Bluetooth Penetration Testing Framework
last edition: Feb 18, 2011
e-mail: bluetooth-pentest@narod.ru
* try to penetrate your device for making it more secure! *
bluetooth dao: user -> software -> interface (usb, pcmcia etc) -> chip with bt firmware -> transmitter -> amplifier -> antenna ~> 2.402-2.480GHz ~> antenna -> amplifier -> receiver -> chip with bt firmware -> interface (usb, pcmcia etc) -> software -> user
+ Feb 18: Added Bluelog - tool to log discoverable Bluetooth devices in the area, with optional web front end. web
+ Apr 21: new version (090417) of BlueMaho - GUI-shell (interface) for a suite of tools for testing the security of bluetooth devices. It is freeware, opensource, written in Python, uses wxPython. It can be used for testing BT-devices for known vulnerabilities and, the major thing to do, testing to find unknown vulns. Also it can form nice statistics. web
+ Feb 04: obexstress.py - script for testing a remote OBEX service for some potential vulnerabilities. Tests available commands, may find directory traversal, tests if some characters in a file name can cause a DoS, tests if a long file name can cause a DoS. download v0.1
+ Jan 10: bluesquirrel - set of tools and scripts for automating scanning for devices, breaking pairing relationships between them, sniffing the pairing procedure with frontline.c, cracking PIN and linkkey with btpincrack, and then emulating (spoofing) the connection. For sniffing you need a dongle with FTS4BT firmware. download v0.1
+ Jan 04: ibluetoothproject.tk - bringing fully functional bluetooth to your iPhone!
+ Jan 02: Where and how do bluetooth stacks store linkkeys?
www.palowireless.com - Palowireless Bluetooth Resource Center
www.bluetooth.com - How Bluetooth Technology Works, Core Specification etc
www.holtmann.org - Bluetooth and Linux
www An Introduction to Bluetooth programming in GNU/Linux
www Bluetooth Essentials for Programmers. Albert S. Huang, Larry Rudolph
www Bluetooth on FreeBSD
www Digital Munition
www trifinite.org
www Datenterrorist
www BT maillist
www bluetoothtracking.org
www Seguridad Mobile
book Bluetooth Security. Gehrmann, Persson and Smeets. Artech House, 2004
pdf Bluetooth Security White Paper. Bluetooth SIG Security Expert Group, 2002
pdf Studying Bluetooth Malware Propagation. Merloni, Carettoni and Zanero, 2007
pdf Guide to Bluetooth Security, NIST, 2008
BlueZ - Official Linux Bluetooth protocol stack, BlueZ Wiki
PyBluez - PyBluez is an effort to create Python wrappers around system Bluetooth resources to allow Python developers to easily and quickly create Bluetooth applications.
LightBlue - a cross-platform Python Bluetooth API
*** multifunctional security tools ***
BlueMaho - BlueMaho is a GUI-shell (interface) for a suite of tools for testing the security of bluetooth devices. It is freeware, opensource, written in Python, uses wxPython. It can be used for testing BT-devices for known vulnerabilities and, the major thing to do, testing to find unknown vulns. Also it can form nice statistics. web, download v090417
Bluediving - Bluetooth penetration testing suite for GNU Linux 2.4 / 2.6 and FreeBSD. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++, BlueSmack, has features such as Bluetooth address spoofing, an AT and a RFCOMM socket shell and implements tools like carwhisperer, bss, L2CAP packetgenerator, L2CAP connection resetter, RFCOMM scanner and greenplaque scanning mode (using more than one hci device). download v0.9 / web
BT Browser MIDlet is a J2ME MIDP MIDlet that can browse and explore the technical specification of surrounding bluetooth devices. You can browse device bluetooth information and all supported profiles and service records on each device. This is a great utility tool to sniff bluetooth information as well as to validate your Bluetooth applications. BT Browser 2.0 works on phones that support the JSR-82 (Java Bluetooth or JABWT) specification. download v2.0
btCrawler - btCrawler is a simple bluetooth scanner for Windows Mobile based devices. It scans for other visible devices in range and can perform a service query. You can also query for services of your own device and do some self-diagnostic stuff. In the device list, COD means "Class of Device" (see bluetooth specification for more info). In the output window, when the sdp services are listed, "ChId" means Channel ID, which is the RFCOMM Channel the service is listening on. It supports both landscape and portrait screens. As of version 1.0 bluejacking and bluesnarfing are supported. download v1.1, web
Blooover II is a J2ME mobile phone auditing tool. Besides the BlueBug attack, it supports the HeloMoto attack (which is quite close to the BlueBug attack), the BlueSnarf and the sending of malformed objects via OBEX. Runs on phones with MIDP 2.0 and JSR-82. download, web
BT Audit is a suite of tools used to scan L2CAP PSMs (Protocol Service Multiplexers) and RFCOMM channels on a remote Bluetooth device. download v0.1.1, web
bluesn0w - bringing fully functional bluetooth to your iPhone! "we want to port EVERY BlueTooth profile to the iPhone." download beta, releases, web
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CSR Support Home Page
Free space link distance calculator
q. can we make it opensource?
