Less Radiation

Ubertooth – Bluetooth sniffing for under £100.

A Youtube presentation by the developer, Michael Ossmann.

Until now, sniffing and injecting packets into Bluetooth communication hasn’t been possible for the man in the street. Commercial Bluetooth packet sniffers cost $10,000 and were typically only bought by large companies for troubleshooting their own products. The firmware in a standard Bluetooth dongle doesn’t allow you to grab hold of the radio, in the way you can with a WiFi card.

The Ubertooth USB dongle will change this for under £100.

The Ubertooth device grabs a chunk of 2.4GHz spectrum and your PC processes it. Makes passive detection of Bluetooth devices possible without shelling out £1000 for a USRP. It will be possible to predict Bluetooth hopping pattern. It will also be possible to do man-in-the-middle attacks using two Ubertooths. The hardware is capable of both these things, but the software hasn’t been written yet. Be patient.

UK Buyers can pre-order from RFIDIOt.org.
US buyers can pre-order from HakShop

Ubertooth running a 2.4GHz Spectrum Analyser.

I just tested my own Ubertooth on Friday night. I’m running a standard PC with Ubuntu 10.10 installed. If you follow the guide by HarvestGardener (link below) you’ll have your Ubertooth tested in around 15 minutes:

www.backtrack-linux.org/forums/backtrack-5-how-tos/41552-installing-ubertooth-one-bt5.html

There is one typo in the guide mentioned above, line that reads:
tar xvf libbtb.0.5.tgz
should actually read:
tar xvf libbtbb.0.5.tgz

Useful links:
https://lists.sourceforge.net/lists/listinfo/ubertooth-general
http://ossmann.blogspot.com/
http://ubertooth.sourceforge.net/

Ubertooth, Funcube Dongle Pro and Sparkfun IOIO for Android.

Three brand new innovative products, all coming out around the same time. All in limited supply, and all completely brilliant!

Ubertooth – Bluetooth sniffing for under £100.

Until now sniffing and injecting packets into Bluetooth communication hasn’t been possible for the man in the street.

The Ubertooth USB dongle will change this for under £100.

The USB adapter just grabs a chunk of 2.4GHz spectrum and your PC processes it. Makes passive detection of Bluetooth devices possible without shelling out £1000 for a USRP. It will be possible to predict Bluetooth hopping pattern. It will also be possible to do man-in-the-middle attacks using two Ubertooths.

UK Buyers can pre-order from RFIDIOt.org. US buyers can pre-order from HakShop

FUNcube Dongle Pro – all frequency audio scanner for under £100.

Another USB dongle featuring three SMD chips to perform a custom task. This dongle is very different from the Ubertooth, but in some ways more amazing.

It can grab up to a 80KHz chunk of radio spectrum from anywhere between 64MHz and 1700MHz (although there is a dead spot between 1100MHz and 1270MHz). It will basically do most things your fancy-pants £1000+ standalone radio scanner will do, for just £100. Basically good for speech & data, but not really video. Works with Windows. Mac OSX & Linux. Appears to PC as a USB audio device & a HID device. Plenty of open source software available to drive it. Interestingly the FUNcube Pro is mentioned on the Osmocom Tetra page.

The only downside is that each batch the designer has made are currently selling out in 2 minutes, when he releases them. Find out more at FUNcube Dongle

Sparkfun IOIO for Android – attach anything to your Android smartphone for under £50.

A really simple way to attach almost any electronic component to your Android Smartphone or Tablet. Thousands of uses will be found. Things will be invented!

This board consists of a USB to Everything adapter & a library of script & device drivers (a bit like an Arduino sketch but in Java). All the computing power & sensors in your Android smartphone available to motors, LEDs, weather stations, robots, PIRs, analog sensors, digital sensors. Just imagine the possibilities. Runs on Android 1.5 & up, so even all those sub-£50 used Android phones will work with it.

www.SparkFun.com

Interesting article in New Scientist this week. Karsten Nohl has assessed various manufacturers keyfob immobilisers and concluded that most of the older 40 & 48 bit AES systems are now hackable. Last year he took 6 hours to discover the algorithm used to create the encryption key in a Hitag 2 system. Armed with that algorithm he could in theory unlock any car using NXP Semiconductors Hitag 2 system – according to New Scientist.

