So, I read almost the whole post and learned a lot from doing so. I got all the pieces (firmware, frontline for windows, frontline.c) together except the flashable bt dongle.
But before buying one so that I can experiment on my own I have some questions left:
Did someone successfully sniff a phone<->phone pairing (from, let's say, 2m distance)? My understanding is that the pc<->phone pairing is sniffed by the dongle right next to the dongle used to pair (since the USB slots are close together on the PC). What impact does a small distance (<5m) have on the accuracy of the sniffing?
How do I proceed after successfully cracking the link key? Are there known procedures to exploit the gathered information? Like storing the link key, spoofing the bt_addr and connecting as the second phone "in disguise"?
Somehow all I have read so far stops after cracking the PIN/LK... but that is where it gets interesting. The LK is useless if I can't go further from there.
So before investing in a dongle (D-Link DBT-120 rev. C ...with the risk of getting the one with the non-ext firmware?!) it would be nice if someone could comment on the above.
My friend has a bluetooth dongle with
He was so kind as to allow me to play around with it, and now I got:
hci0: Type: USB
BD Address: 00:09:DD:50:0A:6E ACL MTU: 384:8 SCO MTU: 64:8
Chip version: BlueCore4-External
Max key size: 56 bit
SCO mapping: HCI
hci0: Type: USB
BD Address: 00:09:DD:50:0A:6E ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:6 acl:0 sco:0 events:0 errors:0
TX bytes:0 acl:0 sco:0 commands:0 errors:0
I tested sniffing 2 mobile phones pairing. They were ~2m away from my desktop computer with the sniffing dongle and it worked like a charm. Captured the pairing, cracked the pin and the link key.
Now I wonder how I/the attacker can take advantage of this. I imagine one could spoof the bt_addr, change the class to 0x5a0204, store the cracked link key in /var/lib/bluetooth/<spoofed-address>/linkkeys and try to connect to the phone. Unfortunately I can only change the bt_addr of the sniffing stick (but that one is unusable because of the changed firmware). I don't want to change the firmware back
Any comments on how to proceed with the findings of the sniffing-cracking-process?