*** List of bluetooth hardware for hacking purposes ***
If you want to add some info - please mail bluetooth-pentest@narod.ru !
* Features:
BD_ADDR - we can change BD_ADDR, with bccmd for example
firmware - we can upload/download firmware
frontline.c - we can use it with frontline.c
FTS4BT - we can use it with FTS4BT
VID&PID - we can change the VID&PID
hardware modifications:
USB Linksys (USBBT100) [USB 1.1 / BT 1.1 / Class 1] dongle. External antenna mod
USB MSI (MS-6967) [USB 1.1 / BT 1.1 / Class 1] dongle. External antenna mod
Ambicom FrankenDongle mod - 'class 2 USB Bluetooth dongle with antenna connector'
Zoom 4310BF USB dongle mod - 'class 1 USB Bluetooth 2.0 dongle with pigtail'
BluezJeans? - 'clothing for use with GreenPlaque'
Yagi Antenna and Bluetooth dongle
My Bluetooth Sniper Weapon. Nicely designed device based on Linksys dongle + YAGI
Conceptronic CBT200U2 [2.0/2.0+EDR/Class1] antenna connector mod
# interesting antennas: http://www.usbwifi.orcon.net.nz, wokfi how-to, Ez-12 Parabolic Reflector, template
useful tools/commands:
lsusb -v - linux tool to list USB devices
hciconfig from BlueZ - configure Bluetooth devices
hciconfig hciN -a - get extended info about the hciN device
hciconfig hciN commands - display supported commands
hciconfig hciN features - display device features
hciconfig hciN revision - display revision information
bccmd from BlueZ - utility for the CSR BCCMD interface
bccmd -d hciN buildname - get the full build name
bccmd -d hciN memtypes - get memory types
bccmd -d hciN pslist - list all PS keys
bccmd -d hciN psread - read all PS keys
hcidump from BlueZ - reads raw HCI data coming from and going to a Bluetooth device (which can be specified with the option -i, default is the first available one) and prints commands, events and data to the screen in a human-readable form.
hcidump -i hciN -t -X -V - prints a lot of data
firmware:
dfutool from BlueZ - device firmware upgrade utility
dfutool verify <dfu-file> - display information about the firmware file
dfutool modify <dfu-file> - change DFU specific values in the firmware file
dfutool -d hci0 upgrade <dfu-file> - upgrade the device with a new firmware
dfutool -d hci0 archive <dfu-file> - archive the current firmware of the device
xap2.zip - tools for reverse engineering CSR firmware. The tools include a firmware extractor, disassembler, assembler and a tool to diff the resulting firmware against the original one to see if there are any differences.
q. write a firmware for a CSR based device, which might include raw access for sniffing and will be able to transmit raw packets.
device visibility:
hciconfig hciN piscan - enable page and inquiry scan visibility
hciconfig hciN noscan - disable page and inquiry scan visibility
hciconfig hciN iscan - enable inquiry scan, disable page scan visibility
hciconfig hciN pscan - enable page scan, disable inquiry scan visibility
change the name and class of device:
set local name to fue: hciconfig hciN name <fue>
set class of device to 0x00000: hciconfig hciN class <0x00000>
~ web-based Bluetooth Class of Device/Service (CoD) Generator
~ change the CoD of your Bluetooth enabled PalmOS device - BTClass
q. smartphones?
change the VID&PID:
set usb vendor id to 0x0a12: bccmd -d hciN psset -s 0x0001 0x02be 0x0a12
set usb product id to 0x0001: bccmd -d hciN psset -s 0x0001 0x02bf 0x0001
~ List of USB ID's http://www.linux-usb.org/usb.ids
change the BT device address (BD_ADDR):
bccmd from BlueZ, set the bluetooth address to 01:02:03:04:05:06: bccmd -d hciN psset -r bdaddr 0x04 0x00 0x06 0x05 0x03 0x00 0x02 0x01
setbtaddr.py - python wrapper for the bccmd command to set the btaddr
setbd-affix.c - tool to set the Ericsson ROK 101 008 Bluetooth address using the Affix stack
setbd-bluez.c - set BD_ADDR on Ericsson ROK 101 008 using bluez
setbd-gumstix-bluez.c - Bluez tool to set BD_ADDR on Infineon ROK 104 001
bdaddr from BlueZ for some Ericsson, CSR, Texas Instruments, Zeevo, ST Microelectronics: bdaddr -i hciN <new_addr>
~ public OUI listing - http://standards.ieee.org/regauth/oui/index.shtml
q. change bd_addr on smartphones?
