[liberationtech] How secure is Bluetooth?
jacob at appelbaum.net
Sun Jan 29 22:23:07 PST 2012
On 01/29/2012 04:09 PM, Brian Conley wrote:
> See my first email please.
> Are there any documented cases of monitoring the audio transmitted between
> a Bluetooth headset and phone.
I guess you're looking for some personal stories or big news stories?
> I am quite aware that Bluetooth is not safe for a variety of reasons.
Please note that your users will likely be targeted by cops with FinFisher:
> When preparing advice for non technical people with very real security
> problems that are known, it's important to provide the best advice about
> what is not known in their situation. I've been unable to find any
> information on the viability of intercepting audio transmissions, even the
> 2007 article doesn't appear to suggest for certain that they could
> reconstruct the audio file, merely that the potential might be there.
Audio is a weird way to frame it. You have devices that communicate with
Bluetooth (TM) and use common cryptography and protocols. The crypto is
This is a pretty funny read:
Overall, I think it's important to note that even if a device wasn't
used in a discoverable mode, a sniffer can at least passively track and
try to exploit devices nearby after seeing them transmit. This is likely
similar to Bluejacking:
Here's a project that uses a car as an audio bug:
> I'm only asking if anyone has heard of documented cases of listening in to
> Bluetooth audio. So far it only seems to happen if there is a prior exploit
> in place and that doesn't even appear to be definitive.
R&S sells a solution to sniff traffic between two devices:
"In an active Piconet, where at least two Bluetooth® devices
(one master, one or more slaves) interact with each other, the
USB dongle is air sniffing the communication between those. This
analysis is required to check interoperability of Bluetooth®
devices from different vendors and to troubleshoot problems by
detailed protocol decoding"
Those guys also sell IMSI-catchers if you're in the market...
This "Decrypting Encrypted Bluetooth data with FTS4BT" is also a good read:
Basically, the FTS4BT just needs the pin to decrypt the data and that's
where h1kari's work comes in:
Bluetooth Pin Cracking Core says:
"The bluetooth pin cracking core implements the basic bluetooth pin
cracking attack by generating possible PINs and running them through
SAFER+ to verify if they are correct or not. This uses the pipelined
implementation of SAFER+ and loops the output of the pipeline back into
itself 7 times to perform all of the E21/E22/E1 functions. The max
clock speed we've been able to run it at on an E-12 is 75MHz which
results in ~10 million PINs per second compared to roughly 40k on a
the openciphers project supports the protocol analyser files produced by
This does HCI and air interface sniffing in sync:
Note the features of that one:
"Extracts Audio into WAV files: Supports A2DP, HSP & HF Profiles with
playback for rapid quality check or performing a more detailed analysis"
And if all of that doesn't convince you that someone can sniff Bluetooth
- I encourage you to read this student's web page:
This seems to be the best buy for your money:
$799.99 for the LeCroy Merlin CATC Mobile Bluetooth Protocol Analyzer
seems like a deal. Even cheaper than the USRP!
If you're looking for other devices for BT sniffing, I also found this:
And finally - the Ellisys equipment:
"The new Ellisys All-Channel sniffer robustly records any packet, at any
time, from any neighboring piconet, with zero-configuration and without
http://www.ellisys.com/products/bex400/ has the best quote:
"Determine PIN codes automatically and decrypt the data on the fly"
Two nice photos of the device and software:
All the best,
liberationtech mailing list
liberationtech at lists.stanford.edu
----- End forwarded message -----
Eugen* Leitl <leitl> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE