Bluetooth Auditing

Published: 2005-10-01. Last Updated: 2005-10-02 00:01:44 UTC
by Kevin Liston (Version: 1)
0 comment(s)
I had promised more details on how I conducted my Bluetooth audit during a disaster drill (http://isc.sans.org/diary.php?date=2005-06-20) when I was handler last. I was also working some local response to Katrina (http://isc.sans.org/diary.php?date=2005-09-05) at the time and didn't have the spare mental cycles to provide an update.  Today has allowed me a few moments to play a bit and fulfill my promise.

The platform
I used what I call my "combat laptop," or the "throwaway laptop."  This is the one that I carry with me when I travel and go to conferences.  It's had a lot of damage, but it still runs Linux just fine.  This particular incarnation is running Debian, and I used the BlueZ Bluetooth stack/suite (http://www.bluez.org/).

The Bluetooth interface I used is a Belkin Bluetooth USB Adapter (F8T001).

Getting it up and running wasn't trivial; I found the following links to be helpful resources:
http://www.fuschlberger.net/bluetooth/
http://www.kevinboone.com/PF_p800_linux.html (specifically its references to bluezfw.)

Actually, nothing I tried could get it to work until I moved the Bluetooth dongle to another USB port.  I'm not sure why that was required, but I'm not always the smartest little Mouseketeer.

While experimenting with other platforms, I found that Knoppix includes Bluetooth USB support.

The software
While Googling the topic, you will find lots of references to customized software used for the scanning (and by "references" I mean you see people mention it, but nobody coughs up a link.)  Since my initial goal was simple enumeration of devices and a quick assessment of how "juicy" a given target area is, I had no need for actual Bluetooth exploits.  I found that the basic tools in the BlueZ suite were sufficient for my needs.

Starting simply with:
    hcitool scan

This runs an inquiry and lists the Bluetooth device address (BD_ADDR, the 48-bit hardware address) and the device name of every device in range that is in discoverable mode.  The name is usually whatever the manufacturer set by default (typically the handset model), so it doubles as a rough vendor guess.  That "discoverable" part is important: a device that is connectable but not discoverable does not answer inquiries and will not show up here, even though it will still answer a service query if you know its address.  Discoverable devices are the wardriving equivalent of wide-open access points broadcasting their SSID.  If you want the class of device (phone, headset, laptop) rather than the name, hcitool inq prints it next to the address.

If you are looking for particular services to exploit -- er, enumerate -- you can scan for devices that support the profile of interest; sdptool search runs its own inquiry and then asks each device it finds for that service.  For example, to find devices capable of setting up a dial-up internet connection, you would use:
    sdptool search DUN

Other interesting services to search for are FTP (the OBEX file transfer profile, nothing to do with TCP/IP FTP) and OPUSH (OBEX object push, the profile vCards and pictures are beamed over).

Blueprinting
A much more scientific way to go about this is to use bp (the Blueprinting script) from the trifinite group (http://trifinite.org/), which I like because it relies on BlueZ's sdptool and the Bluetooth Device Security Database (http://www.betaversion.net/btdsd/), all glued together with Perl.  Nice, simple, and hackable.  Blueprinting fingerprints a device's make and model from the set of SDP records it exposes (together with the vendor part of its address) and looks the fingerprint up in the database.

Their process interrogates a Bluetooth device using sdptool browse --tree XX:XX:XX:XX:XX:XX (which is handy to have around later anyway.)  Browsing the SDP records does not normally require pairing, so you get the service list, record handles and RFCOMM channels from any device that accepts a connection, discoverable or not.

Antenna Performance
Although the box advertises a 100 m range, a dongle plugged into the side of a laptop isn't in an ideal location for signal reception.  Use of a USB extension cable is recommended.  If you want to get really crazy, place the dongle at the focal point of a parabolic dish (I haven't tried that myself, but I've heard it works for 802.11 dongles.)  You could also hack an external antenna onto your Bluetooth interface (http://trifinite.org/trifinite_stuff_bluetooone.html); I haven't tried this either.  The orderlies don't like me around soldering irons and glue guns.

Sensor Placement
Unlike wardriving, this is more of a sit-and-wait game.  Bluetooth devices and users are mobile, so it's better to pick a proper high-traffic area (or better yet, the meeting room where you're holding your audit kick-off meeting.)  With enough sensors and proper placement, you can track the movement of your Bluetooth users within your facility or campus.  I'm sure nobody would do anything bad with that information. :-\
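The pieces above (hcitool scan, sdptool browse, picking out the dial-up and OBEX profiles, and leaving a sensor running in a room) stitched together as one script.  This is an added example written for this page; it is not the diary author's script and not trifinite's bp.  It assumes the BlueZ command-line tools hcitool and sdptool are on PATH with hci0 up, and it parses the flat output of sdptool browse rather than the --tree form.  The sample_scan and sample_browse functions emit constructed output in the shape those tools print, so the parsing can be exercised without a dongle; the survey loop needs real hardware and only runs when given a duration and a log file.

```shell
#!/bin/sh
# Added example (not from the diary or from trifinite): enumerate discoverable
# devices with BlueZ, pull their SDP records, flag the profiles worth a second
# look, and log sightings with timestamps for a sit-and-wait sensor.
# Assumes hcitool/sdptool (bluez-utils) on PATH and hci0 up; the constructed
# samples below mirror the output format those tools print.

# parse_scan: read 'hcitool scan' output on stdin and emit one
# "BD_ADDR<TAB>name" line per device.  Only lines whose first field looks like
# a 17-character address are kept, so the "Scanning ..." header is dropped.
parse_scan() {
    awk 'length($1) == 17 && $1 ~ /^[0-9A-Fa-f:]+$/ {
            addr = $1; $1 = ""; sub(/^[ \t]+/, "")
            print addr "\t" $0
         }'
}

# parse_browse: read 'sdptool browse <addr>' output on stdin and emit one
# "service name<TAB>rfcomm channel" line per record.  "-" means the record
# has no RFCOMM channel; "(unnamed)" means it carries no Service Name.
# A record starts at its "Service RecHandle:" line; the name precedes it.
parse_browse() {
    awk '
        function flush() { if (name != "") print name "\t" chan }
        /^Service Name:/      { pending = $0; sub(/^Service Name: */, "", pending) }
        /^Service RecHandle:/ { flush(); name = (pending != "") ? pending : "(unnamed)"
                                pending = ""; chan = "-" }
        /^[ \t]*Channel:/     { chan = $NF }
        END                   { flush() }'
}

# juicy_services: keep only dial-up networking, OBEX object push and OBEX
# file transfer records (the DUN, OPUSH and FTP profiles from the diary).
juicy_services() {
    awk -F'\t' '$1 ~ /Dial-?up Networking|OBEX Object Push|OBEX File Transfer/'
}

# Constructed sample output (made up for this dry run, not captured from a
# real device) in the shape hcitool scan and sdptool browse print.
sample_scan() {
    printf 'Scanning ...\n'
    printf '\t00:11:22:33:44:55\tNokia 6310i\n'
    printf '\tAA:BB:CC:DD:EE:01\tT68i\n'
}
sample_browse() {
    printf 'Browsing 00:11:22:33:44:55 ...\n'
    printf 'Service Name: Dial-up Networking\nService RecHandle: 0x10000\n'
    printf 'Service Class ID List:\n  "Dialup Networking" (0x1103)\n'
    printf 'Protocol Descriptor List:\n  "L2CAP" (0x0100)\n  "RFCOMM" (0x0003)\n    Channel: 1\n'
    printf 'Service Name: OBEX Object Push\nService RecHandle: 0x10001\n'
    printf 'Protocol Descriptor List:\n  "L2CAP" (0x0100)\n  "RFCOMM" (0x0003)\n    Channel: 9\n'
    printf 'Service RecHandle: 0x10002\nService Class ID List:\n  "PnP Information" (0x1200)\n'
}

# survey SECONDS LOGFILE: keep re-running the inquiry for SECONDS and append a
# timestamped SEEN line per device and an SVC line per interesting service,
# so a sensor left in a high-traffic room records who passed through and when.
# Needs real hardware; not exercised by the dry run.
survey() {
    stop=$(( $(date +%s) + $1 ))
    while [ "$(date +%s)" -lt "$stop" ]; do
        hcitool scan | parse_scan | while IFS="$(printf '\t')" read -r addr name; do
            stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
            printf '%s\tSEEN\t%s\t%s\n' "$stamp" "$addr" "$name" >> "$2"
            sdptool browse "$addr" | parse_browse | juicy_services |
                awk -F'\t' -v s="$stamp" -v a="$addr" \
                    '{ print s "\tSVC\t" a "\t" $1 "\tchannel " $2 }' >> "$2"
        done
    done
}

# Run a survey only when given a duration and a log file, for example
#   sh btsurvey.sh 600 /tmp/bt-survey.log
# With no arguments the script just defines the functions.
if [ $# -eq 2 ]; then
    survey "$1" "$2"
fi
```

The log is one tab-separated line per event, so several sensors' files can simply be concatenated and sorted by timestamp to follow a given address around the building.  A name change between sightings is worth noticing too: the address stays fixed while the user-visible name is whatever the owner typed in.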

In other related neat-stuff-to-do
Check out http://cellspotting.com for something only peripherally related.

It is my first shift with the new system (be gentle); any errors in typography, grammar, or HTML syntax are purely my own.
kliston -at- isc sans org