Bluetooth Device Lookup
Happy Thanksgiving! I'm spending the break catching back up on the state of Bluetooth security because, hey, I love the subject. Just about everyone has a phone with Bluetooth, and many overlook it as a security hole because they assume nothing insidious can come of replacing wires with a few radio broadcasts. I'll give a quick rundown on how to get Bluetooth working under Linux, then the software I use, and finally a tool I wrote while watching the Dallas game to speed up identification of Bluetooth devices.
Hardware
Naturally, those "USB Bluetooth devices" that you see in stores are marketed for Windows, so how do you know what will work in Linux? Check this page, put together by Marcel Holtmann, to get an idea. If a device has an HCI version listed, it almost definitely works under Linux. Unfortunately it hasn't been updated in over a year and a half (March 31st of 2006), but it gives a good estimate of which brands will work. I looked for devices that had decent Newegg ratings and a history of Linux support. In the end I grabbed an IOGEAR GBU221, which has worked perfectly out of the box. Ironically this did NOT get good reviews on Newegg, and Best Buy had it cheaper, but I promise that is a very rare occurrence.
Software
As far as drivers go, it's BlueZ or nothing. It is an excellent package, complete enough to be qualified as Bluetooth 2.0, though given some of the implementations out there that may or may not be a selling point. The point is, grab it and it will work just like it does under Windows.
As far as software to interact with Bluetooth devices, it depends on what you want to do. I don't connect my phone via Bluetooth (preferring a USB cable), so I can't help you with that. However, make sure you have hcitool installed to pair with devices and scan for new ones around you. To test your setup, put your phone (or headset, or keyboard, or whatever) into discoverable (detection) mode and then run:
hcitool scan
If everything is set up, it should find your device and print its MAC address and device name.
After you're set up legally checking on your phone, you can try checking out others. Try an hcitool scan in a busy area and see if any phones show up. Or perhaps a parking lot if you're really devious. I'd recommend checking out the Trifinite Group for ideas of what evilness can go on over Bluetooth.
Device Lookup
Now that you have my two-cent description of how to get Bluetooth working on Linux (Ubuntu 7.10) and have done your own research on what vulnerabilities (might) exist out there, you may be interested in a quick way to identify the devices you find. Quick identification of the devices around you means quick knowledge of what exploits exist for them. I'm not advocating breaking devices, but this may be extremely useful when penetration testing a company or school. I wrote a quick Perl script that takes a given MAC address and returns the company that device is registered to. It ships with two text files: one is a list of known Bluetooth manufacturers and the device prefixes registered to them, the other is a full list of all MAC prefixes and who they're registered to. Download this tarball, untar the file, change into the mac_address directory, and then run it using:
tar -xf mac_address.tar
cd mac_address
perl mac_lookup.pl 00:16:8f:c0:5X:XX
It'll spit out info looking a little like:
Looking up: 00:16:8f:c0:51:11
Manufacturer Prefix: 00:16:8f
Device Type: c0:51:11
Manufacturer: GN Netcom as
I'm quickly porting it to PHP and putting all that info into a database, so you'll be able to bounce requests off a PHP page to grab the relevant information. More information will come on that in a day or two, once I have it up and running. Of course all of this was inspired by the BluePrinting project, and I hope to work that into my database.
EDIT: Whoops, it appears I misread a paper and wrote a hasty article. It is not possible to assume the second three bytes of a Bluetooth MAC are the device model, as every manufacturer is different. I've changed bits of the above article to reflect this, and changed the output of my tool. I'd also like to note there is another tool that is similar to this, @stake's redfang tool. However, that tool is used to *find* non-discoverable devices via brute force, whereas mine is a simple lookup tool.
Also, it should be noted that I'm using the term Bluetooth MAC address, though this may not be the best term. It's also called the Bluetooth Device Address.
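The prefix lookup the script performs, written in Python as an added example rather than the post's own Perl code: it normalises a Bluetooth Device Address, splits it into NAP, UAP and LAP, resolves the OUI (the first three bytes only, per the EDIT above) against a small prefix table, and also walks an hcitool scan listing so every discovered device is resolved in one pass. The tab-separated table format, the second table entry, and the scan listing are constructed assumptions, not files from the tarball; only the 00:16:8f / GN Netcom as entry comes from the post.

```python
import re
# Constructed sample prefix table, one "prefix<TAB>vendor" line per OUI. The
# 00:16:8f line is the entry from the post's sample output; the second line is
# a made-up placeholder standing in for the full OUI list the tool ships with.
SAMPLE_OUI_TABLE = """\
00:16:8f\tGN Netcom as
aa:bb:cc\tExample Vendor (constructed placeholder)
"""

# Constructed stand-in for `hcitool scan` output: a banner line, then one
# tab-indented "<address><TAB><device name>" line per discoverable device.
SAMPLE_SCAN = "Scanning ...\n\t00:16:8F:C0:51:11\tJabra headset\n\t11:22:33:44:55:66\tTest phone\n"

def parse_bd_addr(text):
    """Normalise a Bluetooth Device Address to six lowercase hex pairs."""
    raw = re.sub(r"[:-]", "", text.strip())  # accept ':' or '-' separators, or none
    if not re.fullmatch(r"[0-9a-fA-F]{12}", raw):
        raise ValueError(f"not a 48-bit Bluetooth Device Address: {text!r}")
    return [raw[i:i + 2].lower() for i in range(0, 12, 2)]

def load_oui_table(text):
    """Build {prefix: vendor} from tab-separated lines; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            prefix, vendor = line.split("\t", 1)
            table[prefix.strip().lower()] = vendor.strip()
    return table

def lookup(text, table):
    """Split the address into NAP/UAP/LAP and resolve the OUI (NAP + UAP). Only the
    first three bytes identify the manufacturer; the LAP is not a model number."""
    pairs = parse_bd_addr(text)
    oui = ":".join(pairs[:3])
    return {
        "address": ":".join(pairs),
        "nap": ":".join(pairs[:2]),      # Non-significant Address Part, 16 bits
        "uap": pairs[2],                 # Upper Address Part, 8 bits
        "lap": ":".join(pairs[3:]),      # Lower Address Part, 24 bits
        "oui": oui,
        "manufacturer": table.get(oui),  # None when the prefix is not in the table
    }

def lookup_scan(scan_output, table):
    """Resolve every device line of an `hcitool scan` listing into (name, lookup) pairs."""
    found = []
    for line in scan_output.splitlines():
        m = re.match(r"^\s+(\S+)\s+(.*)$", line)  # the "Scanning ..." banner does not match
        if m:
            found.append((m.group(2).strip(), lookup(m.group(1), table)))
    return found
```

An unknown prefix comes back as manufacturer None rather than an error, so a full scan listing can be resolved even when the table is incomplete.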