Bluetooth (in)security is just hilarious I think... I've been wanting to play with it and check it out (including your product on release)

Does anyone have a good bluetooth USB adapter they can recommend that works good (in linux of course)?
Anyone want to shout out a testimonial for myself and others intrested?
From google i found this.. which looks promising, but anyone have one that they would recommend?
http://www.holtmann.org/linux/bluetooth/devices.html
and
http://www.activemobiles.com/bluetooth_dongle.htm

I picked up the 40 dollar kensington USB dongle from best buy last week and it works fine with linux and the hci_usb drivers. I've never tried it, but I hear the belkin dongle works well too. you can get a used one online:

at belkin.com

In response to the original poster, have you allready created such a tool? Are these really exploits or are you just pairing the devices and trying to download information from them? I don't know of any exploits on individual handsets, although most have a generic PIN.

I mean, I can use my bluetooth dongle at home to put pictures on my phone and send data, but I have to pair both devices. Bluetooth doesn't exactly operate like Wifi, where it blatantly broadcasts itself within a wide range. I remember trying to share files using bluetooth between my cell phone and my brother's PDA, and it took about 10 minutes, because we both had to pair with eachother, enter the respective PINs and then finally we were able to share files.

Give us more data on your tool, etc.

I'd like to see what could happen in a crowded airport with an amplified bluetooth radio and a nice high gain, directional antenna. Phone number harvesting here I come.

the only USB BT adapter we use is by FIC. we had a need for a XP native MS BT stack, MS suggested FIC, which at the time was only shipping adapters to those looking to WHQL BT devices. theres many out there now, but not sure how many will operate off of mini drivers... but i am XP centric in my shop.

mini drivers work, feature rich monolithics can suck it

lol, -goats

Check out THIS LINK to listen to a segment on Bluetooth (in)security on wireless tech radio. It should hopefully clear up most of the questions so far. Also here is our writeup from our proof of concept test (vulnerability scanning) at the infamous E3 gaming convention in Los Angeles, CA. Let me know what you guys think...


E3 Bluetooth Usage Analysis

Equipment:

Hardware:
-Dell Inspirion Laptop
-USB Class 1 Bluetooth Adapter

Software:
-Slackware Linux 9.1 (kernel 2.4.26)
-BlueZ Linux Bluetooth protocol stack (bluez-libs-2.7, bluez-utils-2.7)
-Custom Bluetooth Address analysis tool written by Kevin Mahaffey

Procedure:

For approximately 90 minutes, all Bluetooth devices broadcasting their address within range (up to 100 m) were recorded by our software as we walked throughout all three halls and the main concourse of the Electronic Entertainment Expo. This is not a complete count of all Bluetooth devices in E3, but an analysis of the number of vulnerable devices a malicious individual could encounter in a densely populated environment.

Device Identification:

In order to identify specific phones based on their Bluetooth addresses, the initial three octets are referenced against a manufacturer database. Next, the remaining nodes are matched against production data provided by each manufacturer.
Example Data:

00:0A:B9:ED:7A:01
\ /
00:0A:B9
\ /
Sony Ericsson Mobile Communications AB
Nya Vattentornet
Lund SE 221 88
SWEDEN

Source: http://standards.ieee.org/regauth/oui/oui.txt


The rest identifies the specific device, and, if needed, a specific model number. It is not generally a good practice to identify devices based on their broadcast name because an end user can easily change the device name to that of his or her choosing (e.g. “BluePhone”).

When the entire dataset is run through our analysis tool, we can determine the relative distributions of Bluetooth devices. Non mobile-phone devices such as PDAs and Bluetooth-enabled laptop computers are not counted in the final dataset.

Collected Data:

Over 700 BlueTooth enabled phones were detected within only 90 minutes and nearly %20 being vulnerable to some form of exploit or another. The majority of the phones were Nokia, SonyEricsson, and Siemens and surprisingly most were in discoverable mode. This may have been due to the nature of the industry professionals and contact sharing features utilized while at E3.

Possible Attacks:

Once a phone is positively identified by its Bluetooth address, there are several vulnerability databases available on the Internet which may be used to determine exactly what attack a given phone is susceptible to. From here, a malicious user may decide to exploit the OBEX stack in the target phone with a SNARF attack or gain direct serial access to the device via a BLUEBUG attack. With the latter, virtually anything can be done to the target device remotely that could be done by the owner of the device. With a backdoor attack, a malicious user can gain access to the phone’s network resources such as internet access, etc.

Technical Rammifications:
Full AT access to phone
Full filesystem access to phone
Full access to phone’s TCP/IP network


Social Rammifications:
Make toll calls
Change any/all phonebook entries to a record&forward number to monitor conversations
Hack/Send spam e-mail from a target’s phone
Having someone’s phonebook would allow an attacker to namedrop and socially engineer the target to disclose sensitive information.
Turn phone into a surveillance device by dialing a phone number of the attacker’s choice without intervention on the target’s part
Listen to the target’s voicemail
Read or send text messages to or from the target, respectively
All of the above can be automated and done in as little as a few seconds by simply walking by an attacker.

Suspicious Behavior:

Currently exploits are only working on laptops running special software; however, it would be trivial for an expert to port these tools to a PDA or even a malicious cell phone.

Possible Risk Situations:
Someone on a laptop within close proximity running a linux shell
Someone within close proximity using a laptop with a usb Bluetooth dongle sticking out
Someone up to 1000 ft away with a large antenna
Someone on a PDA within close proximity
In a crowd, especially one with a recognizable technology connection (Conventions such as E3, Comdex, DefCon, CEBit, etc.).
On a subway with many people using mobile devices

In our research, we found that charter busses tend to have a large amount of Bluetooth mobile devices onboard, a phenomenon that provides a perfect situation for an attacker seeking to maintain close proximity to a target without garnering suspicion.

Solutions:

All of the major cell phone vendors have been contacted regarding this problem. Please contact them with questions and concerns regarding updates to your mobile phone.

Right now, the best solution is to turn Bluetooth OFF when it is not necessary.
When it is necessary, it is much more difficult to find a phone when it is switched into non-discoverable mode.


:D

good bluetooth link

BlueZ site

http://www.bluez.org/

Tons of links on getting blue tootk working.

and a great BT sniffing page. With a easy hardware hack to add an external antenna.

http://www.pentest.co.uk

Did this hack myself on a Dlink brand USB BT adapter. hard to get the brand they use in the US.

-Defigo

feedback from defcon

Hi all,
I was wondering if anyone was able to attend the BT panel mentioned in this thread and if microfly et al released their software.
Are there any links yet to their presentation or software?
I have been playing around with BT for some months now and am interested in trying out their all in one tool (it's a pain to do everything one step at a time, scan, find obex channel or open rfcomm, obexftp etc, etc.). I'm curious as to how they identify the make and model of scanned phones (SDP hash?).
Any info or new links appreciated.