So, I read almost the whole post and learned a lot from doing so. I got all the pieces (firmware, FrontLine for Windows, frontline.c) together except the flashable BT dongle.
But before buying one so that I can experiment on my own I have some questions left:
Did someone successfully sniff a phone<->phone pairing (from, let's say, 2m distance)? My understanding is that the PC<->phone pairing is sniffed by the dongle right next to the dongle used to pair (since the USB slots are close together on the PC). What impact does a small distance (<5m) have on the accuracy of the sniffing?
How do I proceed after successfully cracking the link key? Are there known procedures to exploit the gathered information? Like storing the link key, spoofing the bt_addr and connecting as the second phone "in disguise"?
Somehow all I read so far stops after cracking the PIN/LK... but that is where it gets interesting. The LK is useless if I can't go further from there.
So before investing in a dongle (D-Link DBT-120 rev. C... with the risk of getting the one with the non-ext firmware?!) it would be nice if someone could comment on the above.
Cheers
EDIT:
My friend has a Bluetooth dongle with
He was so kind to allow me to play around with it and now I got
Code:
hci0:   Type: USB
        BD Address: 00:09:DD:50:0A:6E ACL MTU: 384:8 SCO MTU: 64:8
        HCI 19.2
        Chip version: BlueCore4-External
        Max key size: 56 bit
        SCO mapping: HCI

Code:
hci0:   Type: USB
        BD Address: 00:09:DD:50:0A:6E ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:6 acl:0 sco:0 events:0 errors:0
        TX bytes:0 acl:0 sco:0 commands:0 errors:0
I tested sniffing 2 mobile phones pairing. They were ~2m away from my desktop computer with the sniffing dongle and it worked like a charm. Captured the pairing, cracked the pin and the link key.
Now I wonder how I/the attacker can take advantage of this. I imagine one could spoof the bt_addr, change the class to 0x5a0204, store the cracked link key in /var/lib/bluetooth/<spoofed-address>/linkkeys and try to connect to the phone. Unfortunately I can only change the bt_addr of the sniffing stick (but that one is unusable because of the changed firmware). I don't want to change the firmware back.
Any comments on how to proceed with the findings of the sniffing-cracking-process?
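A defender-side companion to the hciconfig output quoted in the post above, added here as an example (it is not code from the poster or from the BlueZ project): it parses the two text blocks that `hciconfig hci0 revision` and `hciconfig hci0` print and flags what an administrator auditing their own adapters would want to notice, namely a maximum encryption key size below 128 bits (the 56-bit limit shown on this CSR dongle caps the strength of link encryption on every connection it makes) and an adapter left in RAW mode with a zero ACL MTU, which is the state a dongle re-flashed for sniffing sits in and means it is no longer usable as a normal host adapter. Field names are taken from the quoted output; the sample text is re-typed from the post, and the 128-bit threshold and the function names are this example's own choices.

```python
"""Audit `hciconfig` text for an adapter's encryption key limit and mode.

Added example, not from the original thread. Field names follow the output
quoted in the post; the 128-bit threshold is this example's own choice.
"""
import re

# Sample input re-typed from the post above (constructed from the quoted output).
REVISION_OUTPUT = """\
hci0:   Type: USB
        BD Address: 00:09:DD:50:0A:6E ACL MTU: 384:8 SCO MTU: 64:8
        HCI 19.2
        Chip version: BlueCore4-External
        Max key size: 56 bit
        SCO mapping: HCI
"""

STATUS_OUTPUT = """\
hci0:   Type: USB
        BD Address: 00:09:DD:50:0A:6E ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:6 acl:0 sco:0 events:0 errors:0
        TX bytes:0 acl:0 sco:0 commands:0 errors:0
"""

MIN_KEY_BITS = 128  # example's own threshold: full-length Bluetooth link encryption key

# Fields recognised in hciconfig output; each regex captures the value(s).
_FIELD_RES = {
    "bd_address": re.compile(r"BD Address:\s*([0-9A-Fa-f:]{17})"),
    "acl_mtu": re.compile(r"ACL MTU:\s*(\d+):(\d+)"),
    "chip": re.compile(r"Chip version:\s*(\S+)"),
    "max_key_bits": re.compile(r"Max key size:\s*(\d+)\s*bit"),
}

# hciconfig prints the adapter flags on a line of their own, e.g. "UP RUNNING RAW".
_FLAG_WORD = r"(?:UP|DOWN|RUNNING|RAW|PSCAN|ISCAN|AUTH|ENCRYPT|INQUIRY)"
_FLAGS_RE = re.compile(r"^\s*(" + _FLAG_WORD + r"(?:\s+" + _FLAG_WORD + r")*)\s*$", re.M)


def parse_hciconfig(text):
    """Return a dict of the recognised fields from one block of hciconfig text."""
    info = {}
    for key, rx in _FIELD_RES.items():
        m = rx.search(text)
        if not m:
            continue
        if key == "acl_mtu":
            info[key] = (int(m.group(1)), int(m.group(2)))
        elif key == "max_key_bits":
            info[key] = int(m.group(1))
        else:
            info[key] = m.group(1)
    m = _FLAGS_RE.search(text)
    info["flags"] = set(m.group(1).split()) if m else set()
    return info


def audit(info):
    """Return a list of findings for one parsed adapter (empty list = nothing flagged)."""
    findings = []
    key_bits = info.get("max_key_bits")
    if key_bits is not None and key_bits < MIN_KEY_BITS:
        findings.append(
            f"max encryption key size is {key_bits} bits (< {MIN_KEY_BITS}): "
            "link encryption on this adapter is weaker than full strength"
        )
    if "RAW" in info.get("flags", ()):
        findings.append("adapter is in RAW mode: host stack bypassed, not a normal host adapter")
    if info.get("acl_mtu") == (0, 0):
        findings.append("ACL MTU is 0:0: adapter cannot carry ACL data in this state")
    return findings


if __name__ == "__main__":
    for label, text in (("revision", REVISION_OUTPUT), ("status", STATUS_OUTPUT)):
        info = parse_hciconfig(text)
        print(f"{label}: {info}")
        for finding in audit(info):
            print("  !", finding)
```

Run against the poster's two blocks, the revision output yields the 56-bit key size finding and the status output yields the RAW-mode and zero-MTU findings; an adapter reporting `Max key size: 128 bit` with flags like `UP RUNNING PSCAN` produces no findings.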


It is a dLink BT120 C1 flashed with 47bc4.dfu. I am waiting on my second dongle to arrive so that I can start scanning. My intention is to pass on what I learn from all this, so I am inclined to write a step by step tutorial for all this. From what I read here there is not much to do since Bluetooth technology has evolved and is no longer vulnerable. "Yeah right!"
Just like every OS and software out there. I do not believe that it is no longer vulnerable; it's just that none have been found yet or published, but this is what it's all about, right? Finding the vulnerabilities and properly documenting them so that we can protect ourselves and our customers, companies etc.... So I want to test, test, test and post my findings. Those who wish to do the same are welcome to post.