== Introduction ==

Recent research has shown that it is possible to reconstruct the MAC address (BD_ADDR) of, and unwhiten the data exchanged by, Bluetooth devices set to be non-discoverable. Furthermore, commercial Bluetooth sniffing packages have turned out not to be tied to their hardware: most of their sniffing capability is implemented in software. We wish to bring Bluetooth sniffing capabilities to the masses, in as simple a way as possible. This would be an extension of [wiki:UmitBluetooth UmitBluetooth].

More information: [wiki:BluetoothSniffing/Proposal]

== Proposed Approach ==

We intend to integrate our Bluetooth sniffer with [wiki:PacketManipulator PacketManipulator], either as a plugin or by integrating it into the main application itself. Note that Bluetooth sniffing requires accompanying hardware. We will explore methods and implementations for flashing firmware onto Bluetooth hardware, which will allow us to sift more readily through the data sent over the frequency-hopping (FHSS) channel.[[BR]]
We then intend to display the data in PacketManipulator. PacketManipulator already has an intuitive interface for the display of packets that can be adapted to

== Features ==

 1. PIN cracking over the pairing process.
 1. Decomposition of Bluetooth protocol data units sent between master and slave devices.
 1. Does not require pairing with the master or slave device.

== Current Limitations ==

 1. Pairwise sniffing only (one master/slave pair at a time).
 2. Requires specific hardware and firmware.
 3. Requires knowledge of the master and slave device addresses.
 4. Periodic re-syncing of the sniffing hardware to the piconet is required.

== Known Issues ==

 1. Hardware dependency
   a. Bluetooth sniffing done cheaply can only be carried out with certain makes of Bluetooth USB adapter: in particular, those using the CSR chipset, which can be reflashed with firmware that allows sniffing to take place. Umit's BTSniffer is essentially an extension of the original [http://darkircop.org/pipermail/bt/2007-July/000001.html Frontline] tool developed by Andrea Bittau, so it is subject to the same restrictions.
   a. Testing is currently done with the D-Link DBT-120 (Rev C1) Bluetooth USB adapter, reflashed appropriately; [http://nicholsonsecurity.com/2008/09/25/howto-hack-your-dbt-120-to-run-in-raw-mode/ tutorials] for doing this are available online.
 1. Platform dependency
   a. Currently being tested on [http://www.remote-exploit.org/backtrack_download.html BackTrack 3]. Errors are returned when sniffing on other distributions (testing was also done on Ubuntu 9.04). The problems have been traced to Linux kernel updates to the Bluetooth-over-USB functionality (BackTrack 3 ships a kernel that predates the replacement of the hci_usb driver by btusb in 2.6.27).
 1. PIN cracking
   a. PIN cracking requires the capture of an exact sequence of LMP PDUs exchanged between the devices during the pairing process (the random-number, combination-key and challenge/response PDUs). Failure to catch any one of these packets, which does happen, voids the process. The other data dependencies are the MAC addresses of the master and slave devices being paired.
   a. It can be a time-consuming process, depending on the length of the PIN: the search space grows tenfold with each additional digit, and each candidate PIN costs several SAFER+ evaluations. A 9-digit PIN took more than half an hour to crack on a single-core virtual machine with 256 MB of RAM running BackTrack 3.

== Milestones ==

 1. Integration of Bluetooth sniffing functionality with PacketManipulator. (Incomplete)
 2. Development of new firmware (by modifying the existing firmware) for installation onto USB dongles, for the detection of Bluetooth traffic. (Incomplete)
 3. Implementation of a method to decode the Bluetooth device MAC address from sniffed packets. (Incomplete)

== Draft Interfaces ==

 1. Program entry point[[BR]][[BR]]
 [[Image(btsniff1.png, 500px)]]
 2. Settings and selection of sniffing interface[[BR]][[BR]]
 [[Image(btsniff2.png, 500px)]]
 3. Bluetooth capturing in PacketManipulator[[BR]][[BR]]
 [[Image(btcapture1.png, 700px)]]
 4. Sniffing an l2ping in PacketManipulator[[BR]][[BR]]
 [[Image(btcapture2_withlmp.png, 700px)]][[BR]][[BR]]
 [[Image(btcapture3_withlmp.png, 700px)]][[BR]][[BR]]
 [[Image(btcapture4_withlmp.png, 700px)]][[BR]][[BR]]

== Mockups ==

[[Image(sniff mock up.png, 700px)]]
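== Worked Example: Data Whitening and Clock Recovery ==

The introduction's claim that sniffed data can be unwhitened, and the limitation that the sniffing hardware must periodically re-sync to the piconet, both come down to the same mechanism: the baseband whitening LFSR is seeded from only six bits of the master clock (CLK6-1). The Python below is an added worked example written for this page; it is not BTSniffer, PacketManipulator or Frontline code. It implements the whitening LFSR of Core Spec Vol 2 Part B section 7.2 following our reading of the register figure there (position 6 emitted and fed back into positions 0 and 4), whitens a constructed header plus payload, and then recovers CLK6-1 by trying all 64 seeds. The `is_plausible` oracle and the sample bits are assumptions: a real sniffer would check the HEC against a known UAP or the payload CRC rather than compare against known plaintext, and the sample HEC field is filler rather than a computed check. Verify the clock-to-phase mapping against a real capture before relying on it.

```python
"""Bluetooth BR/EDR data whitening (Core Spec Vol 2 Part B, 7.2), as an added
worked example for this page.  Not Umit BTSniffer, PacketManipulator or
Frontline code.

The header and payload are XORed with the output of a 7-bit LFSR with
g(D) = D^7 + D^4 + 1, seeded from master clock bits CLK6-1 with register
position 6 fixed to 1.  Only six clock bits reach the seed, so an
unsynchronised sniffer has at most 64 candidate whitening sequences.
"""

WHITENING_PERIOD = 127  # g(D) is primitive, so the LFSR cycles every 2^7 - 1 bits


def whitening_sequence(clk6_1, nbits):
    """Return nbits of whitening output for clock bits CLK6-1 (a 6-bit value).

    Positions 0..5 hold CLK1..CLK6, position 6 holds 1.  Each step emits
    position 6, shifts the register up by one, feeds the emitted bit back into
    position 0 and XORs it into position 4 (the D^4 tap).  Register layout
    follows our reading of the spec figure; check it against a real capture.
    """
    if not 0 <= clk6_1 <= 63:
        raise ValueError("CLK6-1 must be a 6-bit value")
    state = [(clk6_1 >> i) & 1 for i in range(6)] + [1]
    out = []
    for _ in range(nbits):
        fb = state[6]
        out.append(fb)
        state = [fb, state[0], state[1], state[2],
                 state[3] ^ fb, state[4], state[5]]
    return out


def whiten(bits, clk6_1):
    """XOR header+payload bits with the whitening sequence.

    XOR is its own inverse, so the same call also dewhitens a captured packet.
    """
    return [b ^ w for b, w in zip(bits, whitening_sequence(clk6_1, len(bits)))]


def recover_clk6_1(whitened_bits, is_plausible):
    """Brute-force the 64 possible CLK6-1 seeds.

    is_plausible(candidate_plaintext) -> bool is the caller's validity check
    (in a real sniffer: HEC against a known UAP, or payload CRC).  All passing
    seeds are returned so the caller can see whether the check discriminates.
    """
    return [c for c in range(64) if is_plausible(whiten(whitened_bits, c))]


def to_bits(value, width):
    """LSB-first bit list, the order in which the baseband transmits fields."""
    return [(value >> i) & 1 for i in range(width)]


def sample_packet_bits():
    """Constructed 18-bit packet header plus a short payload (not a capture).

    Header fields: LT_ADDR=1, TYPE=3 (DM1), FLOW=1, ARQN=0, SEQN=0.  The HEC
    field is filler, not a computed check, since computing it needs the UAP.
    """
    header = (to_bits(1, 3) + to_bits(3, 4) + to_bits(1, 1)
              + to_bits(0, 1) + to_bits(0, 1) + to_bits(0xA5, 8))
    payload = to_bits(0x4C2B, 16)
    return header + payload


def demo(true_clk6_1=42):
    """Whiten the sample packet, then recover the clock seed by brute force."""
    plain = sample_packet_bits()
    on_air = whiten(plain, true_clk6_1)
    # Known-plaintext oracle, standing in for the HEC/CRC check a sniffer uses.
    candidates = recover_clk6_1(on_air, lambda p: p == plain)
    return {
        "plaintext": plain,
        "whitened": on_air,
        "recovered_clk6_1": candidates,
        # Distinct seeds give distinct phases of the 127-bit m-sequence.
        "distinct_sequences": len({tuple(whitening_sequence(c, 7))
                                   for c in range(64)}),
    }


if __name__ == "__main__":
    result = demo()
    print("whitened header/payload bits:", "".join(map(str, result["whitened"])))
    print("CLK6-1 candidates passing the check:", result["recovered_clk6_1"])
    print("distinct whitening sequences across 64 seeds:",
          result["distinct_sequences"])
```

Two properties matter for a sniffer. First, the 64 seeds yield 64 distinct phases of one 127-bit sequence, so once any check can tell a correctly dewhitened packet from a wrong one, the unknown clock bits are recovered in at most 64 tries; this is what lets a dongle that has lost sync re-align without help from the master. Second, only seven consecutive bits of the sequence pin down the phase, so even a short header is enough to make the search unambiguous, provided the validity check itself is discriminating.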