
Bluetooth Monitoring


Summary

Excerpt From Bluetooth Vulnerabilities (Part 1) Webinar
Learn About Bluetooth Monitoring with CTO Dr. Brett Walkenhorst
Bluetooth sniffers allow Bluetooth traffic to be monitored passively and actively, revealing a device's capabilities, identifying information, and potentially sensitive data in transit. CTO Dr. Brett Walkenhorst explains the technical components of sniffing, such as Bluetooth device hopping patterns and variations in encryption methods. To find out more about how these sniffing capabilities affect Bluetooth network security and privacy, watch this brief video.

Video Transcript

The idea here is that there are sniffers out there, Bluetooth sniffers that are available, like the dongle that you see at the right. This is a Nordic Semiconductor device, an nRF chip, that you just plug into USB on a host and you can control it. It's got embedded antennas on it.

So you can use this to sniff Bluetooth Low Energy packets. There are lots of different options for doing this for Bluetooth Low Energy. There are fewer for Bluetooth Classic, I think perhaps because BLE has had so much attention in recent years. I don't know whether that will change, but there are lots of options available for doing this sniffing.

You can do it passively, where you're just listening to what's being sent, or you can do it actively, where you're requesting additional information. So this commonly happens with advertising packets, where maybe you hear something that sounds kind of interesting: this might be something I want to attack.

I'm going to send out a scan request and it's going to send a response that has some more information that might be useful to me. I can listen to advertising packets, like I just mentioned. These contain device information and capabilities, and in some cases they might contain data. So there's a mode available where broadcast packets can utilize the advertising structure and those three dedicated advertising channels to send the data itself.

But maybe I want to listen to connected devices. Those might be sharing sensitive data, and I've already talked about how I can break encryption. So maybe I can sniff that: if I can break the key, I can get whatever information I want. And then of course there are other things that are possible if I break the encryption; I can inject information. But just focusing on the monitoring, the problem comes in the fact that these devices are hopping around in frequency.

Right? So how do I do that? Well, I can listen to the connection itself. When these devices are connecting, I can listen and capture all the relevant information that I need in order to follow those devices across their hopping pattern. There are different fields that you'd need to know depending on the algorithm that's used, and the algorithms vary. One, as you see at the top right side of the slide, is a fixed hopping increment, modulo 37, that just runs through the different channels. And below that is a histogram to show you that it's a pretty even distribution across all the channels.

That's to be expected; it's just hopping with a fixed increment. There's another algorithm that uses a more random approach to hopping, and that's going to be a little more difficult to interpret. Again, if you've got all those fields, then you know exactly where they're headed next.
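The fixed-increment hopping described above is Bluetooth LE Channel Selection Algorithm #1, written out here as an added example that is not part of the webinar or Bastille's material. The hop increment and channel map are the connection-setup fields a sniffer needs to follow a link; the parameter values below are constructed, and the histogram check shows why the even distribution on the slide is expected: 37 is prime, so every allowed increment visits each enabled channel exactly once per 37 hops.

```python
from collections import Counter

DATA_CHANNELS = 37  # LE data channels 0..36; 37, 38 and 39 are the advertising channels
ALL_CHANNELS = (1 << DATA_CHANNELS) - 1  # channel map bitmask with every data channel enabled


def csa1_step(last_unmapped: int, hop_increment: int, channel_map: int) -> tuple:
    """One hop of LE Channel Selection Algorithm #1.

    The unmapped channel advances by a fixed increment modulo 37. If that channel
    is disabled in the channel map, the hop is remapped onto the list of enabled
    channels. Returns (new_unmapped_channel, channel_actually_used).
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError("hopIncrement must be in 5..16")
    used = [ch for ch in range(DATA_CHANNELS) if channel_map >> ch & 1]
    if len(used) < 2:
        raise ValueError("channel map must enable at least two data channels")
    unmapped = (last_unmapped + hop_increment) % DATA_CHANNELS
    if channel_map >> unmapped & 1:
        return unmapped, unmapped
    return unmapped, used[unmapped % len(used)]  # remapping onto an enabled channel


def csa1_sequence(hop_increment: int, channel_map: int, hops: int, start_unmapped: int = 0) -> list:
    """Channels a CSA#1 connection will use over the next `hops` connection events.

    With the hop increment and channel map captured from connection setup, this is
    exactly the prediction a follower (legitimate peer or sniffer) has to make.
    """
    seq = []
    unmapped = start_unmapped
    for _ in range(hops):
        unmapped, used = csa1_step(unmapped, hop_increment, channel_map)
        seq.append(used)
    return seq


def channel_histogram(seq: list) -> Counter:
    """Per-channel hit count, the histogram shown on the slide."""
    return Counter(seq)


if __name__ == "__main__":
    # Constructed parameters: increment 7, all 37 channels enabled, 10 full cycles.
    hist = channel_histogram(csa1_sequence(7, ALL_CHANNELS, 37 * 10))
    print(sorted(hist.items()))  # every channel appears exactly 10 times
    # Constructed channel map with channel 0 disabled: hops landing on 0 remap to channel 1.
    print(sorted(channel_histogram(csa1_sequence(7, ALL_CHANNELS & ~1, 74)).items()))
```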
