[liberationtech] How secure is Bluetooth?

Jacob Appelbaum jacob at appelbaum.net
Sun Jan 29 23:45:50 PST 2012

On 01/29/2012 11:05 PM, Brian Conley wrote:
> Thanks Jacob,
> I was looking for documentation from someone who has done it, had it done
> to them, or is offering a product for sale.
> All I had found previously was documentation about sniffing, which is of
> course well known. The FinBluez is interesting, however there are only 3
> references in google, one to the document you linked that says it will be
> available in 2008. Either it never came out, or was renamed.

The FinFisher guys wrote this paper ages ago:
http://www.remote-exploit.org/research/busting-bluetooth-myth.pdf (now gone)

Here's a mirror:

The best quote is here:

During the last year, rumours had come to my
attention that apparently it is possible to
transform a standard 30USD Bluetooth.
dongle into a full-blown Bluetooth. sniffer.
Thinking you absolutely need Hardware to be
able to hop 79 channels 1600 times a second I
was rather suspicious about these claims."

Basically, he took a $30 bluetooth device and constructed a sniffer that
works with downloadable software.

> However it seems clear that Ellisys and ConnectBlue both at least claim to
> offer products that will do this. I was surprised that I found it so
> difficult to locate something like this, since it seemed very likely it
> existed.

Yeah - the fact that FinFisher offers it should cause concern.

> Which brings us to the next question, what is the feasibility or likelihood
> that an unknown individual, communicating via a bluetooth headset and
> otherwise over secure means, can be located, targetted, and intercepted?

What's your threat model? It's impossible to meaningfully answer that
question in the abstract. "It's feasible and likely" if the target
warrants it and "possible" for a kiddie in a cafe.

> Although there are documented accounts of located bluetooth signals from a
> kilometer+ away, would it be reasonable to create such a device in
> combination with one of the sniffers that will decode audio on the fly?
> That sounds reasonable to me, though it seems a limited enough use-case
> that its unlikely its been developed, but much more unlikely to be refined
> and distributed widely.

I'm sure some of the cell phone intercept gear already does this as a
bonus add on feature - probably in shopping malls for tracking movements.

> I would not be surprised if American intelligence agents might have
> something like this, though in some ways it seems more likely governments
> in countries more prone to bluetooth sharing would be more likely to have
> developed such a tool, however it still seems very unlikely.

FinFisher sells it and so governments have it. We know the Egyptians had
it, I bet they had the Bluetooth module but I'm not certain.

> The case I am considering here is something like this:
> Jane is an activist who is communicating via a phone that, for our
> purposes, is secure except for her decision to use a bluetooth headset.
> Jane is not a known activist nor likely to be targeted for special
> monitoring. However the authorities are on a heightened sense of alert and
> looking for activists. She makes, at most, one call per day, at different
> times of the day, and from different locations. Her phone calls are kept
> short, less than three minutes whenever possible, and certainly less than
> five. Jane uses a Bluetooth headset because she wishes to be less
> conspicuous making her phone call.

Jane has patterns - Jane should use a connected headset and Jane will be
better off.

> So what is the likelihood this person's Bluetooth traffic is being
> monitored? It appears to me that the question "can this person's Bluetooth
> traffic be monitored?" is decidedly yes. However the question "IS she being
> monitored?" Is much more murky, however I could be missing something here.
> Further it would be interesting to discuss whether any of the following
> dramatically change the likelihood of her Bluetooth transmissions being
> monitored:
> A. the security of the phone itself
> B. the timing of the call
> C. the location of the call
> D. the length of the call
> E. the individual(s) she calls
> F. ???

The question is impossible to answer. You'll know for sure if the
attacker tells you, not at all if they don't and they take no other
actions, and you'll just go crazy if bad stuff starts to happen and you
have no idea why. If that really is her weak point, I think she should
use a headset that is wired into the phone.

> And yes, I agree, http://en.wikipedia.org/wiki/Bluetooth#Security is pretty
> funny reading.

It's a sad replacement for a wire, eh?

> I think we'd all agree that one of the largest problems here, of course, is
> the closed nature of the Bluetooth protocol, combined with its broad
> adoption by manufacturers. That said, if you need to disguise the fact that
> you are making a phone call, it may be the only option, unless a wired
> headset is feasible.

Yeah, I'm not seeing how it's a good idea. The fact of the matter is
simple - Jane is an activist trying to stay safe, Jane should not do
unsafe things if she can help it. Bluetooth is a luxury that given the
weaponized nature of some of the attackers, I think it is best avoided.
Simply having it on will provide a relative tracking beacon - I imagine
that some airplane modes on cell phones don't disable BT or Wifi...

> Thanks as always for your time and consideration

Sure thing. I'm glad you're asking these questions.

All the best,
liberationtech mailing list
liberationtech at lists.stanford.edu

Should you need to change your subscription options, please go to:


If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in monthly reminders.

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech

----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list