
Blackhat 2006: 'Bluebag' detects Bluetooth devices within 200


Humphrey Cheung
August 9, 2006 

Las Vegas (NV) - A pair of Italian hackers has created the lazy man's 
Bluetooth scanner by cramming eight Bluetooth dongles and a miniature 
computer into a rolling luggage case. While Bluetooth scanning has been 
around for a few years, the "BlueBag" case uses an extra omnidirectional 
antenna to prescan the area. The pair says the Bluebag can detect devices 
up to 200 meters (about 600 feet) away and can run for up to 10 hours 
without power.

Claudio Merloni and Luca Carettoni said they built the BlueBag because 
they wanted to raise awareness about Bluetooth vulnerabilities. The pair 
was dissatisfied with traditional Bluetooth scanning which required 
walking around with a laptop. "You can't walk around a shopping mall or an 
airport with a laptop," said Merloni during his talk at the Blackhat 
security conference in Las Vegas.

The hardware was assembled in about one day, but Merloni and Carettoni 
said the software and reliability testing took much longer. Inside the 
hard-shell case is a Via Mini-ITX motherboard, a 1.8" hard drive taken 
from an iPod, and nine Bluetooth dongles. One of the dongles is connected 
to an omni-directional 5 dB antenna.

The entire rig is autonomously powered with a 26 amp-hour lead-acid 
battery, which according to Merloni lasts up to 10 hours. The pair hacked 
together their own power converter/regulator and even converted the 
luggage key socket into the on/off switch. They can covertly insert and 
turn a key to turn the computer off and on.

Gentoo Linux version 2.6 with the BlueZ Bluetooth drivers was installed on 
the hard drive and custom Python scanning scripts were written. The 
Bluebag can be controlled wirelessly through a web browser from a PDA or 
full-sized laptop. While this is similar to other Bluetooth scanning 
projects, the BlueBag can gain more information about devices by 

The omni-directional antenna constantly scans the area and detects the 
presence of Bluetooth devices. This information is then offloaded to the 
other eight antennas that are now ready to gain more detailed information 
as the device gets into closer range.

Merloni said that the Bluebag could be modified to send keyloggers, 
sniffers and worms, but he hasn't actually tried it yet. He adds that the 
rig does have a "stupid test" which sees if people will accept an 
anonymous Bluetooth transfer. These transfer requests show up as dialog 
boxes on the victim's phone or device and Merloni is "amazed" at how many 
people actually accept the transfers. Up to 70% of people accepted the 
anonymous transfers.

In initial tests, the Bluebag detected 1405 unique devices in less than 24 
hours of scanning in shopping malls, train stations and airports. They say 
93% of the detected devices were mobile phones and 3% were computers. PDAs 
and GPS devices came in at 2% and 1%, respectively.

One problem with the Bluebag is that it can knock out wireless networks 
when it's turned on. Bluetooth shares the same frequency band as many 
computer wireless networks and Merloni said, "It destroys all wireless 
networks in the area."
