Building your own Bluetooth sniffer

Contents

Bluetooth and frequency hopping
Building your own Bluetooth sniffer

Bluetooth and frequency hopping


Bluetooth operates in the license-free ISM band at 2.4 GHz. To avoid interfering with other protocols that use the 2.4 GHz band, the Bluetooth protocol uses a radio technology called Frequency-Hopping Spread Spectrum and divides the band into 79 channels (each 1 MHz wide) and changes channels up to 1600 times per second.




All Bluetooth devices participating in a given piconet are synchronized to the piconet's hopping channel. The hopping sequence is determined by the master's device address (BD_ADDR), and the phase of the sequence (which frequency is in use at a given instant) is determined by the master's internal clock. Therefore every slave in a piconet must know the master's BD_ADDR and must synchronize its clock to the master's.

During the connection handshake the slave receives an FHS (Frequency Hop Synchronization) packet carrying the master's BD_ADDR and clock value, from which it synchronizes its own internal clock.

A device that does not belong to the piconet can neither send nor listen to the data being exchanged, because it does not know the hopping sequence, and monitoring all 79 channels at once is impractical with ordinary hardware. Frequency hopping therefore raises the bar for eavesdropping on Bluetooth, although it is an obstacle rather than a cryptographic protection.


However ...


An attacker can eavesdrop on a given piconet by recovering the hopping sequence used by the devices participating in it. Computing that sequence requires the master's BD_ADDR and clock; the direct way to obtain them is to capture the connection handshake before the piconet is formed and extract the FHS packet, so that the attacker's clock can be synchronized with the master's. Once the hopping sequence has been calculated, the attacker can follow and eavesdrop on the entire conversation on the piconet.




In October 2002 FTE developed the world's first Bluetooth protocol analyzer, FTS4BT. For many years it remained the only tool capable of sniffing Bluetooth.

In 2007 Max Moser published the paper Busting The Bluetooth® Myth – Getting RAW Access, explaining a simple procedure for building a Bluetooth sniffer from a consumer Bluetooth dongle: essentially, he flashed a consumer dongle with the firmware used by a commercial sniffer.

In the same year Andrea Bittau and Dominic Spill published BlueSniff: Eve meets Alice and Bluetooth, showing that the parameters needed to calculate the hopping sequence can be determined and, from there, that Bluetooth traffic can be eavesdropped. Andrea Bittau subsequently released BTSniff, a tool that sends commands to a hardware sniffer, puts it into sniffing mode and synchronizes it to the other devices in a piconet.

Building your own Bluetooth sniffer


I will follow Max Moser's published procedure for building a cheap Bluetooth sniffer from a consumer Bluetooth dongle. The method is fully documented on the internet, so what follows is a short, practical how-to.







There are specific requirements for the Bluetooth adaptor so it can be flashed into a Bluetooth sniffer:

  1. Cambridge Silicon Radio (CSR) chipset.

  2. BlueCore4 (BC4) External or Flash variant. ROM-based adaptors cannot be used, because their firmware cannot be rewritten.

Of the two dongles pictured in the original post, the second (BC4 EXT) will do; whether the first (BC2 EXT) works is not certain.

You need two tools, bccmd and dfutool, both part of the BlueZ utils. You can obtain and build them from bluez-cvs as follows:

$ sudo apt-get install libbluetooth2 libbluetooth2-dev libusb-0.1-4 libusb-dev
$ cvs -d:pserver:anonymous@cvs.bluez.org:/cvsroot/bluez login
$ cvs -d:pserver:anonymous@cvs.bluez.org:/cvsroot/bluez co utils
$ cd utils/tools
$ gcc csr.c csr_3wire.c csr_bcsp.c csr_h4.c csr_hci.c csr_usb.c ubcsp.c bccmd.c -o bccmd -lusb -lbluetooth
$ gcc csr.c dfutool.c -o dfutool -lusb -lbluetooth

The -l flags are placed after the source files so that the link also succeeds with linkers that resolve libraries in command-line order.

You will also need to download and install Frontline Test Equipment's FTS4BT, version 5.6.9.0 or earlier, in order to obtain the airsnifferdev4*bc4.dfu firmware with which the dongle will be upgraded.

The procedure is simple. First, change the dongle's USB product id to 0x0002 and its vendor id to 0x0a12; FTS4BT requires these values in order to recognize the Bluetooth adaptor.




Then back up the dongle's current firmware before flashing it with airsnifferdev4*bc4.dfu.





Using airsnifferdev5*bc4.dfu might brick the dongle and render it useless, so it is important to find the right version of FTS4BT (the one shipping airsnifferdev4*bc4.dfu).

After both operations have completed successfully, hciconfig reports the dongle in RAW mode. The RX and TX byte counters should be rising.


You can also verify that it works by running frontline, the tool released by Andrea Bittau for sending commands to a hardware sniffer. Its timer should be increasing.
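The whole procedure as a guarded shell script, added here as an example; it is not code from the original page or from Max Moser's paper. It assumes the bccmd and dfutool binaries built above are on PATH, that the CSR dongle is the default (first) HCI adapter, and that the firmware file is passed on the command line. The PSKEY numbers for the USB vendor and product id are the ones defined in BlueZ's csr.h, and the bccmd psset / warmreset and dfutool archive / upgrade invocations are assumed to follow those tools' usage. The helper functions (firmware-name check, lsusb and hciconfig parsing) run without any hardware; the flashing step runs only when --flash is given.

```shell
#!/bin/sh
# Added example: a guarded version of the dongle-flashing procedure.
# Not code from the original page or from Max Moser's paper.
# Assumptions: bccmd and dfutool are on PATH, the CSR dongle is the default
# HCI adapter, and the FTS4BT firmware file is given after --flash.
# PSKEY numbers are the ones defined in BlueZ's csr.h.

SNIFFER_VID=0x0a12          # Cambridge Silicon Radio
SNIFFER_PID=0x0002          # product id FTS4BT expects to see
PSKEY_USB_VENDOR_ID=0x02bd  # PSKEY_USB_VENDOR_ID (csr.h)
PSKEY_USB_PRODUCT_ID=0x02be # PSKEY_USB_PRODUCT_ID (csr.h)

# Classify a firmware file name: 0 = dev4/bc4 image used by this how-to,
# 1 = a dev5 image (may brick a BC4 dongle), 2 = anything else.
check_fw_name() {
    case "$1" in
        *airsnifferdev4*bc4.dfu) return 0 ;;
        *airsnifferdev5*)        return 1 ;;
        *)                       return 2 ;;
    esac
}

# Succeed when one line of lsusb output shows the sniffer's VID:PID.
is_sniffer_id() {
    case "$1" in
        *"ID 0a12:0002"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Succeed when `hciconfig -a` output shows the adapter flags UP RUNNING RAW.
is_raw_mode() {
    printf '%s\n' "$1" | grep -q 'UP RUNNING.*RAW'
}

# Print the RX byte counter from `hciconfig -a` output (empty if absent).
rx_bytes() {
    printf '%s\n' "$1" | sed -n 's/.*RX bytes:\([0-9]*\).*/\1/p'
}

# Reprogram the USB ids, back up the current firmware, flash the sniffer
# image and confirm RAW mode. Refuses any file but an airsnifferdev4*bc4.dfu.
flash_sniffer() {
    fw=$1
    if ! check_fw_name "$fw"; then
        echo "refusing to flash '$fw': not an airsnifferdev4*bc4.dfu image" >&2
        return 1
    fi
    bccmd psset -s 0x0 "$PSKEY_USB_VENDOR_ID"  "$SNIFFER_VID"
    bccmd psset -s 0x0 "$PSKEY_USB_PRODUCT_ID" "$SNIFFER_PID"
    bccmd warmreset                      # re-enumerate with the new ids
    sleep 3
    lsusb | while read -r line; do
        is_sniffer_id "$line" && echo "dongle re-enumerated: $line"
    done
    dfutool archive "backup-$(date +%Y%m%d%H%M).dfu"   # keep the original firmware
    dfutool upgrade "$fw"
    sleep 3
    out=$(hciconfig -a)
    if is_raw_mode "$out"; then
        echo "dongle is in RAW mode, RX bytes: $(rx_bytes "$out")"
    else
        echo "dongle is not in RAW mode; check hciconfig -a output" >&2
        return 1
    fi
}

if [ "${1:-}" = "--flash" ]; then
    flash_sniffer "$2"
fi
```

Run it as sh build_sniffer.sh --flash followed by the path to the airsnifferdev4*bc4.dfu file taken from FTS4BT. Without --flash the script only defines the helpers, so it can be sourced and its checks exercised without touching the dongle; the firmware-name check is what keeps the dev5 image the text warns about from ever reaching dfutool.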


You got it!




For more information, see the papers by Max Moser and by Bittau and Spill cited above.

© 2005 - 2011 Alberto Moreno Tablado