q. digital signal generator? noise generator for making a DoS to all devices in range?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
hcitool -i hciN inq - inquire remote devices. For each discovered device, Bluetooth device address, clock offset and class are printed.
hcitool -i hciN scan --info --class - inquire remote devices. For each discovered device, Bluetooth device address, device name, clock offset, class, version and supported features are printed.
hcitool -i hciN info <bdaddr> - print device name, version and supported features of the remote device with Bluetooth address bdaddr.
Bluelog is a Bluetooth site survey tool, designed to tell you how many discoverable devices there are in an area as quickly as possible. Bluelog differs from most Bluetooth scanners in that it prioritizes speed of reporting over anything else (i.e. it doesn't spend time trying to pull detailed data from a device) and doesn't require any user intervention to function. As the name implies, its primary function is to log discovered devices to file rather than to be used interactively. Bluelog could run on a system unattended for long periods of time to collect data. In addition to basic scanning, Bluelog also has a unique feature called "Bluelog Live", which puts results in a constantly updating Web page which you can serve with your HTTP daemon of choice. Download 0.9.8, web
btscanner is a tool designed specifically to extract as much information as possible from a Bluetooth device without the requirement to pair. A detailed information screen extracts HCI and SDP information, and maintains an open connection to monitor the RSSI and link quality. btscanner also contains a complete listing of the IEEE OUI numbers and class lookup tables. Can use multiple dongles when scanning. Finds non-discoverable Bluetooth devices by brute-forcing the device's Bluetooth address. Linux, BlueZ. download v2.1, web
Fine Tooth Comb is a bluetooth detection program for FreeBSD 5.x. It will run a periodic inquiry, report on devices that try to connect to the detecting system, and optionally attempt a brute force connection scan to find other bluetooth devices. download v0.1, web
BluetoothView is a small utility that runs in the background and monitors the activity of Bluetooth devices around you. For each detected Bluetooth device, it displays the following information: Device Name, Bluetooth Address, Major Device Type, Minor Device Type, First Detection Time, Last Detection Time, and more. BluetoothView can also notify you when a new Bluetooth device is detected, by displaying a balloon in your taskbar or by playing a small beep sound. by Nir Sofer. download v1.11, web
bluediving
BTbrowser
btCrawler
redfang finds non-discoverable Bluetooth devices by brute-forcing the last six bytes of the device's Bluetooth address and doing a read_remote_name(); supports multiple threads for substantial speed gains using multiple devices (maximum theoretical limit of 127 USB devices). Linux, BlueZ. download v2.5
greenplaque - bluetooth multi-dongle discovery scanner. linux, BlueZ. download v1.5, web
bluetracker.py - script for tracking link quality and rssi (received signal strength) for a specified remote bluetooth enabled device. download v0.2
*** air sniffing ***
pdf Busting The Bluetooth Myth - Getting RAW Access. Max Moser, 2007
txt Bluetooth Sniffing For Less, 2007
txt BlueSniff: Eve meets Alice and Bluetooth. Dominic Spill & Andrea Bittau, 2007
gr-bluetooth.tar.gz - a build tree with examples, Makefiles, etc that demonstrate how to write signal processing blocks for the GNU Radio system. download, web
frontline.c.zip - opensource air sniffer by sorbo. download
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
pdf Analysis of the E0 Encryption System. Fluhrer, Lucks, 1999.
pdf Correlation Properties of the Bluetooth Combiner Generator. Hermelin, Nyberg, 1999.
pdf An Algebraic Attack on the Bluetooth Key Stream Generator. Armknecht, 2002.
pdf A Linearization Attack on the Bluetooth Key Stream Generator. Armknecht, 2002.
pdf Improved key recovery of level 1 of the Bluetooth Encryption System. Fluhrer, 2002.
pdf Cryptanalysis of Bluetooth Keystream Generator Two-level E0. Yi Lu, Vaudenay, 2004.
pdf Faster Correlation Attack on Bluetooth Keystream Generator E0. Yi Lu, Vaudenay, 2004.
pdf The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption. Yi Lu, Meier, Vaudenay, 2005.
pdf Cracking the Bluetooth PIN. Yaniv Shaked, Avishai Wool, 2005.
