Wednesday, 17 October 2012

Discovering Bluetooth Devices

In July 2011 Michael Ossmann wrote a blog post entitled "Discoverability is Not a Mitigating Factor" which discussed the Bluetooth security advice being given about discoverable devices by people and organisations that should know better.  It is worth reading his post in full, but I'll quote two important parts here:

"LAP sniffing is easy. Spill and Bittau showed how to sniff LAPs with a USRP for about $1000. Now it can be done with an Ubertooth One for about a tenth of that price. It can even be done using Travis Goodspeed's method for promiscuous sniffing with lower cost platforms."

"The UAP is only slightly more difficult for an attacker to learn. Project Ubertooth and gr-bluetooth include software that implements automatic UAP determination based on passive observation of just a few packets."

I completely agree with Michael on this, the methods for retrieving the LAP and UAP are easy and well known, but we still hear advice suggesting that turning off the discoverable setting for your device will protect it from being found by malicious attackers.  So, taking in to account Wright's law:

“Security will not get better until tools for practical exploration of the attack surface are made available.” -Josh Wright

I wrote a tool that would initiate a standard Bluetooth device scan, but also add devices discovered with the Ubertooth.  I call the tool "ubertooth-scan" and it's available from the master branch of the Ubertooth git repository.

Ubertooth-scan requires an Ubertooth and a standard Bluetooth device on a host with libbluetooth (bluez) installed.  First we use the Bluetooth device to perform an HCI scan, this is the same as running "hcitool scan" from the command line.  The second part of the tool uses the Ubertooth to promiscuously sniff for Bluetooth packets, retrieving the LAP and UAP values before handing them over to libbluetooth to query the device name.  Most non-discoverable devices respond to name inquiries.

I've also added an extended query (triggered by the -x option) which will check the device for supported features, chipset version and clock offset from the local device.

Using a dongle to get the clock offset for a remote device allows us to calculate the clock value of the target and use that to hop along with the piconet, dumping packet data to screen as we go.  Here's a quick snippet of the code in action, apologies for the low quality video:

I'll be presenting this in more detail, along with other recent developments in the Ubertooth project, at Ruxcon this weekend.  If you are in Melbourne or are already planning to attend Ruxcon, and would like more detail, please come to my presentation at 2pm on Sunday in track 1. 

Thursday, 11 October 2012

Ubertooth and libbtbb Release 2012-10-R1

The latest release of the Ubertooth software is now available.  The 2012-10-R1 release contains numerous bug fixes and minor improvements as well as some large architectural changes.

The host code for both Ubertooth and libbtbb is now easier to compile, with major simplifications to the process for the btbb Wireshark plugin.  Build instructions can be found on the Ubertooth website.

As development has shifted from a subversion repository to a git repository, we no longer have sequential revision numbers to use for release naming.  All future releases will be named using the year and month of release.

When using the latest release it is necessary to update the firmware on your Ubertooth.  Binary firmware images can be found in the release package, and flashed to the Ubertooth using the ubertooth-dfu tool (ubertooth-dfu --write <image-filename.dfu> --detach).  The host code needs to be built and installed before updating firmware images.  Alternatively firmware images can be built using the ARM embedded variant of gcc.

The release notes for the ubertooth 2012-10-R1 release are as follows:

Release Notes

The Ubertooth host utilities in this release require libbtbb-2012-10-R1 or greater, it can be found at

These are just the highlights.  For a complete list of changes since the previous release, see the git log.

 - libubertooth

   The core Ubertooth functions are now packaged as a library, which allows us to have some independence between the core ubertooth functions and the tools that use them, such as ubertooth-* and the kismet plugin.  This should also help with future binary packaging.

 - Firmware flashing

   The ubertooth-dfu tool now attenpts to identify Ubertooth devices and put them in to firmware upgrade mode.  Multiple arguments can also be passed to ubertooth-dfu and will be executed in the order specified ont he commandline.  To flash firmware on to an ubertooth device, use the following command:
     ubertooth-dfu --write <firmware_image.dfu> --detach

 - Bluetooth Low Energy (Experimental)

   Bluetooth Low Energy (Bluetooth Smart) sniffing is experimentally supported by the bertooth-btle tool. The tool can be used to sniff the connection   setup procedure between devices; promiscuous sniffing is available but is extremely experimental. Credit for this achievement goes to Mike Ryan.

 - Ubertooth-follow

   Ubertooth-follow has been added to the set of Ubertooth commandline tools.  It retrieves the clock value from a local device using libbluetooth (bluez) and uses the Ubertooth to hop in time with the piconet.  To build ubertooth-follow use "make clock_debug=true".

 - Git

   Since the last release we have moved the source repository from SVN to Git.  This should not affect the released code, but makes life easier for those of us working on the code.