Blue<Insert Adjective Here>: Exploiting Vulnerabilities in Mobile Bluetooth Stacks


  • Blue<Insert Adjective Here>: Exploiting Vulnerabilities in Mobile Bluetooth Stacks

    Hey Everyone,

    Still waiting to hear if my topic will be selected this year at defcon (cross my fingers) but I wanted to see what others within the DeFCon forums thought and what they have heard or experienced with regard to bluetooth (in)security.

    With over 1 million Bluetooth-enabled devices shipping a week, Bluetooth has become widely adopted and accepted by consumers as well as touted as an industry standard by manufacturers. With countless implementations and uses for this protocol, the industry continues to press on with production, however naive of the inherent vulnerabilities within the Bluetooth stack itself. This presentation will take an in-depth look into the origins of the Bluetooth protocol and its evolution since its conception, including a technical overview of the protocol itself and possible vulnerabilities. It will finally include the release of a new Bluetooth Scanning Tool which will encompass real world examples and Proof-of-Concept demonstrations as well as pose questions designed to provoke thought and suggest new implementations of this growing technology.

    We will be releasing a Bluetooth scanning tool made to run natively under any Linux environment with BlueZ (Bluetooth kernel module) installed. It will go beyond the existing information gathering Bluetooth scanners and will be focused on identifying vulnerable cellular handsets and quickly exploiting them with the appropriate attack (RFCOMM, OBEX, etc.). There will be a graphical and a command line interface as well as periodic updates to the vulnerability database as new firmware is released by device manufacturers. This tool is a proof-of-concept utility designed to show how easy it is to grab vast amounts of information from a handset and even utilize data and voice services through a Bluetooth link.

    Look forward to hearing from you all!

  • #2
    Bluetooth (in)security is just hilarious I think... I've been wanting to play with it and check it out (including your product on release)

    Does anyone have a good Bluetooth USB adapter they can recommend that works well (in Linux of course)?
    Anyone want to shout out a testimonial for myself and others interested?
    From Google I found this.. which looks promising, but anyone have one that they would recommend?
    The only constant in the universe is change itself


    • #3
      I picked up the 40 dollar kensington USB dongle from best buy last week and it works fine with linux and the hci_usb drivers. I've never tried it, but I hear the belkin dongle works well too. you can get a used one online:


      In response to the original poster, have you already created such a tool? Are these really exploits or are you just pairing the devices and trying to download information from them? I don't know of any exploits on individual handsets, although most have a generic PIN.

      I mean, I can use my Bluetooth dongle at home to put pictures on my phone and send data, but I have to pair both devices. Bluetooth doesn't exactly operate like Wifi, where it blatantly broadcasts itself within a wide range. I remember trying to share files using Bluetooth between my cell phone and my brother's PDA, and it took about 10 minutes, because we both had to pair with each other, enter the respective PINs and then finally we were able to share files.

      Give us more data on your tool, etc.
      Last edited by haydenth; June 24, 2004, 10:41.


      • #4
        I'd like to see what could happen in a crowded airport with an amplified bluetooth radio and a nice high gain, directional antenna. Phone number harvesting here I come.
        Speaking at DefCon 12: .


        • #5
          the only USB BT adapter we use is by FIC. we had a need for a XP native MS BT stack, MS suggested FIC, which at the time was only shipping adapters to those looking to WHQL BT devices. there's many out there now, but not sure how many will operate off of mini drivers... but i am XP centric in my shop.

          mini drivers work, feature rich monolithics can suck it

          lol, -goats
          If a chicken and a half, can lay an egg and a half, in a day and a half... how long would it take a monkey, with a wooden leg, to kick the seeds out of a dill pickle?


          • #6
            Check out THIS LINK to listen to a segment on Bluetooth (in)security on wireless tech radio. It should hopefully clear up most of the questions so far. Also here is our writeup from our proof of concept test (vulnerability scanning) at the infamous E3 gaming convention in Los Angeles, CA. Let me know what you guys think...

            E3 Bluetooth Usage Analysis


            -Dell Inspiron Laptop
            -USB Class 1 Bluetooth Adapter

            -Slackware Linux 9.1 (kernel 2.4.26)
            -BlueZ Linux Bluetooth protocol stack (bluez-libs-2.7, bluez-utils-2.7)
            -Custom Bluetooth Address analysis tool written by Kevin Mahaffey


            For approximately 90 minutes, all Bluetooth devices broadcasting their address within range (up to 100 m) were recorded by our software as we walked throughout all three halls and the main concourse of the Electronic Entertainment Expo. This is not a complete count of all Bluetooth devices in E3, but an analysis of the number of vulnerable devices a malicious individual could encounter in a densely populated environment.

            Device Identification:

            In order to identify specific phones based on their Bluetooth addresses, the initial three octets are referenced against a manufacturer database. Next, the remaining nodes are matched against production data provided by each manufacturer.
            Example Data:

            Sony Ericsson Mobile Communications AB
            Nya Vattentornet
            Lund SE 221 88


            The rest identifies the specific device, and, if needed, a specific model number. It is not generally a good practice to identify devices based on their broadcast name because an end user can easily change the device name to that of his or her choosing (e.g. “BluePhone”).

            When the entire dataset is run through our analysis tool, we can determine the relative distributions of Bluetooth devices. Non mobile-phone devices such as PDAs and Bluetooth-enabled laptop computers are not counted in the final dataset.

            Collected Data:

            Over 700 Bluetooth enabled phones were detected within only 90 minutes, with nearly 20% being vulnerable to some form of exploit or another. The majority of the phones were Nokia, Sony Ericsson, and Siemens and surprisingly most were in discoverable mode. This may have been due to the nature of the industry professionals and contact sharing features utilized while at E3.

            Possible Attacks:

            Once a phone is positively identified by its Bluetooth address, there are several vulnerability databases available on the Internet which may be used to determine exactly what attack a given phone is susceptible to. From here, a malicious user may decide to exploit the OBEX stack in the target phone with a SNARF attack or gain direct serial access to the device via a BLUEBUG attack. With the latter, virtually anything can be done to the target device remotely that could be done by the owner of the device. With a backdoor attack, a malicious user can gain access to the phone’s network resources such as internet access, etc.

            Technical Ramifications:
            Full AT access to phone
            Full filesystem access to phone
            Full access to phone’s TCP/IP network

            Social Ramifications:
            Make toll calls
            Change any/all phonebook entries to a record&forward number to monitor conversations
            Hack/Send spam e-mail from a target’s phone
            Having someone’s phonebook would allow an attacker to namedrop and socially engineer the target to disclose sensitive information.
            Turn phone into a surveillance device by dialing a phone number of the attacker’s choice without intervention on the target’s part
            Listen to the target’s voicemail
            Read or send text messages to or from the target, respectively
            All of the above can be automated and done in as little as a few seconds by simply walking by an attacker.

            Suspicious Behavior:

            Currently exploits are only working on laptops running special software; however, it would be trivial for an expert to port these tools to a PDA or even a malicious cell phone.

            Possible Risk Situations:
            Someone on a laptop within close proximity running a Linux shell
            Someone within close proximity using a laptop with a USB Bluetooth dongle sticking out
            Someone up to 1000 ft away with a large antenna
            Someone on a PDA within close proximity
            In a crowd, especially one with a recognizable technology connection (Conventions such as E3, Comdex, DefCon, CEBit, etc.).
            On a subway with many people using mobile devices

            In our research, we found that charter buses tend to have a large number of Bluetooth mobile devices onboard, a phenomenon that provides a perfect situation for an attacker seeking to maintain close proximity to a target without garnering suspicion.


            All of the major cell phone vendors have been contacted regarding this problem. Please contact them with questions and concerns regarding updates to your mobile phone.

            Right now, the best solution is to turn Bluetooth OFF when it is not necessary.
            When it is necessary, it is much more difficult to find a phone when it is switched into non-discoverable mode.
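The write-up above attributes phones by the first three octets of their Bluetooth address (the OUI) rather than by the user-editable broadcast name. The following is an added example, not the poster's analysis tool: it parses a constructed inquiry log in `hcitool scan` output format, looks each address up in a constructed OUI table (the prefixes are placeholders, not real vendor assignments), and tallies the per-manufacturer distribution.

```python
"""Vendor attribution of a Bluetooth inquiry log by OUI (added example).

Parses constructed `hcitool scan` style output, maps the first three
octets of each address to a manufacturer, and counts devices per vendor.
"""
import re
from collections import Counter

# Constructed OUI table: prefix -> manufacturer. The prefixes are
# placeholders; real use would load the IEEE OUI registry instead.
OUI_TABLE = {
    "00:AA:01": "Sony Ericsson Mobile Communications AB",
    "00:AA:02": "Nokia",
    "00:AA:03": "Siemens",
}

# Constructed sample log in `hcitool scan` output format: a banner line,
# then one tab-indented "<address>\t<broadcast name>" line per device.
SAMPLE_SCAN = """Scanning ...
\t00:AA:01:12:34:56\tT610
\t00:AA:02:AB:CD:EF\tNokia 6310i
\t00:AA:01:00:00:01\tBluePhone
\t00:AA:03:99:88:77\tS55
\t00:BB:00:11:22:33\tLaptop
"""

# A Bluetooth device address: six hex octets separated by colons.
BDADDR_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*)$")


def parse_scan(text):
    """Yield (address, name) tuples; lines without an address (the
    'Scanning ...' banner) are skipped."""
    for line in text.splitlines():
        m = BDADDR_RE.match(line)
        if m:
            yield m.group(1).upper(), m.group(2).strip()


def vendor_of(bdaddr):
    """Attribute a device by its OUI (first three octets), not by its
    broadcast name, which the owner can change (e.g. 'BluePhone')."""
    return OUI_TABLE.get(bdaddr[:8].upper(), "unknown")


def vendor_distribution(text):
    """Count detected devices per manufacturer; addresses whose OUI is
    not in the table are kept under 'unknown' rather than dropped."""
    return Counter(vendor_of(addr) for addr, _name in parse_scan(text))
```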



            • #7
              good bluetooth link

              BlueZ site


              Tons of links on getting Bluetooth working.

              and a great BT sniffing page. With an easy hardware hack to add an external antenna.


              Did this hack myself on a D-Link brand USB BT adapter. hard to get the brand they use in the US.



              • #8
                feedback from defcon

                Hi all,
                I was wondering if anyone was able to attend the BT panel mentioned in this thread and if microfly et al released their software.
                Are there any links yet to their presentation or software?
                I have been playing around with BT for some months now and am interested in trying out their all in one tool (it's a pain to do everything one step at a time, scan, find obex channel or open rfcomm, obexftp etc, etc.). I'm curious as to how they identify the make and model of scanned phones (SDP hash?).
                Any info or new links appreciated.