This Message is thrown together in a hurry with limited Internet
access, please take my aplogise for typos and missing information,
more will follow soon :)
My call for an OSS Bluetooth sniffer during the last 23C3
in Berlin has not been left unanswered, first there was
Max Moser("Bluetooth - Getting raw access") that uncovered
how you can modify a consumer USB stick by flashing it with
a BTSnifferfirmware and get RAW access to it. The question
that was leftwas how to send commands to it, get it into
sniffing mode, synchingit.
Exactly this is what Andrea Bittau and Dominic Spill found out
during their work on a Paper entitled "BlueSniff: Eve meets Alice
and Bluetooth", Andrea further implemented it in C code. The paper
will be shortly be published and presented at this years' USENIX.
In other words a Bluetooth Hacker dream has partially come true,
a cheap and (partialy) open way to sniff and capture packets,
including the pariring-handshake which may than be cracked.
Andrea is currently working on cracking open the very last
thing that holds him from crafting low level Bluetooth packets,
the XAP2 processor, he dissassembled the firmware to find out
how exactly it works, for that he wrote his own dissassembler,
after this he/we may write our own firmware and basicaly do
whatever we like, for example code a full blown fuzzer or full
blown attack device.
Other very interesting findings will be uncovered during the next
weeks, more on this later :)
PS. Renderman will demonstrate the findings at this years
DEFCON during the Church of WiFi, be there (I will)
Information and Files from :
Thierry Zoller - Security Engineer