pdf A uniform framework for cryptanalysis of the Bluetooth E0 cipher. O. Levy, A. Wool, 2005
pdf Cryptanalysis of the Bluetooth E0 cipher using OBDD's. Y. Shaked and A. Wool, 2006
pdf Shake well before use: two implementations for implicit context authentication. Rene Mayrhofer and Hans Gellersen, 2007
btpincrack - the bluetooth pin cracking core implements the basic bluetooth pin cracking attack by generating possible PINs and running them through SAFER+ to verify whether they are correct or not. This uses the pipelined implementation of SAFER+ and loops the output of the pipeline back into itself 7 times to perform all of the E21/E22/E1 functions. download v0.3, web
BTcrack is a PIN brute force proof of concept tool. BTCrack is aimed at reconstructing the Passkey and the Link key from captured pairing exchanges. Win32. web, download v1.1
bluesquirrel - set of tools and scripts for automating scanning for devices, breaking pairing relationships between them, sniffing the pairing procedure with frontline.c, cracking PIN and linkkey with btpincrack, and then emulating (spoofing) the connection. For sniffing you need a dongle with FTS4BT firmware. download v0.1
BT Info by Marek Bialoglowy is a program to control and read information from another phone. After pairing you can read sms, make calls and do other things on a remote phone. Requires MIDP 2.0, CLDC 1.0, JSR-82. download jar v1.08, web
txt Bluetooth social engineering. Marek Bialoglowy, 2005.
txt BlueBump - use social engineering to get a connection to unauthorised channels
txt Backdoor in Nokia 3610, 7650
txt BlueDump - cause a Bluetooth device to 'dump' its stored link key
txt BlueChop is an attack that disrupts any established bluetooth piconet
txt Fake bluetooth access point
txt Nokia Symbian 60 "Bluetooth Nickname" remote restart
txt Mode3 Abuse
txt TheftOfLinkKey - Notes on using a hijacked Bluetooth Link Key to spoof connections
txt Static Bluetooth PIN codes
txt Playing with Ericsson ROK 101 008, Nokia 3660 and Jabra BT110
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
l2ping from BlueZ - send L2CAP echo request and receive answer
l2ping [-i hciN] [-f] [-r] <bd_addr>
-f - kind of flood ping, reduces the delay time between packets to 0
-r - reverse ping (gnip?). Send echo response instead of echo request
l2cap-packet.c - L2CAP packet generator
l2cap-packet -a <bdaddr> -c <l2cap_code> -i <l2cap_ident> -p <payload> -s <l2cap_headersize>
psm_scan from BT Audit - find open L2CAP PSMs by scanning a certain range
psm_scan -s [<start_psm>] [-e <end_psm>] <bd_addr> -o
BSS (Bluetooth Stack Smasher) is an L2CAP layer fuzzer. download v0.8, web
txt BlueSmack - L2CAP 'Ping of Death'
txt DoS in Nokia 7650, 6600, Siemens V55, Motorola S55
txt Another Nokia N70 Bluetooth remote Denial of Service
txt Buffer Overrun (BlueSmack) in Toshiba Bluetooth Stack for Windows <= 4.0.23
txt Sony/Ericsson L2CAP Length Field DoS. Sony/Ericsson K600i, V600i, K750i, W800i. code
txt BlueZ hcidump <= 1.29 L2CAP Length Field DoS. code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
rfcomm_scan from BT Audit - find open RFCOMM channels by scanning a certain range
rfcomm_scan -s [<start_channel>] [-e <end_channel>] <bd_addr> -o
atshell.c - AT-shell over rfcomm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sdptool from BlueZ: sdptool records <bd_addr>, or BTbrowser, or bluediving
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hands-Free Audio Gateway / Hands-free Profile (HFP), 0x111F
txt Widcomm BTW <= 4.0.1.1500 for Windows Remote Audio Eavesdropping. DMA[2005-1214a]
txt Hijacking Headsets for Fun and Profit. Plantronics M2500, Anycom Stereo Headset
txt Motorola Blueline attack - AT level access to the phone. Motorola PEBL U6, V600, E398
Car Whisperer (download v0.2 / web) with realtime audio patch, or the already patched carwhisperer from bluediving
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OBEX File Transfer / File Transfer Profile (FTP), 0x1106
Object Push / Object Push Profile (OPP), 0x1105
