Ubertooth – Open-Source Bluetooth Sniffing



A few years ago, some security-minded people and academics started looking into Bluetooth (BT) sniffing. Commercial solutions were expensive, and the community really needed something cheap/affordable. Dominic Spill and Andrea Bittau were, I think, the pioneers who discovered that some cheap $30 (USD) BT dongles could be re-flashed with a firmware that supported BT sniffing, and they created the Open-Source program csrsniff (http://darkircop.org/bt/bt.tgz), which allowed you to monitor the BT stream between devices.

Several white-papers & walkthroughs exist on the Internet; below is a small selection:

  • http://remote-exploit.org/research/busting_bluetooth_myth.pdf
  • http://bluetooth-pentest.narod.ru/doc/bluetooth_sniffing_for_less.txt

There are several problems with these cheap devices:

  • They may stop working for no apparent reason.
  • They are no longer readily available.
  • They are incompatible with several other BT implementations/devices.

Michael Ossmann and Dominic Spill (circa 2009) thought that the above-mentioned solution was inadequate, and that the community needed something more appropriate. They then went about creating a truly Open-Source hardware and software solution for BT sniffing called the Ubertooth.  To this day the Ubertooth is still quite rare and slightly more expensive at approximately $110 (USD), but still remarkably cheaper than the $2000+ (USD) commercial counterparts.

I highly recommend reading/viewing:

For Ubertooth updates, the blog can be found at: http://ubertooth.blogspot.co.uk

In this post we will cover using the Ubertooth to perform BT sniffing.

UPDATE: You may wish to update your Ubertooth to the 2014-02-R1 Firmware

Installing Ubertooth Components

Below we will use the repositories on Dominic Spill’s GitHub page, rather than the downloadable files, which can be found at: http://ubertooth.sourceforge.net/usage/build/

The following GitHub installation was done on a Gentoo operating system; differences for Kali and Ubuntu can be found under Notes in the relevant sections.


First, download and install the Bluetooth baseband library (libbtbb):

git clone https://github.com/greatscottgadgets/libbtbb.git
cd libbtbb
sudo make install

Note: if performing this on Ubuntu/Kali you need the following specific version:

Additionally, prior to compiling libbtbb, you need to ensure that pyusb and pyside-tools are installed on your system.


Next, download and install the Ubertooth host tools:

git clone https://github.com/greatscottgadgets/ubertooth.git
cd ubertooth/host
sudo make install

Note: if performing this on Ubuntu/Kali you need the following specific version:



Follow these instructions to compile the Ubertooth plugin into Kismet (the symlink below assumes the ubertooth clone sits beside the kismet directory):

wget http://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz
tar xf kismet-2011-03-R2.tar.gz
cd kismet-2011-03-R2
ln -s ../ubertooth/host/kismet/plugin-ubertooth ./
make && make plugins
sudo make suidinstall
sudo make plugins-install

Add pcapbtbb to the “logtypes=…” line in /etc/kismet.conf

Wireshark Plugin

First, edit wireshark/plugins/btbb/packet-btbb.c (inside the libbtbb tree) and add the following lines:

#include <wireshark/config.h>
#include <epan/epan.h>

Then build the plugin as usual (paths may need editing depending on your distribution/OS):

cd libbtbb/wireshark/plugins/btbb
cmake -DCMAKE_INSTALL_LIBDIR=/lib/modules/wireshark/<version>/plugins .
sudo make install

Note if performing this on Ubuntu/Kali you may need to alter the cmake command:

cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/wireshark/libwireshark1/plugins .

Using Ubertooth



Use this program to test the Ubertooth; you should see a stream of inquiry packets (LAP 0x9e8b33, the General Inquiry Access Code):


If you have output similar to the above, your device is working properly.


This allows you to identify devices in hidden/non-discoverable mode. You need an additional hciX interface, as the Ubertooth is not a fully fledged BT dongle, just a sniffer; here the Ubertooth grabs the LAP & UAP to form addresses, and hands off the inquiry to a proper BT dongle.



This allows you to follow the BT stream of a given device, so you don’t miss any packets:

Unfortunately, I have not found any personal devices that appear to track.  I believe the disadvantage here is that the Ubertooth cannot follow High-Speed devices.  Most of my personal Bluetooth devices are High-Speed and hence I am not capturing any data packets.

As soon as I can create a demo / working example I will repost here!


Bluetooth Low Energy (BTLE) is a slightly different protocol. Thanks to the efforts of Mike Ryan and the existing Ubertooth team, we have some early development programs to help us sniff BTLE devices:

To put the Ubertooth into promiscuous mode, use the ‘-p’ flag:


Warning: You will see a lot of garbage, but eventually it should lock on and automatically follow streams; you should then see data packets (packets that do not start with 01 00).

Put an LE device into discoverable mode. You should see advertising packets that look something like this:

systime=1349412883 freq=2402 addr=8e89bed6 delta_t=38.441 ms
00 17 ab cd ef 01 22 00 02 01 06 03 02 0d 18 06 ff 6b 00 03 00 00 02
0a 00 c2 87 64

Here freq=2402 is advertising channel 37 and addr=8e89bed6 is the fixed access address used on the advertising channels; the hex bytes are the 2-byte PDU header (00 17: type ADV_IND, 23-byte payload), the payload and the 3-byte CRC.

To explicitly follow a given BTLE address, use the command (where 01234567 is an address):

 ubertooth-btle -a01234567

Additional links & downloads


Simply run (you may need sudo, depending on your Kismet installation):

kismet -c ubertooth

As you can see from the picture above, some devices are only revealing their LAP (Lower Address Part), while other devices have had enough packets captured to additionally display their UAP (Upper Address Part).  Check the pcapbtbb logfile for potential data.  Additionally, you do not really need the first two bytes (the NAP, Non-significant Address Part) to interrogate devices, so with the UAP & LAP you can use other tools such as sdptool and rfcomm to talk to devices.
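The address bookkeeping behind that LAP/UAP display, as an added example (my own code, not part of the original post, Kismet or the Ubertooth project). A BD_ADDR is 48 bits laid out NAP (16) : UAP (8) : LAP (24); the sniffer learns the LAP from every packet and the UAP only after enough packets, while the NAP is never on the air. The observation list is constructed sample input, and filling the NAP with 00:00 when building a target address for sdptool/rfcomm is this example's assumption rather than something the post states.

```python
"""BD_ADDR arithmetic and per-device state for a BT classic sniffer log.

Added example for this post, not Kismet's or the Ubertooth project's code.
SAMPLE_OBSERVATIONS is constructed data; the 00:00 NAP placeholder in
target_address() is an assumption made here.
"""
from typing import Dict, List, Optional, Tuple

GIAC_LAP = 0x9E8B33   # General Inquiry Access Code LAP: inquiry packets, not a device


def split_bdaddr(bdaddr: str) -> Tuple[int, int, int]:
    """'00:22:01:EF:CD:AB' -> (nap=0x0022, uap=0x01, lap=0xEFCDAB)."""
    octets = bytes.fromhex(bdaddr.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("BD_ADDR must be 6 octets")
    return int.from_bytes(octets[:2], "big"), octets[2], int.from_bytes(octets[3:], "big")


def format_bdaddr(lap: int, uap: Optional[int] = None, nap: Optional[int] = None) -> str:
    """Render what is known so far; unknown parts print as ?? like a sniffer display."""
    nap_s = f"{nap >> 8:02X}:{nap & 0xFF:02X}" if nap is not None else "??:??"
    uap_s = f"{uap:02X}" if uap is not None else "??"
    return f"{nap_s}:{uap_s}:{(lap >> 16) & 0xFF:02X}:{(lap >> 8) & 0xFF:02X}:{lap & 0xFF:02X}"


def target_address(lap: int, uap: int) -> str:
    """Address to hand to sdptool/rfcomm once UAP and LAP are known.
    Assumption: the NAP is filled with 00:00 because paging only uses UAP+LAP."""
    return format_bdaddr(lap, uap, nap=0x0000)


class DeviceTable:
    """Merge per-packet observations keyed by LAP; the UAP is filled in once the
    sniffer has derived it, and the inquiry LAP is counted but never listed as a device."""

    def __init__(self) -> None:
        self.devices: Dict[int, dict] = {}
        self.inquiry_packets = 0

    def observe(self, lap: int, uap: Optional[int] = None) -> None:
        if lap == GIAC_LAP:
            self.inquiry_packets += 1
            return
        entry = self.devices.setdefault(lap, {"packets": 0, "uap": None})
        entry["packets"] += 1
        if uap is not None:
            if entry["uap"] is not None and entry["uap"] != uap:
                raise ValueError(f"conflicting UAP for LAP {lap:06X}")
            entry["uap"] = uap

    def report(self) -> List[str]:
        lines = []
        for lap, e in sorted(self.devices.items()):
            shown = format_bdaddr(lap, e["uap"])
            target = target_address(lap, e["uap"]) if e["uap"] is not None else "(need more packets)"
            lines.append(f"{shown} packets={e['packets']} target={target}")
        return lines


# Constructed observations: (LAP, UAP if the sniffer has derived it yet). Not real capture data.
SAMPLE_OBSERVATIONS = [
    (GIAC_LAP, None), (0x3D7F21, None), (GIAC_LAP, None), (0xA1B2C3, None),
    (0x3D7F21, None), (0x3D7F21, 0x5C), (0xA1B2C3, None), (0x3D7F21, 0x5C),
]


def run_sample() -> DeviceTable:
    table = DeviceTable()
    for lap, uap in SAMPLE_OBSERVATIONS:
        table.observe(lap, uap)
    return table


if __name__ == "__main__":
    t = run_sample()
    print(f"inquiry packets (LAP {GIAC_LAP:06X}): {t.inquiry_packets}")
    print("\n".join(t.report()))
```

Only the device whose UAP has been derived gets a usable target address; the other stays at "need more packets", which is exactly the LAP-only state visible in the Kismet screenshot.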


Simply open Kismet’s *.pcapbtbb file, and Wireshark should correctly decode your BT packets (provided the plugin is installed in the right plugin directory, usually /lib/modules/wireshark/plugins/<version>/).


Where Can I Purchase an Ubertooth?