Be afraid. It’s easier for your phone to get owned than you think. I’m listening to some Shmoo gurus on Bluetooth discovery.
Finding a device
- send out inquiry, who’s out there?
- devices report back in, “Hey, I’m here”
- you can set your device to be undiscoverable
- you need to know a specific MAC address to send a connection request to
- it’s good for security but a pain in the butt for usability
Bluetooth is spread out throughout the spectrum. To find a device, you have to hop around the spectrum sending out requests and waiting for responses.
Pairing
- first step of Bluetooth security. It only happens once.
- Shared secret (PIN) on both sides
- PIN search space pretty small (4 digits), manufacturer defaults are usually pretty insecure (0000).
- If you can intercept pairing transaction, you’re golden. You can then brute force crack a small set of keys, one of which will work.
- You can do authentication on a little bit or a lot of your communication. It’s pretty flexible.
- Why is security always optional?
Defaults
- Manufacturer defaults are stupid and insecure
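To put numbers on the "intercept the pairing, then brute force" point and the default-PIN point above, here is an added example (mine, not from the talk). It uses a toy HMAC-based key derivation as a stand-in for Bluetooth's real pairing algorithms, so the search-space argument can be run offline; the 16-character PIN and the default list beyond 0000 are constructed values.

```python
import hashlib
import hmac
import itertools
import os
import string

# Manufacturer defaults the talk warns about: 0000 is the one it names,
# the rest are constructed for this example.
DEFAULT_PINS = {"0000", "1234", "1111", "9999"}


def derive_link_key(pin: str, rand: bytes) -> bytes:
    """Toy stand-in for PIN-based key derivation (NOT Bluetooth's real E22)."""
    return hmac.new(pin.encode(), rand, hashlib.sha256).digest()


def confirmation_tag(key: bytes) -> bytes:
    """Toy key-confirmation value exchanged during pairing."""
    return hmac.new(key, b"pairing-confirm", hashlib.sha256).digest()


def pairing_transcript(pin: str) -> tuple:
    """What a passive observer of the pairing sees: the public random value
    and the confirmation tag. The PIN and link key are never transmitted."""
    rand = os.urandom(16)
    return rand, confirmation_tag(derive_link_key(pin, rand))


def alphabet_for(pin: str) -> str:
    """Character set the PIN policy allows: digits only, or alphanumeric."""
    return string.digits if pin.isdigit() else string.digits + string.ascii_letters


def guesses_to_recover(rand: bytes, tag: bytes, pin_length: int,
                       alphabet: str, budget: int):
    """How many offline guesses a captured transcript needs before it
    confirms the PIN; None if the guess budget runs out first."""
    for guesses, cand in enumerate(itertools.product(alphabet, repeat=pin_length), 1):
        if guesses > budget:
            return None
        key = derive_link_key("".join(cand), rand)
        if hmac.compare_digest(confirmation_tag(key), tag):
            return guesses
    return None


def assess_pin(pin: str) -> dict:
    """Defender-side check: is the PIN a known default, and how many
    candidates must an observer with a captured transcript cover?"""
    return {"default": pin in DEFAULT_PINS,
            "search_space": len(alphabet_for(pin)) ** len(pin)}
```

With a 4-digit numeric PIN the whole space is 10,000 guesses and the transcript confirms the right one almost immediately; a 16-character alphanumeric PIN is not found within the same budget.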
Profiles
- Good for interop
- For a specific device, talk like this.
- Anyone can create a bluetooth profile. Differences between Hands free and headset profile kill interop.
Embedded Devices
- if you use too many resources on an embedded device, it’ll bork out and you’ll have to reboot (aka 3650)
- It’s great for tracking, and that could be good or bad, depending on how you look at it.
- Tracking executives. All the VPs head into a conference room at a weird time, who's cheating on whom in the office, etc.
Finding Undiscoverable Devices