On 01/29/2012 11:05 PM, Brian Conley wrote:
Thanks Jacob,
I was looking for documentation from someone who has done it, had it done to them, or is offering a product for sale.
All I had found previously was documentation about sniffing, which is of course well known. The FinBluez is interesting, however there are only 3 references in google, one to the document you linked that says it will be available in 2008. Either it never came out, or was renamed.
The FinFisher guys wrote this paper ages ago: http://www.remote-exploit.org/research/busting-bluetooth-myth.pdf (now gone) Here's a mirror: bluetooth-pentest.narod.ru/doc/busting_bluetooth_myth_sniffer.pdf The best quote is here: "Introduction During the last year, rumours had come to my attention that apparently it is possible to transform a standard 30USD Bluetooth. dongle into a full-blown Bluetooth. sniffer. Thinking you absolutely need Hardware to be able to hop 79 channels 1600 times a second I was rather suspicious about these claims." Basically, he took a $30 bluetooth device and constructed a sniffer that works with downloadable software.
However it seems clear that Ellisys and ConnectBlue both at least claim to offer products that will do this. I was surprised that I found it so difficult to locate something like this, since it seemed very likely it existed.
Yeah - the fact that FinFisher offers it should cause concern.
Which brings us to the next question, what is the feasibility or likelihood that an unknown individual, communicating via a bluetooth headset and otherwise over secure means, can be located, targetted, and intercepted?
What's your threat model? It's impossible to meaningfully answer that question in the abstract. "It's feasible and likely" if the target warrants it and "possible" for a kiddie in a cafe.
Although there are documented accounts of located bluetooth signals from a kilometer+ away, would it be reasonable to create such a device in combination with one of the sniffers that will decode audio on the fly? That sounds reasonable to me, though it seems a limited enough use-case that its unlikely its been developed, but much more unlikely to be refined and distributed widely.
I'm sure some of the cell phone intercept gear already does this as a bonus add on feature - probably in shopping malls for tracking movements.
I would not be surprised if American intelligence agents might have something like this, though in some ways it seems more likely governments in countries more prone to bluetooth sharing would be more likely to have developed such a tool, however it still seems very unlikely.
FinFisher sells it and so governments have it. We know the Egyptians had it, I bet they had the Bluetooth module but I'm not certain.
The case I am considering here is something like this:
Jane is an activist who is communicating via a phone that, for our purposes, is secure except for her decision to use a bluetooth headset. Jane is not a known activist nor likely to be targeted for special monitoring. However the authorities are on a heightened sense of alert and looking for activists. She makes, at most, one call per day, at different times of the day, and from different locations. Her phone calls are kept short, less than three minutes whenever possible, and certainly less than five. Jane uses a Bluetooth headset because she wishes to be less conspicuous making her phone call.
Jane has patterns - Jane should use a connected headset and Jane will be better off.
So what is the likelihood this person's Bluetooth traffic is being monitored? It appears to me that the question "can this person's Bluetooth traffic be monitored?" is decidedly yes. However the question "IS she being monitored?" Is much more murky, however I could be missing something here. Further it would be interesting to discuss whether any of the following dramatically change the likelihood of her Bluetooth transmissions being monitored:
A. the security of the phone itself B. the timing of the call C. the location of the call D. the length of the call E. the individual(s) she calls F. ???
The question is impossible to answer. You'll know for sure if the attacker tells you, not at all if they don't and they take no other actions, and you'll just go crazy if bad stuff starts to happen and you have no idea why. If that really is her weak point, I think she should use a headset that is wired into the phone.
And yes, I agree, http://en.wikipedia.org/wiki/Bluetooth#Security is pretty funny reading.
It's a sad replacement for a wire, eh?
I think we'd all agree that one of the largest problems here, of course, is the closed nature of the Bluetooth protocol, combined with its broad adoption by manufacturers. That said, if you need to disguise the fact that you are making a phone call, it may be the only option, unless a wired headset is feasible.
Yeah, I'm not seeing how it's a good idea. The fact of the matter is simple - Jane is an activist trying to stay safe, Jane should not do unsafe things if she can help it. Bluetooth is a luxury that given the weaponized nature of some of the attackers, I think it is best avoided. Simply having it on will provide a relative tracking beacon - I imagine that some airplane modes on cell phones don't disable BT or Wifi...
Thanks as always for your time and consideration
Sure thing. I'm glad you're asking these questions. All the best, Jacob _______________________________________________ liberationtech mailing list liberationtech@lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE