. I didn't used
IP as tunnel between the two piconet, because BlueZ is able to work with
more than one dongle (or expensive PCMCIA cards in my case) attached to
the same host. Some easy tricks if you can't buy yourself a protocol
analyzer ;)

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users