This is kind of old news, but I present it here for the archives: a German TV channel, "SAT 1", did a documentary with me on Bluetooth security. I am not happy about the outcome: they had around 6 hours of footage, 5 minutes were used, and only the non-challenging information was shown. The real stuff (MiTM, key recovery) was not even indirectly referred to.

For those who understand German, here is the archived footage:


Planetopia - Bluetooth from Thierry Zoller on Vimeo.



My call for an OSS Bluetooth sniffer during the last 23C3 in Berlin has not gone unanswered. First there was Max Moser ("Bluetooth - Getting raw access"), who uncovered how you can modify a consumer USB stick by flashing it with a commercial BT sniffer firmware (at least one vendor included the firmware with every trial download) and get raw access to it.

The question that remained was how to send commands to it, get it into sniffing mode and synchronise it to the other devices. Exactly this is what Andrea Bittau and Dominic Spill found out during their work on a paper entitled "BlueSniff: Eve meets Alice and Bluetooth"; they further implemented it in C code. The paper will shortly be published and presented at this year's USENIX.

In other words, a Bluetooth hacker's dream has partially come true: a cheap and (partially) open way to sniff and capture packets, including the pairing handshake, which may then be cracked.

Andrea is currently working on cracking open the very last thing that keeps him from crafting low-level Bluetooth packets, the XAP2 processor. He disassembled the firmware to find out how exactly it works; for that he wrote his own disassembler. After this he/we may write our own firmware and basically do whatever we like, for example a full-blown fuzzer or full-blown attack device.

Other very interesting findings will be uncovered; more on this later :)

sniffer.c
Makefile
Sync.sh

BTCrack 1.1 is ready! I named it the BTCrack Heisec release, because I released it during the Heisec security conference.

BTCrack is a pairing-handshake cracker against Bluetooth 1.0 - 2.0; for more information please refer to the paper by Shaked and Wool and the website listed at the end of this e-mail.



In cooperation with PicoComputing (http://www.picocomputing.com/) we added FPGA support to BTCrack 1.1 and increased the software speed by 15%, reaching 200,000 keys per second on a stock P4 Dual-Core 2.0 GHz.

Version 1.1:
[+] Added Priority Control
[*] Fixed splash bug
[+] Added FPGA Support
[+] Speed increase (15%)

Keys per second (CPU vs. FPGA):
200,000 keys/sec - Dual-Core P4 2 GHz (CPU)
7,600,000 keys/sec - E12 @ 50 MHz (Pico FPGA)
10,000,000 keys/sec - E12 @ 75 MHz (Pico FPGA)
30,000,000 keys/sec - E16 (Pico FPGA)



Download BTCrack 1.1



I rarely comment on political issues within this blog, but now I do. Overall in Europe politicians seem to be jumping on the bandwagon as regards losing privacy rights and surveillance laws.

The scapegoat here is "Islamic Terror"; especially in Germany it is being blamed for pretty much everything. I call bullshit.

Check the independent report "EU TERRORISM SITUATION AND TREND REPORT 2007" by none other than Europol.



I repeat: "Islamic Terror is the number one threat to Europe" is the chanson of lots of politicians; now check this:

My question is this: how come a politician can make such claims without being held accountable, when there is clear evidence that he is simply pushing an agenda and doesn't care about reality? Not to mention that these other "terrorist" groups always existed, were always there. One thing is clear to me: if we don't get off our lame asses and start to do something, we will soon be no better than the US.

BTCrack 0.9a is coming along nicely; optimisations have been done and the final release will be on the Nruns website, as promised, very soon™ :)

BTCrack 0.9a now spawns 8 threads to crack the keys, which means dual-core or quad-core processors work out very nicely :) A few assembler optimisations are still ahead, and the final release should be ready for 23C3.

The general assumption that the attack is merely theoretical and that PINs of 6 digits represent good protection is now practically refuted.

Here are my current stats on a Dual-Core P4 2 GHz (48,000 PINs per second):

PIN - Time required (seconds)

  • 1234 - 0.25 seconds
  • 12345 - 1.59 seconds
  • 654321 - 16.171 seconds
  • 123456789 - 4851.156 seconds (1.3 hours)




It has been quite some time since I updated this blog; I will try to update it in the next weeks with a few details of what I was up to during the last months.

Let's start with the more important stuff: I got into AV research again =) The output will hit the public in the next months; be warned, there will be a flood of advisories :D

Together with Sergio Alvarez I gave a talk at Hack.lu 2007. This year we explained what the heck is up with anti-virus software. We revisited the way AV solutions are deployed in current company networks, and the AV engines themselves. Defense in Depth (DiD) is being misinterpreted and incorrectly implemented, with disastrous effects. Customers (end-users of AV software) believe they do DiD when in reality they do not; this is an important fact to keep in mind.

Rough break-down of the talk:

  • DiD as implemented for anti-virus software is broken: companies put one AV engine after the other, believing that to be DiD. The worst security incident in such an architecture is incorrectly defined as "a virus passes the gateway unrecognised"; in reality the worst possible failure is that the underlying operating system is compromised through the AV engine, and that is what you have to mitigate.
  • AV software is broken beyond recognition: AV engines parse enormous amounts of data in unmanaged programming languages and are thus naturally prone to errors. This was clear from the start, but the sheer amount of bugs is something else. Reality shows they all are.
  • AV software runs directly on critical infrastructure, with highly privileged rights; AV software runs everywhere.
  • E-mail changes what is at stake: what happens if I send an exploit targeting AV software as an attachment in an e-mail? (Such an e-mail can compromise corporate mail servers, clients and gateways from the outside, as it travels through the firewalls untouched.)

You can view the presentation here; it might be interesting to you, as I don't think everybody is aware of the impact some findings may have: The Death of AV-Defense in Depth?

A friend and colleague of mine, Alexios Fakos, has published a book under the title Sichere Web Anwendungen; unfortunately it is German only. If you'd like to know how to code hardened applications, I heartily recommend this book.

A free chapter of the book can be found here.