
Ubertooth – Open-Source Bluetooth Sniffing

by on September 1, 2013


Background

A few years ago, some security-minded people and academics started looking into Bluetooth (BT) sniffing. Commercial solutions were expensive, and the community really needed something cheap and affordable. Dominic Spill and Andrea Bittau were, I think, the pioneers who discovered that some cheap $30 (USD) BT dongles could be re-flashed with a firmware that supported BT sniffing, and they created the open-source program csrsniff (http://darkircop.org/bt/bt.tgz), which allowed you to monitor the BT stream between devices.

Several white-papers and walkthroughs exist on the Internet; below is a small selection:

There are several problems with these cheap devices:

  • They may no longer work for no apparent reason.
  • They are no longer readily available.
  • They are incompatible with several other BT implementations/devices.

Michael Ossmann and Dominic Spill (circa 2009) thought that the above-mentioned solution was inadequate, and that the community needed something more appropriate. They then set about creating a truly open-source hardware and software solution for BT sniffing called the Ubertooth. To this day the Ubertooth is still quite rare and slightly more expensive at approximately $110 (USD), but still remarkably cheaper than its $2000+ (USD) commercial counterparts.

I highly recommend reading/viewing:

For Ubertooth updates the blog can be found at: http://ubertooth.blogspot.co.uk

In this post we will cover using the Ubertooth to perform BT sniffing.

UPDATE: You may wish to update your Ubertooth to the 2014-02-R1 Firmware

Installing Ubertooth Components

Below we will use the repositories on Dominic Spill’s Github page, rather than the downloadable files which can be found at: http://ubertooth.sourceforge.net/usage/build/

The following GitHub installation was done on a Gentoo system; differences for Kali and Ubuntu can be found under the notes in the relevant sections.

libbtbb

First download and install the Bluetooth baseband library:

git clone https://github.com/greatscottgadgets/libbtbb.git
cd libbtbb
make
sudo make install

Note: if performing this on Ubuntu/Kali you need the following specific version:
libbtbb-2012-10-R3.tar.xz

Additionally, prior to compiling libbtbb, you need to ensure that pyusb and pyside-tools are installed on your system.

Ubertooth-tools

Next download and install the Ubertooth files:

git clone https://github.com/greatscottgadgets/ubertooth.git
cd ubertooth/host
make
sudo make install

Note: if performing this on Ubuntu/Kali you need the following specific version:

ubertooth-2012-10-R1.tar.xz

Kismet

Follow these instructions to compile the Ubertooth plugin into Kismet:

wget http://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz
tar xf kismet-2011-03-R2.tar.gz
cd kismet-2011-03-R2
ln -s ../ubertooth/host/kismet/plugin-ubertooth ./
./configure
make && make plugins
sudo make suidinstall
sudo make plugins-install

Then add pcapbtbb to the “logtypes=…” line in /etc/kismet.conf.

Wireshark Plugin

First edit wireshark/plugins/btbb/packet-btbb.c, and add the following lines:

#include <wireshark/config.h>
#include <epan/epan.h>

Then build the modules as usual (paths may need editing depending on your distribution/OS):

cd libbtbb/wireshark/plugins/btbb
cmake -DCMAKE_INSTALL_LIBDIR=/lib/modules/wireshark/<version>/plugins .
make
sudo make install

Note: if performing this on Ubuntu/Kali you may need to alter the cmake command:

cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/wireshark/libwireshark1/plugins .

Using Ubertooth

Command-line

ubertooth-lap

Use this program to test the Ubertooth; you should see a bunch of inquiry packets (0x9e8b33):

ubertooth-lap

If you have similar output to above, be assured that your device is working properly.

ubertooth-scan

This allows you to identify devices in hidden/non-discoverable mode. You need an additional hciX interface, as the Ubertooth is not a fully fledged BT dongle – just a sniffer; here the Ubertooth grabs the LAP and UAP to form addresses, and hands off the inquiry to a proper BT dongle.

ubertooth-follow

This allows you to follow the BT stream of a given device, so you don't miss any packets:

Unfortunately, I have not found any personal devices that appear to track. I believe the disadvantage here is that the Ubertooth cannot follow High-Speed devices. Most of my personal Bluetooth devices are High-Speed and hence I am not capturing any data packets.

As soon as I can create a demo / working example I will repost here!

ubertooth-btle

Bluetooth Low Energy (BTLE) is a slightly different protocol; thanks to the efforts of Mike Ryan and the existing Ubertooth team, we have some early development programs to help us sniff BTLE devices:

To put the Ubertooth into promiscuous mode use the ‘-p’ flag:


Warning: you will see a lot of garbage, but eventually it should lock on and automatically follow streams; you should then see data packets (packets that do not start with 01 00).

Put an LE device into discoverable mode. You should see advertising packets that look something like this:

    systime=1349412883 freq=2402 addr=8e89bed6 delta_t=38.441 ms
    00 17 ab cd ef 01 22 00 02 01 06 03 02 0d 18 06 ff 6b 00 03 00 00 02
    0a 00 c2 87 64
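To make sense of a dump like the one above, here is an added example (not code from the original post or from the Ubertooth project) that parses the printed bytes as an LE advertising-channel PDU: the two header bytes, the advertiser address (sent least-significant byte first), the AD structures in the advertising data and the trailing 3-byte CRC. The sample bytes are copied from the dump above; the field layout and AD type numbers are those of the Bluetooth Core Specification.

```python
# Added example: decode the ubertooth-btle advertising dump into link-layer fields.
# Assumes the dump prints the PDU header first and the 3-byte CRC last, as above.

PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
             4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs", 0x0A: "TX Power",
            0xFF: "Manufacturer Specific"}
FLAG_BITS = {0x01: "LE Limited Discoverable", 0x02: "LE General Discoverable",
             0x04: "BR/EDR Not Supported"}
ADV_WITH_DATA = ("ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP")

# Sample copied from the ubertooth-btle output shown in the post.
SAMPLE = ("00 17 ab cd ef 01 22 00 02 01 06 03 02 0d 18 06 ff 6b 00 03 00 00 02 "
          "0a 00 c2 87 64")

def parse_ad_structures(data):
    """Split AdvData into (ad_type, payload) tuples; each structure is len, type, payload."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:               # a zero-length structure ends the significant part
            break
        if i + 1 + length > len(data):
            raise ValueError("truncated AD structure")
        out.append((data[i + 1], bytes(data[i + 2:i + 1 + length])))
        i += 1 + length
    return out

def decode_flags(payload):
    """Names of the set bits in a Flags (0x01) AD structure."""
    return [name for bit, name in FLAG_BITS.items() if payload[0] & bit]

def parse_adv_pdu(dump):
    raw = bytes.fromhex(dump.replace(" ", ""))
    if len(raw) < 2 + 3:
        raise ValueError("shorter than header plus CRC")
    header, length = raw[0], raw[1]
    body, crc = raw[2:-3], raw[-3:]
    if len(body) != length:           # length field counts the payload, not header or CRC
        raise ValueError(f"length field {length} != payload {len(body)}")
    pdu_type = PDU_TYPES.get(header & 0x0F, f"reserved({header & 0x0F})")
    adv_a = ":".join(f"{b:02x}" for b in reversed(body[:6]))   # LSB first over the air
    result = {"pdu_type": pdu_type, "random_addr": bool(header & 0x40),  # TxAdd bit
              "adv_a": adv_a, "crc": crc.hex()}
    if pdu_type in ADV_WITH_DATA:
        result["ad"] = parse_ad_structures(body[6:])
    return result
```

For the sample above this yields an ADV_IND from public address 00:22:01:ef:cd:ab carrying Flags, a 16-bit UUID list, manufacturer data and TX power, which is the structure a defender inspects when checking what a device leaks in its advertisements.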

To explicitly follow a given BTLE address use the command (where 01234567 is an address):

ubertooth-btle -a01234567

Additional links & downloads

Kismet

Simply run (you may need sudo, depending on your Kismet installation):

kismet -c ubertooth


As you can see from the picture above, some devices are just revealing their LAP (Lower Address Part), while other devices have had enough packets captured to additionally display their UAP (Upper Address Part). Check the pcapbtbb logfile for potential data. Additionally, you do not really need the first two bytes to interrogate devices, so with the UAP and LAP you can use other tools such as sdptool and rfcomm to talk to devices.

Wireshark

Simply open Kismet’s *.pcapbtbb file, and Wireshark should correctly decode your BT packets (provided the module is installed in the right plugin directory, usually /lib/modules/wireshark/plugins/<version>/).

Where Can I Purchase an Ubertooth?

6 Comments
  1. Dominic Spill permalink

    A great guide, it has been useful to many people getting started with the project, thanks for writing it.

    Unfortunately the URLs are now out of date, I’ve now moved the GitHub repositories to an organisational user. They are now available at:

    https://github.com/greatscottgadgets/libbtbb.git

    https://github.com/greatscottgadgets/ubertoooth.git

Trackbacks & Pingbacks

  1. codescaling | DIY Secure Boot, ArkOS, Android and Ubertooth – Snippets
  2. Bluetooth Sniffing – Why bother? | Pentura Labs's Blog
