Bluetooth traffic analysis is hard. Whilst most 802.11 chips support promiscuous mode, Bluetooth dongles cannot monitor all traffic due to a pseudo-random frequency hopping system. Previous attempts have recovered a small number of channels using software radio techniques but have required expensive equipment.
We will review the options available today for passive Bluetooth monitoring with an emphasis on software radio techniques. Although single channel monitoring with software radio has been demonstrated before, we will show how to extend the technique to all 79 channels and how to predict the target network's pseudo-random hopping sequence using passively collected information. We will also discuss the options available when a high end software radio device cannot be used and will show what we are currently able to achieve with off the shelf hardware for under $10. The presentation will feature live demonstrations of the current status of the gr-bluetooth project and a new release of the open source tools.
<strong>Dominic Spill</strong> is a grad student at Imperial College London. Having worked with GNU Radio and Bluetooth security for his undergraduate degree, he released his work to the community in 2007 and continues to actively participate in the gr-bluetooth project. His current research focus is reconfigurable hardware solutions for SDR applications.
<strong>Michael Ossmann</strong> is a wireless security researcher for the Institute for Telecommunication Sciences at the U.S. Department of Commerce Boulder Laboratories in Colorado. He currently develops software radio tools for security research both as a hobby and for his day job.
<strong>Mark Steward</strong> began investigating Bluetooth sniffing for his masters project at University College London, and has spent the last year as a sysadmin for the Royal Academy of Dramatic Art. He speaks four dead languages, including assembler.