A few years ago, some security-minded people and academics started looking into Bluetooth (BT) sniffing. Commercial solutions were expensive, and the community really needed something affordable. Dominic Spill and Andrea Bittau were, I think, the pioneers who discovered that some cheap $30 (USD) BT dongles could be re-flashed with firmware that supported BT sniffing, and they created the open-source program csrsniff (http://darkircop.org/bt/bt.tgz), which allows you to monitor the BT stream between devices.
Several white papers and walkthroughs exist on the Internet; below is a small selection:
- http://remote-exploit.org/research/busting_bluetooth_myth.pdf
- http://bluetooth-pentest.narod.ru/doc/bluetooth_sniffing_for_less.txt
There are several problems with these cheap devices:
- They may no longer work for no apparent reason.
- They are no longer readily available.
- They are incompatible with several other BT implementations/devices.
Michael Ossmann and Dominic Spill (circa 2009) thought that the above-mentioned solution was bad, and that the community needed something more appropriate. They then went about creating a truly open-source hardware and software solution for BT sniffing called the Ubertooth. To this day the Ubertooth is still quite rare and slightly more expensive at approximately $110 (USD), but still remarkably cheaper than its $2000+ (USD) commercial counterparts.
I highly recommend reading/viewing:
- Project Ubertooth: Building a Better Bluetooth Adapter
- http://www.youtube.com/watch?v=HU5qi7wimAM
- https://dominicspill.com/kiwicon/Spill-Ubertooth-Kiwicon-2012.pdf
For Ubertooth updates the blog can be found at: http://ubertooth.blogspot.co.uk
In this post we will cover using the Ubertooth to perform BT sniffing.
UPDATE: You may wish to update your Ubertooth to the 2014-02-R1 Firmware
Installing Ubertooth Components
Below we will use the repositories on Dominic Spill’s GitHub page, rather than the downloadable files, which can be found at: http://ubertooth.sourceforge.net/usage/build/
The following GitHub installation was done on a Gentoo operating system; differences for Kali and Ubuntu can be found under the notes in the relevant sections.
libbtbb
First download and install the bluetooth libraries:
git clone https://github.com/greatscottgadgets/libbtbb.git
cd libbtbb
make
sudo make install
Note if performing this on Ubuntu/Kali you need the following specific version:
libbtbb-2012-10-R3.tar.xz
Additionally, prior to compiling libbtbb, you need to ensure that pyusb and pyside-tools are installed on your system.
Ubertooth-tools
Next download and install the Ubertooth files:
git clone https://github.com/greatscottgadgets/ubertooth.git
cd ubertooth/host
make
sudo make install
Note if performing this on Ubuntu/Kali you need the following specific version:
ubertooth-2012-10-R1.tar.xz
Kismet
Follow these instructions to compile the Ubertooth plugin into Kismet:
wget http://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz
tar xf kismet-2011-03-R2.tar.gz
cd kismet-2011-03-R2
ln -s ../ubertooth/host/kismet/plugin-ubertooth ./
./configure
make && make plugins
sudo make suidinstall
sudo make plugins-install
Then add pcapbtbb to the “logtypes=…” line in /etc/kismet.conf
Wireshark Plugin
First edit wireshark/plugins/btbb/packet-btbb.c, and add the following lines:
#include <wireshark/config.h>
#include <epan/epan.h>
Then build the modules as usual (paths may need editing depending on your distribution/OS):
cd libbtbb/wireshark/plugins/btbb
cmake -DCMAKE_INSTALL_LIBDIR=/lib/modules/wireshark/<version>/plugins .
make
sudo make install
Note if performing this on Ubuntu/Kali you may need to alter the cmake command:
cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/wireshark/libwireshark1/plugins .
Using Ubertooth
Command-line
ubertooth-lap
Use this program to test the Ubertooth. You should see a bunch of inquiry packets (0x9e8b33):

If you have similar output to above, be assured that your device is working properly.
ubertooth-scan
This allows you to identify devices in hidden/non-discoverable mode. You need an additional hciX interface, as the Ubertooth is not a fully fledged BT dongle, just a sniffer. Here the Ubertooth grabs the LAP and UAP to form addresses, and hands off inquiry to a proper BT dongle.

ubertooth-follow
This allows you to follow the BT stream of a given device, so you don't miss any packets:
Unfortunately, I have not found any personal devices that appear to track. I believe the disadvantage here is that the Ubertooth cannot follow High-Speed devices. Most of my personal Bluetooth devices are High-Speed and hence I am not capturing any data packets.
As soon as I can create a demo / working example I will repost here!
ubertooth-btle
Bluetooth Low Energy (BTLE) is a slightly different protocol. Thanks to the efforts of Mike Ryan and the existing Ubertooth team, we have some early development programs to help us sniff BTLE devices.
To put the Ubertooth into promiscuous mode use the ‘-p’ flag:

Warning: You will see a lot of garbage, but eventually it should lock on and automatically follow streams. You should then see data packets (packets that do not start 01 00).
Put an LE device into discoverable mode. You should see advertising packets that look something like this:
systime=1349412883 freq=2402 addr=8e89bed6 delta_t=38.441 ms
00 17 ab cd ef 01 22 00 02 01 06 03 02 0d 18 06 ff 6b 00 03 00 00 02 0a 00 c2 87 64
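The advertising packet quoted above is sent in the clear, so its fields can be decoded directly. The following is an added example, not part of the original post or the Ubertooth tools; it assumes the hex line holds the 2-byte PDU header, the payload and a trailing 3-byte CRC, and the function and table names are hypothetical.

```python
# Constructed input: the advertising packet quoted in the post
# (2-byte header, payload, 3-byte CRC as assumed in the lead-in).
SAMPLE = ("00 17 ab cd ef 01 22 00 02 01 06 03 02 0d 18 "
          "06 ff 6b 00 03 00 00 02 0a 00 c2 87 64")

PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
# PDU types whose payload is AdvA followed by a list of AD structures.
HAS_AD_DATA = {0, 2, 4, 6}
AD_TYPES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs",
            0x03: "Complete 16-bit UUIDs", 0x09: "Complete Local Name",
            0x0A: "TX Power Level", 0xFF: "Manufacturer Specific"}


def parse_adv(hexdump):
    """Decode one advertising-channel packet given as space-separated hex."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 2 + 6 + 3:
        raise ValueError("too short for header + AdvA + CRC")
    pdu_type, length = raw[0] & 0x0F, raw[1] & 0x3F
    if len(raw) != 2 + length + 3:
        raise ValueError("length field does not match captured bytes")
    payload, crc = raw[2:2 + length], raw[2 + length:]
    # AdvA is transmitted least-significant byte first; reverse for display.
    adv_a = ":".join(f"{b:02x}" for b in reversed(payload[:6]))
    fields, data, i = [], payload[6:], 0
    while pdu_type in HAS_AD_DATA and i < len(data):
        n = data[i]                       # length of type byte + value
        if n == 0:                        # zero length ends the AD list
            break
        if i + 1 + n > len(data):
            raise ValueError("AD structure overruns the payload")
        ad_type, value = data[i + 1], data[i + 2:i + 1 + n]
        fields.append((AD_TYPES.get(ad_type, f"0x{ad_type:02x}"), value))
        i += 1 + n
    return {"pdu": PDU_TYPES.get(pdu_type, "reserved"),
            "random_addr": bool(raw[0] & 0x40),   # TxAdd header bit
            "adv_a": adv_a, "fields": fields, "crc": crc.hex()}


if __name__ == "__main__":
    pkt = parse_adv(SAMPLE)
    print(pkt["pdu"], pkt["adv_a"], "random" if pkt["random_addr"] else "public")
    for name, value in pkt["fields"]:
        print(f"  {name}: {value.hex()}")
```

For the quoted packet this yields an ADV_IND from public address 00:22:01:ef:cd:ab carrying flags, a 16-bit service UUID, manufacturer data and a TX power level, which is what the device discloses to any passive listener.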
To explicitly follow a given BTLE address use the command (where 01234567 is an address):
ubertooth-btle -a01234567
Additional links & downloads
- http://lacklustre.net/bluetooth/bluetooth_smart_good_bad_ugly_fix-mikeryan-blackhat_2013.pdf
- http://lacklustre.net/projects/crackle/
Kismet
Simply run (you may need sudo, depending on your kismet installation):
kismet -c ubertooth

As you can see from the picture above, some devices are just revealing their LAP (Lower Address Part), while other devices have had enough packets captured to additionally display their UAP (Upper Address Part). Check the pcapbtbb logfile for potential data. Additionally, you do not really need the first two bytes to interrogate devices, so with the UAP and LAP you can use other tools such as sdptool and rfcomm to talk to devices.
Wireshark
Simply open Kismet’s *.pcapbtbb file, and Wireshark should correctly decode your BT packets, provided the module is installed in the right plugin directory (usually /lib/modules/wireshark/plugins/<version>/).
