BTCrack is the worlds first Bluetooth Pass phrase (PIN) bruteforce tool, BTCrack will bruteforce the Passkey and the Link key from captured pairing* exchanges.

To capture the pairing data it is necessary to have a Professional Bluetooth Analyzer : FTE (BPA 100, BPA 105, others), Merlin OR to know how to flash a CSR based consumer USB dongle with special firmware.

Example of an Attack scenario :

  • Attacker reconstructs BD_ADDR of both Master and Slave through passive (reconstructing through a preamble sniff, even when the device is in hidden mode) or active means (redfang)
  • Attacker changes his BD_ADDR to the one of the Slave device
  • Attacker asks to pair with the Master indicating it has no key, the Master will more then often trash the old pairing data and request a new link key from the genuine slave
  • Attacker now captures the key (pairing) exchange taking place between the two devices as the users try to re-establish a connection
  • Attacker exports data to CSV format and imports into BTCrack
  • Attacker can now compromise Master and Slave Bluetooth device through usage of the cracked Linkkey and is able to decrypt the data transmitted between the bluetooth devices

    Why the PIN is not so important
    An Attacker will focus on recovering the Linkkey and not the PIN, here's why :

  • The Link-key allows remote connections without the victim noticing
  • The Link-key allows and attacker to connect to devices in non-pairing mode and non discoverable mode
  • The Link-key allows decryption of the data

    History :
  • Olly Whitehouse - 2003
    Presented theoretic weaknesses in the implementation of the Pairing exchange
  • Shaked and Wool - 2005
    Present their logic to break pairing exchanges and implement it in Private
  • Thierry Zoller - 2006
    First public release of a complete optimized Implementation of the Shaked and Wool logic. Optimisation done by Erik Sesterhenn.
  • David Hulton / Thierry Zoller - 2007
    Worlds first FPGA based Implementation

    Screenshots :

    Speed Comparison :
  • P4 2Ghz - Dual Core 200.000 keys/sec
  • FPGA E12 @ 50Mhz 7.600.000 keys/sec
  • FPGA E12 @ 75Mhz 10.000.000 keys/sec
  • FPGA E14 30.000.000 keys/sec

    Known issues :
    [+] Frontline 6.0 mixes Master & Slave Addresses

    Changes :
    1.0 First release
    1.1 Intermediate Release
  • E12 + E14 FPGA Support (
  • Splash Screen
  • Process Priority
  • Speed increase (+15%)

    Downloads :
  • Download BTCrack
  • Heisec 2007 - Scheunentor Bluetooth
  • 23C3 - Bluetooth Hacking revisited - All your Bluetooth is belong to us

    Heisec 2007 Scheunentor Bluetooth Zoller


    Alberto said... @ 11 February, 2009 16:18

    Great news Thierry!


    Sn0rkY said... @ 11 February, 2009 21:34

    Good work ! One more good thing to buy E-14 card ;-)

    Anonymous said... @ 14 March, 2012 18:09

    ClamAV shows W32.Backdoor:Crypt.71e2b.vv when trying to download your .zip.

    Thierry Zoller said... @ 24 June, 2012 23:10

    I am afraid that is a false positive

    EAP-TTLS said... @ 11 December, 2012 12:34

    In the Wireless Ethernet Bridge Mode or Client mode, the device enables any wired Ethernet-ready device to connect to your existing wireless network. Connect your PC, notebook, printer, network camera, or even an entire wired network to the AP device via a Switch and establish a wireless connection to your wireless network. In repeater mode, you can add other AP devices to extend the wireless network without the need to run backbone cables.

    golyalpha said... @ 16 April, 2015 20:17

    Firefox is blocking the download, saying it's contains a virus or spyware.

    Post a Comment