
Red Fang "Bluetooth hack" not much use - TDK

by Guy Kewney | posted on 10 September 2003


Did you get excited about the "Red Fang proof of concept hack" which was announced by Atstake? It was supposed to allow you "to find non discoverable bluetooth devices." It can! - yes, it can ... the only trouble, says TDK's Nick Hunn, is that it might take you two years! Buy a big battery ...


The hack, put together as the beginning of a possible software tool, was devised by Atstake's Ollie Whitehouse. He says: "It is done by brute forcing the last six bytes of the Bluetooth address of the device and doing a read_remote_name()."

The rivalry between Bluetooth and WiFi, both of which use the same 2.4GHz radio spectrum, led several in the WiFi camp to crow that "Bluetooth isn't all that secure, after all!" - which is understandable of them, since WiFi has been the subject of a lot of public security scares.

But when we asked Whitehouse whether this was in any way serious, he didn't reply.

So we contacted TDK to see what they thought. It seemed appropriate, since Whitehouse set his hack "to reduce the address space" so that it would only scan the TDK manufacturer assigned space - any TDK Bluetooth device would be vulnerable, but no other.

Well, "vulnerable" is maybe exaggerating. What this hack does is transmit a packet addressed to one specific device address. If there is a device with that address in range, it will respond - and then, as TDK says, you know that a device with that address is in the room. And then?

Nick Hunn, managing director of TDK, says that if this were a useful hack, he'd have been able to sell it, because he's had one for some time. "What he's doing is valid, but he omitted to mention a number of fairly significant buts," said Hunn.

"It is possible to launch an attack by trying to address a Bluetooth device using every known address and seeing if there is a response. All that you will get is a response, but you can then use that to see what address you were probing and from that you know its address."

[Photo: TDK's Nick Hunn]

But you can't do much more than that - it doesn't allow you any further into the Bluetooth device. "It would permit you to track the device if you had enough scanners around," admits Hunn, "but there's a small problem. That's the time taken."

Even if you confined yourself to a specific range of Bluetooth addresses associated with one manufacturer, the time you'd need to scan all addresses for just that one manufacturer is around 11 hours. "If you opened that up to the range of assigned manufacturer addresses it shoots up to over 2 years."

Hunn points out: "By that time the devices would either have moved out of range or the batteries would have gone flat."
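The mechanics Whitehouse and Hunn describe above - walk the 24-bit device part of the address under a known manufacturer prefix, page each candidate with a remote-name request, and note which ones answer - are easy to model. The following is an added illustration written for this page, not the @stake Red Fang code (which is not reproduced here) and not TDK's tool. The OUI 00:11:22, the device names and the probe results are constructed; the 5.12 s per-probe figure is an assumption taken from the Bluetooth default page timeout. The wall-clock estimate is simply candidate count times per-probe timeout divided by the number of scanners, which is where Hunn's "two years" for a full range and "enough scanners around" both come from.

```python
"""Model of a Red Fang style BD_ADDR brute force.

A Bluetooth device address (BD_ADDR) is 48 bits: a 24-bit manufacturer
prefix (the OUI) followed by 24 bits assigned by that manufacturer.  A
device in non-discoverable mode ignores inquiry but still answers when it
is paged by its full address, so an attacker who guesses the OUI can walk
the remaining 2**24 addresses and ask each for its name.

Illustrative code for this article, not the @stake tool.  The probe is
pluggable: `simulated_probe` stands in for a real remote-name request so
the script runs offline.  The OUI and device table below are constructed.
"""
from typing import Callable, Dict, Iterable, Optional

# Assumption: the Bluetooth default page timeout, 0x2000 slots * 0.625 ms.
PAGE_TIMEOUT_S = 5.12


def parse_bdaddr(text: str) -> int:
    """'00:11:22:33:44:55' -> 0x001122334455; raises on malformed input."""
    parts = text.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad BD_ADDR: {text!r}")
    return int("".join(parts), 16)


def format_bdaddr(addr: int) -> str:
    """Inverse of parse_bdaddr: 48-bit int -> colon-separated upper-case hex."""
    return ":".join(f"{(addr >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def candidate_addresses(oui: str, low: int = 0, high: int = 1 << 24) -> Iterable[int]:
    """Yield every address under a 3-byte OUI whose lower 24 bits lie in [low, high).

    Narrowing [low, high) is what the article calls "reducing the address space".
    """
    prefix = int(oui.replace(":", ""), 16)
    if prefix >> 24:
        raise ValueError("OUI must be exactly 3 bytes")
    if not 0 <= low < high <= 1 << 24:
        raise ValueError("sub-range must lie inside the 24-bit device space")
    base = prefix << 24
    for lower in range(low, high):
        yield base | lower


def estimate_scan_seconds(n_candidates: int, timeout_s: float = PAGE_TIMEOUT_S,
                          scanners: int = 1) -> float:
    """Worst-case wall clock: every absent address costs a full page timeout,
    and the work divides evenly across independent scanners."""
    if scanners < 1:
        raise ValueError("need at least one scanner")
    return n_candidates * timeout_s / scanners


def simulated_probe(present: Dict[int, str]) -> Callable[[int], Optional[str]]:
    """Stand-in for a remote-name request: returns the name if `addr` is in
    `present` (a constructed address -> name map), otherwise None."""
    def probe(addr: int) -> Optional[str]:
        return present.get(addr)
    return probe


def brute_force(oui: str, probe: Callable[[int], Optional[str]],
                low: int = 0, high: int = 1 << 24) -> Dict[str, str]:
    """Page every candidate address and collect the ones that answer."""
    found: Dict[str, str] = {}
    for addr in candidate_addresses(oui, low, high):
        name = probe(addr)
        if name is not None:
            found[format_bdaddr(addr)] = name
    return found


if __name__ == "__main__":
    # Constructed sample: two hidden devices under placeholder OUI 00:11:22.
    hidden = {parse_bdaddr("00:11:22:00:00:2A"): "Headset",
              parse_bdaddr("00:11:22:00:01:00"): "Phone"}
    print("responders:", brute_force("00:11:22", simulated_probe(hidden), 0, 0x200))
    days = estimate_scan_seconds(1 << 24) / 86400
    print(f"full 24-bit space, one scanner: {days:.0f} days")
    days64 = estimate_scan_seconds(1 << 24, scanners=64) / 86400
    print(f"same space, 64 scanners: {days64:.1f} days")
```

With the default timeout the full 2^24 space under a single prefix comes to roughly 994 days of paging for one scanner; the sub-range and the timeout are the two knobs, and the figures Hunn quotes depend entirely on how much of that space a manufacturer has actually handed out.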

The new version of the standard, currently being rolled out, is v1.2. It acknowledges this loophole and adds an anonymity mode which would thwart it.

"Incidentally we've had a Windows application which does a similar job of sniffing out Bluetooth units available free for the last year or so. Perhaps we need to call ourselves 'concerned security consultants' to get the corresponding level of coverage," remarked Hunn, adding: "There's nothing like vested interest to push a story."

The official link is at @stake.


