[liberationtech] How secure is Bluetooth?

Jacob Appelbaum jacob at
Sun Jan 29 22:23:07 PST 2012

On 01/29/2012 04:09 PM, Brian Conley wrote:
> See my first email please.
> Are there any documented cases of monitoring the audio transmitted between
> a Bluetooth headset and phone.

I guess you're looking for some personal stories or big news stories?

> I am quite aware that Bluetooth is not safe for a variety of reasons.

Please note that your users will likely be targeted by cops with FinFisher:

> When preparing advice for non-technical people with very real security
> problems that are known, it's important to provide the best advice about
> what is not known in their situation. I've been unable to find any
> information on the viability of intercepting audio transmissions, even the
> 2007 article doesn't appear to suggest for certain that they could
> reconstruct the audio file, merely that the potential might be there.

Audio is a weird way to frame it. You have devices that communicate with
Bluetooth (TM) and use common cryptography and protocols. The crypto is

This is a pretty funny read:

Overall, I think it's important to note that even if a device wasn't
used in a discoverable mode, a sniffer can at least passively track and
try to exploit devices nearby after seeing them transmit. This is likely
similar to Bluejacking:

Here's a project that uses a car as an audio bug:

> I'm only asking if anyone has heard of documented cases of listening in to
> Bluetooth audio. So far it only seems to happen if there is a prior exploit
> in place and that doesn't even appear to be definitive.

R&S sells a solution to sniff traffic between two devices:

"In an active Piconet, where at least two Bluetooth® devices
(one master, one or more slaves) interact with each other, the
USB dongle is air sniffing the communication between those. This
analysis is required to check interoperability of Bluetooth®
devices from different vendors and to troubleshoot problems by
detailed protocol decoding"

Those guys also sell IMSI-catchers if you're in the market...

This "Decrypting Encrypted Bluetooth data with FTS4BT" is also a good read:

Basically, the FTS4BT just needs the pin to decrypt the data and that's
where h1kari's work comes in:

Bluetooth Pin Cracking Core says:

"The bluetooth pin cracking core implements the basic bluetooth pin
cracking attack by generating possible PINs and running them through
SAFER+ to verify if they are correct or not. This uses the pipelined
implementation of SAFER+ and loops the output of the pipeline back into
itself 7 times to perform all of the E21/E22/E1 functions. The max
clock speed we've been able to run it at on an E-12 is 75MHz which
results in ~10 million PINs per second compared to roughly 40k on a
modern CPU."

The openciphers project supports the protocol analyser files produced by
these devices:

This does HCI and air interface sniffing in sync:

Note the features of that one:
"Extracts Audio into WAV files: Supports A2DP, HSP & HF Profiles with
playback for rapid quality check or performing a more detailed analysis"

And if all of that doesn't convince you that someone can sniff Bluetooth
- I encourage you to read this student's web page:

This seems to be the best buy for your money:

$799.99 for the LeCroy Merlin CATC Mobile Bluetooth Protocol Analyzer
seems like a deal. Even cheaper than the USRP!

If you're looking for other devices for BT sniffing, I also found this:

And finally - the Ellisys equipment:
"The new Ellisys All-Channel sniffer robustly records any packet, at any
time, from any neighboring piconet, with zero-configuration and without
being intrusive." has the best quote:
"Determine PIN codes automatically and decrypt the data on the fly"

Two nice photos of the device and software:

All the best,