BlueZObex-Maemo - BlueZ OBEX tools compiled to be used on a Nokia 770 Tablet PC. download
OpenOBEX - free open source implementation of the Object Exchange (OBEX) protocol. web
ObexFTP - the ObexFTP library provides access to the PUSH, GOEP and SYNCH services. web
BlueSpam - PalmOS tool that searches for bluetooth devices and spams them with small text if they support OBEX. download v0.4.3, web
obexstress.py - script for testing a remote OBEX service for some potential vulnerabilities. Tests available commands on the remote device, may find directory traversal, tests if some characters in a file name can cause a DoS, tests if a long file name can cause a DoS. download v0.1
txt BlueSnarf - get unauthorized access to the remote data by OBEX Push
txt BlueSnarf++ - full read/write access when connecting to the OBEX Push Profile. Use Blooover II or Bluediving or bluesnarfer to implement it. vulnerable: Ericsson T68(20R1B,20R2A013,20R2B013,20R2F004,20R5C001); Sony Ericsson R520m(20R2G), T68i(20R1B,20R2A013,20R2B013,20R2F004,20R5C001), T610(20R1A081,20R1L013,20R3C002,20R4C003,20R4D001), Z1010, Z600(20R2C007,20R2F002,20R5B001); Nokia 6310(04.10,04.20,4.07,4.80,5.22,5.50), 6310i(4.06,4.07,4.80,5.10,5.22,5.50,5.51), 8910, 8910i
txt Nokia 7610, 3210 ":" and "\" denial of service in OBEX
txt Nokia N70/N73 OBEX Implementation Denial of Service (":" and "\" etc)
txt Motorola P2K Platform setpath() overflow in OBEX File Transfer. Motorola PEBL U6, V600
txt Bluetooth dot dot attack against HP Ipaq 2215, Apple OSX
txt HeloMoto - take control of the device by means of AT-commands using OBEX Push. Use helomoto or helomoto-maemo for Nokia 770 Tablet PC. web. vulnerable: Motorola V80, V5xx, V6xx and E398
txt Nokia 9500 vCard Viewer Remote Denial of Service Vulnerability
txt Sony Ericsson P900 Beamer Malformed File Name Handling DoS Vulnerability
txt Widcomm 1.4.2 remote code execution vulnerability in "PIM Item Transfer"
txt BluePIMped. Exploiting The Widcomm BTStackServer. vulnerable: Ambicom btysb1.4.2w.zip 1.4.2 Build 10, Actiontec Bluetooth Software (ver 1.1), Belkin Bluetooth Software 1.4.2 Build 10. BluePIMped.diff - 'ussp-push-0.4 patch - exploit for Widcomm BTStackServer 1.4.2'
txt Notes on the Ipaq version of the Widcomm overflow. Ipaq 2215, WIDCOMM BTW-CE 1.4.1
txt AmbiCom Object Push Buffer Overflow. AmbiCom Blue Neighbors <= V2.50 Build 2500. DMA[2006-0115a]
txt Toshiba Bluetooth Stack <=v4.00.23(T) Directory Transversal. DMA[2006-0112a]
txt Widcomm BTW < 3.0.1.905 Directory Transversal. DMA[2005-0412a]
txt IVT BlueSoleil 1.4 Directory Transversal. DMA[2005-0401a]
txt Bluetooth 'flooded with prompts' DoS by OBEX Push
txt Sending a file bigger than the free space on the remote device can cause a DoS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Serial Port / Serial Port Profile (SP), 0x1101
txt BlueBug - creates a serial profile connection to the device without authorization. Use Blooover II or Bluediving or bluebugger or blueserial-maemo for Nokia 770 Tablet PC. vulnerable: Nokia 6310i(4.06,4.07,4.80,5.10,5.22,5.50,5.51); Motorola V600, V80; Sony Ericsson T610(20R1A081)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
HID / Human Interface Device(HID) Profile, 0x0011
txt HID Attack (attacking HID host implementations)
hidattack - basic example on how to attack HID servers. download v0.1, web
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
txt Affix-2.1.1 Kernel. Nokia Affix Bluetooth Integer Underflow. DMA[2005-0423a]
txt Affix-3.2.0 btsrv. Nokia Affix Bluetooth btsrv poor use of popen(). DMA[2005-0826a]
txt Affix-3.2.0 btftp client. Nokia Affix Bluetooth btftp client buffer overflow. DMA[2005-0712a]
txt Linux Kernel < 2.4.33.5 Bluetooth Null Pointer Deference Denial Of Service Vulnerability
txt Linux kernel < 2.6.11.5 bluetooth stack local root exploit
txt Red-M 1050. Multiple Red-M 1050 Blue Tooth Access Point Vulnerabilities
txt Sobexsrv-1.0pre3. Scripting/Secure OBEX Server format string vulnerability. DMA[2005-1202a]
txt Where and how do bluetooth stacks store linkkeys?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -