Bluecasing: War Nibbling, Bluetooth and Petty Theft
Bluecasing* is the act of finding
devices to intrude into or steal via Bluetooth (general scanning is sometimes known as
War Nibbling). For those who do not know, Bluetooth
is a wireless networking technology that is geared more towards PANs (Personal
Area Networks), while Wi-Fi (802.11a/b/g etc.) is geared more towards LANs. An
oversimplified way to look at it is that Bluetooth is meant to be a wireless
replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless
replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and
other electronics are being shipped with Bluetooth capability so they can
communicate, either by sending audio or digital data to each other. For
example, your PDA tells your phone to dial a number and send the output to your
headset or car stereo. For more details on Bluetooth technology and its uses read the
following Wikipedia entry:
http://en.wikipedia.org/wiki/Bluetooth
You could see Bluecasing as being sort of like Wardriving, except
you are looking for Bluetooth devices instead of 802.11a/b/g/n access points. For
an example of thieves using Bluetooth signals to locate things to steal, read:
http://www.cambridge-news.co.uk/news/region_wide/2005/08/17/06967453-8002-45f8-b520-66b9bed6f29f.lpf
This article is not intended to help
people learn to steal expensive toys, but to cover the basics of how Bluetooth
devices find one another. Bluecasing/War Nibbling does not
have to be for larceny. Someone could merely be curious what devices are
out there or they may be planning to test for known exploits to retrieve personal
information from the devices (Bluesnarfing). For more in-depth technical information read Ollie
Whitehouse's article "War Nibbling: Bluetooth Insecurity" linked at the bottom
of this article. What follows is a brief synopsis of how Bluecasing is done, what
tools are used and what can be done to make it harder for thieves to find
Bluetooth devices.
Most Bluetooth stacks for Windows (Microsoft's, Widcomm) and Linux
(Bluez) will support some
kind of discovery. Here are a few of the user interfaces you might be familiar
with when searching for Bluetooth devices:
Windows:
Windows (Using Widcomm Stack):
Linux (KDE GUI):
Linux Command Line:
root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0

root@slax:~#
root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#
Pocket PC:
For the built-in discovery methods to work "allow discovery" must be enabled.
Windows XP and Vista with the default Microsoft Bluetooth stack have discovery
turned off by default. Other operating systems and Bluetooth stacks will vary. A
lot of cell phones I've run into seem to have discovery on by default, making
them easier to connect to your PAN but also easier to locate. Most devices allow
you to turn off discovery if you wish.
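The hciconfig output above tells you whether your own adapter is discoverable: ISCAN means it answers inquiry (discovery) probes, PSCAN means it only accepts connections from devices that already know its address. The following script is an added example, not part of the original article; it parses the hciconfig and hcitool output shown above (embedded here as a constructed sample) and reports the adapter's state.

```python
import re
# Constructed sample: the hciconfig and hcitool output shown in this article,
# embedded so the check runs offline (on a live box feed it the tools' real output).
SAMPLE_HCICONFIG = """\
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
"""
SAMPLE_HCITOOL_SCAN = """\
Scanning ...
        00:02:72:CA:14:6D       TestTop
"""
BDADDR_RE = re.compile(r"\b([0-9A-F]{2}(?::[0-9A-F]{2}){5})\b", re.I)

def parse_hciconfig(text):
    """Map adapter name -> {"bdaddr": str, "flags": set} from hciconfig output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(hci\d+):", line)
        if m:
            current = m.group(1)
            adapters[current] = {"bdaddr": None, "flags": set()}
        elif current and "BD Address:" in line:
            a = BDADDR_RE.search(line)
            adapters[current]["bdaddr"] = a.group(1).upper() if a else None
        elif current and line.split()[:1] in (["UP"], ["DOWN"]):
            adapters[current]["flags"] = set(line.split())  # e.g. UP RUNNING PSCAN ISCAN
    return adapters

def discoverability(flags):
    """ISCAN = answers inquiries, so 'hcitool scan' finds it; PSCAN = accepts pages only."""
    if "ISCAN" in flags:
        return "discoverable"      # stop answering inquiries with: hciconfig hci0 pscan
    if "PSCAN" in flags:
        return "connectable-only"  # already-paired devices still work, hidden from inquiry
    return "hidden"

def parse_scan(text):
    """Turn 'hcitool scan' lines into a list of (bdaddr, remote name)."""
    found = []
    for line in text.splitlines():
        m = BDADDR_RE.search(line)
        if m:
            found.append((m.group(1).upper(), line[m.end():].strip() or "(no name)"))
    return found

if __name__ == "__main__":
    for name, info in parse_hciconfig(SAMPLE_HCICONFIG).items():
        print(name, info["bdaddr"], discoverability(info["flags"]))
```

For the sample above the adapter reports "discoverable", which is exactly the state a Bluecaser is looking for; dropping to pscan keeps your own paired headset working while hiding the adapter from plain discovery scans.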
There are also purpose-made tools like BlueScanner or BTScanner for Linux (command line) or Windows XP (GUI). These tools are nice because of the quick access they give you to information such as device type and available services. The MS Windows ones I have tested require you to use Microsoft's Bluetooth stack (NOT Widcomm). All of the Linux tools I've seen need the BlueZ stack. Below are a few screen shots from these software packages.
BTScanner for Linux:
BlueScanner For Windows:
As you have probably guessed, if you don't want your device to be found you will choose to disable "allow discovery", but in versions of Bluetooth before 1.2 (which introduced "anonymity mode") it was possible to find cloaked devices by trying to connect to them via their BADDR (a 48-bit address that functions more or less like a MAC address does). Ollie Whitehouse wrote a tool called RedFang that will brute-force possible BADDRs and try to connect to them, thus finding devices even if they don't reply to a discovery probe. Since then tools like BTScanner for Linux have implemented the same technique (use the b key instead of the i key to start your scan), though I don't think many thieves Bluecasing would use this technique because of the amount of time it takes to iterate through the possible address space. Then again, with multiple dongles and multithreading, the discovery speed could be massively increased. It took a couple of tweaks to get BTScanner to compile on my Linux box, so you may just want to use the BackTrack Boot CD. To my knowledge no Windows tools exist that can brute-force BADDRs, but you can run the BackTrack CD in VMware Player and use a USB dongle. While BTScanner for Linux is not as pretty as its Windows counterpart, it has worked more reliably for me.
Choosing a device
If your laptop already comes with Bluetooth
you will probably just want to use what you have, but if not you need to choose a good
Bluetooth dongle to test Bluecasing with. Bluetooth comes in three power classes:
Class   | Power (mW) | Power (dBm) | Range (approximate) |
Class 1 | 100 mW     | 20 dBm      | 100 meters          |
Class 2 | 2.5 mW     | 4 dBm       | 10 meters           |
Class 3 | 1 mW       | 0 dBm       | 1 meter             |
Obviously, we want to select a device with as much oomph as we can get. I use an
MSI Star Key 2.0 USB Bluetooth 2.0 Transceiver because it's power class 1,
supports Bluetooth 2.0, gives you access to the Widcomm Bluetooth stack if you
need it and runs great under Linux with the BlueZ stack. You may also want to
Google around for directions on making directional antennas you can solder on to your
Bluetooth dongle, thus increasing its range.
Keep in mind that just because someone can find a device does not mean they can exploit it; bonding PINs and other security features will most likely keep data intruders at bay (if implemented correctly). However, some phones are susceptible to Bluesnarfing attacks (see the video in the links section) and to social engineering via Bluejacking.
Special thanks go out to Nick84 at
Rootsecure.net for providing some of the pictures in this article.
Tools and Links
Ollie Whitehouse's article "War Nibbling: Bluetooth Insecurity" kindly
mirrored by RootSecure.net
http://www.rootsecure.net/content/downloads/pdf/atstake_war_nibbling.pdf
Intro To Bluesnarfing By Williamc and Twinvega
http://www.irongeek.com/i.php?page=videos/bluesnarf1
BlueScanner
http://www.bluescanner.org/
BTScanner for Linux (command line) or Windows XP (GUI)
http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=downloads
Trifinite, the best site out there for Bluetooth security information
http://trifinite.org/
BlueZ – The official Bluetooth stack for Linux
http://www.bluez.org/
MSI Star Key 2.0 USB Bluetooth 2.0 Transceiver on New Egg
http://www.newegg.com/Product/Product.asp?Item=N82E16833158122
RedFang
http://www.securiteam.com/tools/5JP0I1FAAE.html
BackTrack Boot CD
http://www.remote-exploit.org/index.php/Main_Page
*Bluecasing is a concatenation of Blue (as in Bluetooth) and Casing (as in
"Casing the joint"). Yes, it's a term I just made up, but it sure does sound
good, does it not?