My call for an OSS Bluetooth sniffer during the last 23C3 in Berlin has not been unanswered, first there was Max Moser ("Bluetooth - Getting raw access") that uncovered how you can modify a consumer USB stick by flashing it with a commercial BTSniffer firmware (there was at least one vendor that included the firmware with every trial download) and get RAW access to it.

The question that was left was how to send commands to it, get it into sniffing mode, synching it to the other devices. Exactly this is what Andrea Bittau and Dominic Spill found out during his work on a Paper entitles "BlueSniff: Eve meets Alice and Bluetooth", he further implemented it in C code. The paper will be shortly be published and presented at this years' USENIX.

In other words a Bluetooth Hacker dream has partially come true, a cheap and (partialy) open way to sniff and capture packets, including the Pariring-handshake which may than be cracked.

Andrea is currently working on cracking open the very last thing that holds him from crafting low level Bluetooth packets, the XAP2 processor, he dissassembled the firmware to find out how exactly it works, for that he wrote his own dissassembler. After this he/we may write our own firmware and basicaly do whatever we like, for example a full blown fuzzer or full blown attack device.

Other very interesting findings will be uncovered, more on this later :)



Post a Comment