GNU Radio Stuff

Bluetooth

Posted in Applications by gnuradio on November 1, 2008


Headset Attack Demo At SANS NS2007 Las Vegas

Link / Presentation (PDF – 500KB)

At the SANS NS2007 conference in Las Vegas last week I demonstrated a live attack against a Bluetooth headset. With the headset worn by Ed Skoudis (thanks Ed!), I was able to inject audio into the headset and record everything the wearer said.

The screenshot above is a sample from the GNU Radio usrp-oscope tool in the gr-utils package. In order to demodulate Bluetooth using the gr-bluetooth stack, it is necessary to identify the correct gain to use, at which the Bluetooth signal appears similar to that shown in this image. Note the use of the letter “G” following 2.432 for the center frequency.

-source



BlueSniff (gr-bluetooth)

Paper (PDF – 156KB) – Source Code (TAR – 3.7MB)

For the past year I’ve been looking at the possibility of sniffing Bluetooth using GNU Radio. Receiving and demodulating packets took most of the time and was made possible using the CSR test modes (bccmd). The rest of the time, and most of the gr-bluetooth code, went into packet unwhitening (we don’t know the clock to unwhiten) and extracting the MAC address (also unknown).

Andrea and I have written a paper detailing how it all works, and giving some suggestions of where to take it from here. The paper and code can be found at http://darkircop.org/bt/gnuradio/

-source


Implementation of the Bluetooth stack for software defined radio, with a view to sniffing and injecting packets

Report (PDF – 441 KB)

The ability to receive and demodulate a stream of data from a Bluetooth connection is achieved using the USRP to receive the signal and the GNU Radio Gaussian Minimum Shift Keying (GMSK) demodulator to convert the complex signal to binary. The control parameters and settings of these parts of the system are found through experimentation with signal processing.
The binary data is then converted to packets, and data is extracted from them in order to gather information about the devices in the piconet so that the MAC address and the value of the piconet clock can be obtained. Data from higher levels of the protocol stack can also be extracted from these packets, which could lead to possible attacks on a system.
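Both the BlueSniff excerpt above and this report abstract turn on the same step: once the GMSK demodulator has produced bits, the sniffer still does not know the clock value the whitening was seeded with, nor the address byte the header checksum was seeded with. The following is an added worked example of that recovery, written for this page; it is not code from the page, the BlueSniff paper or gr-bluetooth. It assumes the whitening LFSR D^7 + D^4 + 1 seeded with a leading 1 and CLK6..CLK1, and the HEC generator D^8 + D^7 + D^5 + D^2 + D + 1 seeded with the UAP (the upper address part of the master's BD_ADDR, which is why the header leaks part of the "unknown MAC address"), as the Bluetooth Baseband specification defines them. The bit ordering inside the registers, the header field order, the slot timings and the function names (transmit_header, uap_under_clock, recover, simulate) are the example's own assumptions; the FEC 1/3 repetition code on the header and any payload CRC check are left out. It also simulates the transmitter side so the whole exchange runs offline.

```python
# Added example, not part of the page or of gr-bluetooth: recovering the
# unknown whitening clock (CLK6..CLK1) and the UAP byte of the master's
# BD_ADDR from sniffed packet headers, as the excerpts above describe.
#
# Assumptions (labelled because the page does not spell them out):
#  - whitening LFSR D^7 + D^4 + 1 seeded with a leading 1 and CLK6..CLK1, and
#    HEC generator D^8 + D^7 + D^5 + D^2 + D + 1 seeded with the UAP, as in the
#    Bluetooth Baseband specification; the register bit ordering is this
#    example's own choice (libbtbb/gr-bluetooth use precomputed tables)
#  - FEC 1/3 on the header and the payload CRC are omitted
#  - the sniffer timestamps packets, so it knows each packet's slot offset
#    from the first one (CLK6..CLK1 advances by one per 625 us slot)

HEC_POLY = 0xA7      # D^7 + D^5 + D^2 + D + 1; the D^8 term is implicit
HEADER_BITS = 10     # LT_ADDR(3) TYPE(4) FLOW ARQN SEQN, then 8 HEC bits


def whitening_word(clk6_1: int, nbits: int) -> list[int]:
    """Whitening bits for one packet: Fibonacci LFSR D^7+D^4+1.
    state[6] is the fixed leading 1, state[5..0] hold CLK6..CLK1."""
    state = [(clk6_1 >> i) & 1 for i in range(6)] + [1]
    out = []
    for _ in range(nbits):
        out.append(state[6])
        fb = state[6] ^ state[3]          # taps at D^7 and D^4
        state = [fb] + state[:6]
    return out


def hec(uap: int, header: list[int]) -> int:
    """8-bit HEC: CRC register initialised with the UAP, clocked over the
    10 header bits. The register update is linear over GF(2)."""
    reg = uap
    for bit in header:
        fb = ((reg >> 7) & 1) ^ bit
        reg = (reg << 1) & 0xFF
        if fb:
            reg ^= HEC_POLY
    return reg


# hec(uap, h) = hec(uap, 0...0) ^ hec(0, h), and uap -> hec(uap, 0...0) is a
# bijection (multiplication by D^10 mod the generator), so it inverts by table.
UAP_FROM_ZERO_HEC = {hec(u, [0] * HEADER_BITS): u for u in range(256)}


def uap_from_hec(header: list[int], observed_hec: int) -> int:
    """The one UAP under which this header would carry this HEC."""
    return UAP_FROM_ZERO_HEC[observed_hec ^ hec(0, header)]


def int_to_bits(value: int, width: int) -> list[int]:
    return [(value >> i) & 1 for i in range(width)]      # LSB first


def bits_to_int(bits: list[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def transmit_header(uap: int, clk6_1: int, lt_addr: int, ptype: int,
                    flow: int, arqn: int, seqn: int) -> list[int]:
    """Transmitter side: append the HEC, then whiten the 18-bit header."""
    fields = int_to_bits(lt_addr, 3) + int_to_bits(ptype, 4) + [flow, arqn, seqn]
    plain = fields + int_to_bits(hec(uap, fields), 8)
    return [p ^ w for p, w in zip(plain, whitening_word(clk6_1, len(plain)))]


def uap_under_clock(whitened: list[int], clk6_1: int) -> int:
    """Sniffer side: unwhiten with a guessed clock and read off the UAP
    that would make the HEC consistent. Every guess yields *some* UAP;
    only the right clock yields the same UAP on every packet."""
    plain = [p ^ w for p, w in zip(whitened, whitening_word(clk6_1, len(whitened)))]
    return uap_from_hec(plain[:HEADER_BITS], bits_to_int(plain[HEADER_BITS:]))


def recover(packets: list[tuple[int, list[int]]]) -> dict[int, int]:
    """packets: (slot offset since the first packet, whitened header bits).
    Keeps the 64 hypotheses for CLK6..CLK1 at slot 0 and drops each one as
    soon as a later packet implies a different UAP under it."""
    first_slot, first_hdr = packets[0]
    hypotheses = {base: uap_under_clock(first_hdr, (base + first_slot) & 63)
                  for base in range(64)}
    for slot, hdr in packets[1:]:
        for base in list(hypotheses):
            if uap_under_clock(hdr, (base + slot) & 63) != hypotheses[base]:
                del hypotheses[base]
    return hypotheses


def simulate(uap: int = 0x47, base_clk: int = 0x2B,
             slots=(0, 2, 4, 10, 16, 22, 36, 50)) -> dict[int, int]:
    """Constructed traffic: a master with secret UAP and clock sends packets
    at the given slot offsets; the sniffer sees only the whitened headers."""
    packets = []
    for i, slot in enumerate(slots):
        hdr = transmit_header(uap, (base_clk + slot) & 63, lt_addr=1,
                              ptype=(i % 4) + 1, flow=1, arqn=i & 1, seqn=(i >> 1) & 1)
        packets.append((slot, hdr))
    return recover(packets)


if __name__ == "__main__":
    for base, found in sorted(simulate().items()):
        print(f"CLK6-1 at slot 0 = {base:#04x}  ->  UAP = {found:#04x}")
```

The true hypothesis can never be eliminated, because under the right clock the unwhitened HEC is exact and the table inversion is exact. How quickly the wrong ones fall away depends on how the packets are spread across slot offsets: if every packet arrived at the same CLK6..CLK1 value, all 64 guesses would stay consistent and nothing would be learned, which is why timing the packets matters as much as demodulating them.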



And finally, check out this old GNU Radio mailing list thread which discussed the possibilities of Bluetooth on GNU Radio back in 2006.

Important Books

Posted in Miscellaneous by gnuradio on November 1, 2008


Software Defined Radio: with GNU Radio and USRP (Hardcover)

Publisher: McGraw-Hill | Pages: 320 | January 2009 | ISBN 0071498834 | 1st edition | by Cory Clark

Amazon / McGraw-Hill Professional

Chapter 1. What is Software Defined Radio
Chapter 2. SDR Block Diagrams
Chapter 3. SDR Applications
Chapter 4. The GNU Radio Project
Chapter 5. Downloading and Installing the GNU Radio
Chapter 6. Using Hardware with GNU Radio
Chapter 7. Bandwidth and Sample Rate Considerations
Chapter 8. FPGAs
Chapter 9. Generic A/Ds
Chapter 10. The USRP Hardware Boards
Chapter 11. Getting Started with Simple Analog Signals
Chapter 12. GSM
Chapter 13. 802.xx
Chapter 14. OFDM
Chapter 15. Working Examples
Chapter 16. HD Radio
Chapter 17. Spectrum Analyser

-source1 / source2




Signal Processing Techniques for Software Radio (Softcover)

Publisher: Self-published (Lulu) | Pages: 380 | 2008 | by Behrouz Farhang-Boroujeny

Buy / Table of Contents / Book’s CD

This book puts together a collection of signal processing algorithms, filter design methods, and signal processing techniques (tricks) to provide practicing engineers with the tools necessary for efficient implementation of software defined radios. To demonstrate the implementation of various algorithms on a software radio platform, and also to demonstrate their performance, MATLAB scripts (programs) are presented throughout the book.

-source



You could also check out GNU Radio’s own list of Suggested Reading.