Bluesniff - The Next Wardriving Frontier
Bluetooth Basics

NOT 802.11! NOT a relative of 802.11!
Cable replacement technology
Low power for embedded devices
More BT radios than 802.11 radios in existence
Phones, headsets, laptops, mice, keyboards
Master / Slave architecture

Bluetooth Protocol

Uses 2.4 GHz ISM band, same as 802.11b/g
Generally low power
Class 3 (1 mW) for most devices
Some Class 1 (100 mW) devices exist
Frequency Hopping Spread Spectrum
Uses a pre-defined hopping pattern
Back in the day, FHSS was a “security” mechanism
Resists interference
1 MHz wide, hopping every 625 microseconds
A real disaster of a protocol stack
Heck, the core spec is 1024 pages.. Good reading!
Specifies from Layer 1 to Layer 7
High points
RF-level sync
Inquiry/request
Service discovery
Low power modes

Bluetooth Security

Pairing
Using a shared secret (PIN), exchange random number to form key
Key used to derive session key for future comms
Used for Trusted <-> Trusted comms

Bluetooth Attacks

Interception of traffic during pairing
Brute force guess the PIN to recover key
Know the PIN b/c it’s embedded
More likely poorly developed software
In BT, security is “optional”
Or simply bad defaults
File sharing with no AA/E in discoverable mode was the DEFAULT for my BT driver on my PDA
Just like the early days of 802.11b
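
The pairing and PIN-guessing bullets above, modelled as an added example (not code from the presentation): HMAC-SHA256 stands in for Bluetooth's real key-derivation functions, and the challenge/response check, the function names and the sample values are assumptions of this model. It measures how little work a short numeric PIN costs an observer who captured the pairing exchange.

```python
import hashlib
import hmac
import itertools

def derive_key(pin: str, rand: bytes) -> bytes:
    """Stand-in KDF (HMAC-SHA256); NOT Bluetooth's real key-generation functions."""
    return hmac.new(pin.encode(), rand, hashlib.sha256).digest()[:16]

def auth_response(key: bytes, challenge: bytes) -> bytes:
    """Assumed model: a device proves it holds the key by MACing a challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:16]

def pairing_transcript(pin: str, rand: bytes, challenge: bytes):
    """Everything a passive observer of pairing sees in this model (no PIN)."""
    return rand, challenge, auth_response(derive_key(pin, rand), challenge)

def guesses_needed(transcript, digits: int):
    """Walk the numeric PIN space in order; return (guesses, pin) on a match,
    or (size_of_space, None) if no PIN of that length fits the transcript."""
    rand, challenge, observed = transcript
    count = 0
    for combo in itertools.product("0123456789", repeat=digits):
        count += 1
        pin = "".join(combo)
        candidate = auth_response(derive_key(pin, rand), challenge)
        if hmac.compare_digest(candidate, observed):
            return count, pin
    return count, None

def search_space(length: int, alphabet: int) -> int:
    """Number of PINs an observer would have to consider."""
    return alphabet ** length

# Constructed sample values, fixed so the result is reproducible.
RAND = bytes(16)
CHALLENGE = bytes(range(16))

if __name__ == "__main__":
    seen = pairing_transcript("4821", RAND, CHALLENGE)
    print("4-digit PIN recovered after", guesses_needed(seen, 4)[0], "guesses")
    print("4-digit numeric space :", search_space(4, 10))
    print("16-char alphanumeric  :", search_space(16, 62))
```

Each extra digit multiplies the work by only ten, so a short or embedded PIN offers little once pairing traffic has been captured.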