[liberationtech] How secure is Bluetooth?

Matt Mackall mpm at
Sun Jan 29 15:52:12 PST 2012

On Sun, 2012-01-29 at 14:47 -0800, Brian Conley wrote:
> Thanks Jacob,
> I expected you'd reply thusly. The implementation I'm talking about
> doesn't appear to be compromised based on what I've read in the links
> you've provided. The first link, from usenix, seems to be most
> damning, however doesn't appear to suggest that the packets from a
> voice call can be put back together in such a way they can be listened
> to. Even if that is true, it appears based on what I'm reading that,
> at most, current tools as of that paper, would only enable you to
> listen to, at most, 2.4 seconds of audio from a one minute call.

Ok, so two academics in '07 get 90% of the way to a fully-working
attack, but are stymied by a silly timing limitation in the
software-defined radio they had on hand. They could trivially fix it by
dropping another $1k on a second USRP for leapfrogging to the next
channel, given that they _have exposed the hopping pattern_.

And you conclude... "not compromised". Huh.

I conclude "compromised for all practical purposes": I could take their
paper and $2000 and build a fully-working attack if I had the
motivation. As could any motivated interception capability vendor. Odds
that this capability already exists: rapidly approaching unity.

Also note that recording the traffic on all 79 3Mbit/s channels is
trivially within the capabilities of any organization that designs its
own hardware. This IC has programmable hop parameters and is < $5:

Slapping 79 of those on a board with a high-gain antenna and a USB
interface left as an exercise for the reader.

Mathematics is the supreme nostalgia of our time.
