[liberationtech] How secure is Bluetooth?
jacob at appelbaum.net
Sun Jan 29 22:23:07 PST 2012
On 01/29/2012 04:09 PM, Brian Conley wrote:
> See my first email please.
> Are there any documented cases of monitoring the audio transmitted between
> a Bluetooth headset and phone.
I guess you're looking for some personal stories or big news stories?
> I am quite aware that Bluetooth is not safe for a variety of reasons.
Please note that your users will likely be targeted by cops with FinFisher:
> When preparing advice for non technical people with very real security
> problems that are known, it's important to provide the best advice about
> what is not known in their situation. I've been unable to find any
> information on the viability of intercepting audio transmissions, even the
> 2007 article doesn't appear to suggest for certain that they could
> reconstruct the audio file, merely that the potential might be there.
Audio is a weird way to frame it. You have devices that communicate with
Bluetooth (TM) using common cryptography and protocols. The crypto is
This is a pretty funny read:
Overall, I think it's important to note that even if a device wasn't
used in a discoverable mode, a sniffer can at least passively track and
try to exploit devices nearby after seeing them transmit. This is likely
similar to Bluejacking:
Here's a project that uses a car as an audio bug:
> I'm only asking if anyone has heard of documented cases of listening in to
> Bluetooth audio. So far it only seems to happen if there is a prior exploit
> in place and that doesn't even appear to be definitive.
R&S sells a solution to sniff traffic between two devices:
"In an active Piconet, where at least two Bluetooth® devices
(one master, one or more slaves) interact with each other, the
USB dongle is air sniffing the communication between those. This
analysis is required to check interoperability of Bluetooth®
devices from different vendors and to troubleshoot problems by
detailed protocol decoding"
Those guys also sell IMSI-catchers if you're in the market...
This "Decrypting Encrypted Bluetooth data with FTS4BT" is also a good read:
Basically, the FTS4BT just needs the pin to decrypt the data and that's
where h1kari's work comes in:
Bluetooth Pin Cracking Core says:
"The bluetooth pin cracking core implements the basic bluetooth pin
cracking attack by generating possible PINs and running them through
SAFER+ to verify if they are correct or not. This uses the pipelined
implementation of SAFER+ and loops the output of the pipeline back into
itself 7 times to perform all of the E21/E22/E1 functions. The max
clock speed we've been able to run it at on an E-12 is 75MHz which
results in ~10 million PINs per second compared to roughly 40k on a
the openciphers project supports the protocol analyser files produced by
This does HCI and air interface sniffing in sync:
Note the features of that one:
"Extracts Audio into WAV files: Supports A2DP, HSP & HF Profiles with
playback for rapid quality check or performing a more detailed analysis"
And if all of that doesn't convince you that someone can sniff Bluetooth
- I encourage you to read this student's web page:
This seems to be the best buy for your money:
$799.99 for the LeCroy Merlin CATC Mobile Bluetooth Protocol Analyzer
seems like a deal. Even cheaper than the USRP!
If you're looking for other devices for BT sniffing, I also found this:
And finally - the Ellisys equipment:
"The new Ellisys All-Channel sniffer robustly records any packet, at any
time, from any neighboring piconet, with zero-configuration and without
http://www.ellisys.com/products/bex400/ has the best quote:
"Determine PIN codes automatically and decrypt the data on the fly"
Two nice photos of the device and software:
All the best,