Bluetooth
Headset Attack Demo At SANS NS2007 Las Vegas
Link – Presentation (PDF – 500KB)
At the SANS NS2007 conference in Las Vegas last week I demonstrated a live attack against a Bluetooth headset. With the headset worn by Ed Skoudis (thanks Ed!), I was able to inject audio into the headset and record everything the wearer said.
The screenshot above is a sample from the GNU Radio usrp-oscope tool in the gr-utils package. In order to demodulate Bluetooth using the gr-bluetooth stack, it is necessary to identify the correct gain to use, where the Bluetooth signal appears similar to that shown in this image. Note the use of the letter “G” following 2.432 for center frequency.
BlueSniff (gr-bluetooth)
Paper (PDF – 156KB) – Source Code (TAR – 3.7MB)
For the past year I’ve been looking at the possibility of sniffing Bluetooth using GNU Radio. Receiving and demodulating packets took most of the time and was made possible using the CSR test modes (bccmd). The rest of the time, and most of the gr-bluetooth code, went into packet unwhitening (we don’t know the clock to unwhiten) and extracting the MAC address (also unknown).

Andrea and I have written a paper detailing how it all works, and giving some suggestions of where to take it from here. The paper and code can be found at http://darkircop.org/bt/gnuradio/
Implementation of the Bluetooth stack for software defined radio, with a view to sniffing and injecting packets
Report (PDF – 441 KB)
The ability to receive and demodulate a stream of data from a Bluetooth connection is achieved, using the USRP to receive the signal, and the GNU Radio Gaussian Minimum Shift Keying (GMSK) demodulator to convert the complex signal to binary. The control and settings of these parts of the system are found through experimentation with signal processing.
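The step described above, turning the complex samples from the USRP into a bit stream, is what a quadrature (FM) demodulator does. The following is an added example, not code from the report or from GNU Radio: a pure-Python GFSK modulator with Gaussian pulse shaping and the matching demodulator, which takes the phase difference between consecutive samples, scales it by a gain, averages over each symbol and slices at zero. The Bluetooth parameters (1 Msym/s, BT = 0.5, modulation index 0.32) are from the Bluetooth specification; the samples-per-symbol value, the bit pattern and the filter span are assumptions made for the example.

```python
"""GFSK (Bluetooth-style) modulator and quadrature demodulator, pure Python.

Added example, not code from the report or from GNU Radio. It shows what a
GMSK/GFSK demodulator does to turn complex USRP samples into bits:
instantaneous frequency (phase difference of consecutive samples), scaled by
a gain, integrated over each symbol and sliced at zero.
"""
import cmath
import math
from typing import List

SPS = 8          # samples per symbol (assumed: 8 MS/s at 1 Msym/s)
BT = 0.5         # Bluetooth Gaussian bandwidth-time product
H_INDEX = 0.32   # modulation index, inside the 0.28..0.35 range Bluetooth allows


def gaussian_taps(sps: int = SPS, bt: float = BT, span: int = 2) -> List[float]:
    """Gaussian pulse-shaping filter over +-span symbols, normalised to unit DC gain."""
    sigma = math.sqrt(math.log(2)) / (2 * math.pi * bt) * sps   # in samples
    n = span * sps
    taps = [math.exp(-0.5 * (k / sigma) ** 2) for k in range(-n, n + 1)]
    total = sum(taps)
    return [t / total for t in taps]


def modulate(bits: List[int], sps: int = SPS, h: float = H_INDEX) -> List[complex]:
    """Bits -> NRZ +-1 -> Gaussian-filtered frequency -> phase-integrated complex baseband."""
    nrz = [1.0 if b else -1.0 for b in bits for _ in range(sps)]
    taps = gaussian_taps(sps)
    half = len(taps) // 2
    # Centred convolution, so symbol k still occupies samples k*sps .. (k+1)*sps-1.
    freq = []
    for i in range(len(nrz)):
        acc = 0.0
        for j, t in enumerate(taps):
            idx = i + j - half
            if 0 <= idx < len(nrz):
                acc += t * nrz[idx]
        freq.append(acc)
    # Total phase advance per symbol is pi*h*d_k, i.e. pi*h*f[n]/sps per sample.
    phase = 0.0
    out = []
    for f in freq:
        phase += math.pi * h * f / sps
        out.append(cmath.exp(1j * phase))
    return out


def quadrature_demod(samples: List[complex], gain: float) -> List[float]:
    """Instantaneous frequency: angle of s[n]*conj(s[n-1]), times a gain.

    Element 0 has no predecessor and is set to 0.0 to keep sample alignment."""
    return [0.0] + [gain * cmath.phase(samples[n] * samples[n - 1].conjugate())
                    for n in range(1, len(samples))]


def demodulate(samples: List[complex], sps: int = SPS, h: float = H_INDEX) -> List[int]:
    """Gain sps/(pi*h) maps +-1 symbols back to about +-1; average each symbol and slice."""
    freq = quadrature_demod(samples, gain=sps / (math.pi * h))
    bits = []
    for k in range(len(freq) // sps):
        window = freq[k * sps:(k + 1) * sps]
        # A residual carrier offset shifts this threshold; a real receiver removes it first.
        bits.append(1 if sum(window) / sps > 0.0 else 0)
    return bits


SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0]   # constructed test pattern


def roundtrip(bits: List[int] = SAMPLE_BITS) -> List[int]:
    """Modulate then demodulate; returns the recovered bits."""
    return demodulate(modulate(bits))


if __name__ == "__main__":
    print("sent     :", SAMPLE_BITS)
    print("recovered:", roundtrip())
```

The gain is the only knob: with `sps / (pi * h)` the recovered frequency for a long run of ones sits at 1.0, which is what makes a fixed zero threshold work. A receiver that does not know the modulation index, or has a carrier offset, sees the slicing point move, which is the same tuning problem the oscope screenshot above is about.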
The binary data is then converted to packets and data is extracted from them in order to gather information about the devices in the piconet so that the MAC address and value of the clock of the piconet can be obtained. Data from higher levels of the protocol stack can also be extracted from these packets, which could lead to possible attacks on a system.
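Both the remark above about unwhitening without knowing the clock and this paragraph's recovery of the piconet clock come down to the same observation: Bluetooth's data whitening is a 7-bit LFSR (polynomial x^7 + x^4 + 1) seeded with a fixed 1 and the six clock bits CLK6..CLK1, so a sniffer that does not know the clock has only 64 sequences to try, and the header's own check (the HEC, an 8-bit LFSR seeded with the UAP) tells it which ones are plausible. The block below is an added example, not code from gr-bluetooth or the paper: it whitens a constructed packet header and then recovers the clock seed by exhaustive search. The polynomials are from the Bluetooth Core Specification; the register orientation, bit order and the sample UAP, clock and header values are assumptions, marked in the code.

```python
"""Bluetooth BR/EDR data whitening and clock-seed search (added example).

Not code from gr-bluetooth or the paper. Polynomials are from the Bluetooth
Core Specification (Baseband: data whitening, header error check). Register
orientation and bit order are assumptions chosen to match common open-source
LSB-first implementations; they do not affect the point being made.
"""
from typing import List

WHITENING_TAPS = 0x88   # x^7 + x^4 + 1 in the LSB-first form used here (assumed orientation)
HEC_POLY_LOW = 0xA7     # g(D) = D^8 + D^7 + D^5 + D^2 + D + 1 (0x1A7), leading term implicit


def whitening_sequence(clk6_1: int, n: int) -> List[int]:
    """First n bits of the whitening word for clock bits CLK6..CLK1.

    Register position 6 is fixed to 1 and positions 5..0 carry CLK6..CLK1
    (assumed placement), so only 64 distinct sequences exist."""
    lfsr = 0x40 | (clk6_1 & 0x3F)
    out = []
    for _ in range(n):
        bit = lfsr & 1
        out.append(bit)
        if bit:
            lfsr ^= WHITENING_TAPS
        lfsr >>= 1
    return out


def whiten(bits: List[int], clk6_1: int) -> List[int]:
    """XOR with the whitening word; the same call un-whitens."""
    return [b ^ w for b, w in zip(bits, whitening_sequence(clk6_1, len(bits)))]


def hec(header10: int, uap: int) -> int:
    """8-bit Header Error Check: CRC-style LFSR over the 10 header bits,
    initialised with the device UAP. LSB-first input order is assumed."""
    reg = uap & 0xFF
    for i in range(10):
        fb = ((header10 >> i) & 1) ^ (reg >> 7)
        reg = (reg << 1) & 0xFF
        if fb:
            reg ^= HEC_POLY_LOW
    return reg


def pack_header10(lt_addr: int, ptype: int, flow: int, arqn: int, seqn: int) -> int:
    """Header fields in transmission order: LT_ADDR(3) TYPE(4) FLOW ARQN SEQN, LSB first."""
    return (lt_addr & 7) | ((ptype & 0xF) << 3) | (flow << 7) | (arqn << 8) | (seqn << 9)


def build_header_bits(header10: int, uap: int) -> List[int]:
    """10 header bits followed by the 8 HEC bits, LSB first, as an 18-bit list."""
    h = hec(header10, uap)
    return [(header10 >> i) & 1 for i in range(10)] + [(h >> i) & 1 for i in range(8)]


def bits_to_int(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def clock_candidates(whitened: List[int], uap: int) -> List[int]:
    """Try all 64 clock seeds; keep those whose un-whitened header has a valid HEC.

    A wrong seed passes with probability about 1/256, so one header leaves a
    fraction of a spurious match on average; repeating over several packets
    narrows it to the true clock."""
    found = []
    for clk in range(64):
        plain = whiten(whitened, clk)
        if hec(bits_to_int(plain[:10]), uap) == bits_to_int(plain[10:]):
            found.append(clk)
    return found


# Constructed sample values (assumptions): LT_ADDR 1, TYPE 4 (DH1), FLOW 1, ARQN 0, SEQN 1.
SAMPLE_UAP = 0x5A
SAMPLE_CLK = 0b101101          # CLK6..CLK1 = 45
SAMPLE_PLAIN = build_header_bits(pack_header10(1, 4, 1, 0, 1), SAMPLE_UAP)
SAMPLE_WHITENED = whiten(SAMPLE_PLAIN, SAMPLE_CLK)


def demo() -> List[int]:
    """Clock seeds consistent with the sample header's HEC; contains SAMPLE_CLK."""
    return clock_candidates(SAMPLE_WHITENED, SAMPLE_UAP)


if __name__ == "__main__":
    print("clock seeds consistent with the HEC:", demo())
```

The point for a defender is that whitening is a spectral-shaping measure, not a secrecy one: the seed space is 64 values and the packet carries its own validity check, so an over-the-air capture gives an attacker everything needed to reverse it. Confidentiality has to come from the link-layer encryption, not from the whitening or from the unpublished clock.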
And finally check out this old GNU Radio mailing list thread which discussed the possibilities of Bluetooth on GNU Radio back in 2006.