Security professionals now believe a move to 128 bit immobilisers is the way forward. Both Texas Instruments & NXP now offer 128 bit AES systems – which would take so long to crack that it’s not worth even trying. Apparently, the car manufacturers don’t see the urgency to switch. They point out that any car can still be removed by a thief using a flat-bed truck & a GPS/GSM radio jammer.

We’ve written previously about crimes here in the UK, involving the theft of laptops & phone from cars by thieves using jammers to stop the owners locking their car doors using the immobiliser keyfobs. Now, in theory at least, they can take your car too.

Security researchers unveiled a $100 hardware & software package capable of reading traffic from the wireless data stream generated by Nordic Semiconductor chipset devices. This chipset is used by Microsoft’s wireless keyboards and they are now believed to be vulnerable to attack.

No need to go inside a building to plant an old fashioned keylogger, just point a yagi antenna at the building you’re interested in. If our own experience with low-power Bluetooth devices is anything to go by, then you could easily be reading keystrokes from several hundred metres away with the right directional antenna.

It’s thought that Logitech keyboards are safe for now as they use AES encryption. The Microsoft keyboards use a simpler XOR encryption scheme. You should also be wary of those cheap £20 wireless keyboard and mouse packs too.

The project has been christened ‘Keykeriki’, apparently it’s German for ‘Cock-a-Doodle-Do’.

There’s talk of a software version for owners of the USRP. Otherwise circuit diagrams and download firmware are available from the links below.

http://www.remote-exploit.org/?page_id=187

http://www.theregister.co.uk/2010/03/26/open_source_wireless_sniffer/

http://www.remote-exploit.org/

https://www.dreamlab.net/files/press/Dreamlab-Technologies_Pressrelease_Wireless-Keyboard_en.pdf

I recently bought a Sony PS3 for my son & I to use. I’m grateful to note that if you use wired USB controllers & a wired Ethernet connection it’s an Electrosmog free experience.

I ordered up a 2nd  DUALSHOCK WIRELESS controller (which I use wired) and was puzzled by the document that comes with it. It states that the use of WLAN is governed in Italy & Norway. Wow, I think, this IS progress!

I didn’t investigate the Italy story yet, but the Norway angle is fascinating. The instructions state that the PS3 game controller is not to be used within a 20km area around the centre of Ny-Alesund, Svalbard. What possible harm can a controller with a range of maybe 3 metres do 20km away ?

I briefly imagined that this must be some kind of forward thinking eco-town. But it isn’t, it’s a research station of some kind. You can read more about it via WikiPedia

Taken from an article by Lisa Adams of the Scottish Daily Record about Electrosensitivity – published 08/09/2008 :

IT’S called an allergy to modern life and half of Scots in the next 10 years could be at risk from this crippling illness, according to scientific research.

Victims of the condition, which is triggered by electromagnetic waves from mobile phones, power lines, microwaves and computers, suffer headaches, crushing chest pains, nose bleeds and a loss of feeling in arms and legs.

Experts report that up to 1.5million people in the UK already have their lives blighted by electro-sensitivity, with symptoms that also include heart palpitations, tiredness, fainting, light sensitivity and skin problems.

Mike Bell, chairman of the Radiation Research Trust, said: “We are seeing a significant increase in enquiries from individuals suffering from these symptoms.

“We’re concerned that many people could be living with health-related electro-sensitivity symptoms without realising the cause.

“Doctors in the UK are not trained to recognise this condition. They could be misdiagnosing patients and treating them with drugs rather than investigating the cause.”

One victim has compared the condition with life as a human aerial – their body overreacting to electrical waves in the environment. Today, as a scientific conference opens in London, public health expert Dr Gerd Oberfeld will predict that if current trends continue, up to 50 per cent of people could suffer from electro sensitivity symptoms in the next 10 years.

The World Health Organisation is also backing research, stating that: “Electrical hypersensitivity is a real and sometimes disabling condition.”

Sufferers are particularly vulnerable to the £2.5billion police communication system Tetra – Terrestrial Trunked Radio – which has been introduced throughout the UK. In the past three years, more than 1000 masts have been erected in Scotland. They pulse at 17.6hertz – above the 16Hz frequency the Government’s Independent Expert Group on Mobile Phones warns might affect brain activity.

Experts say radio waves at this frequency can cause calcium to leak from the brain, causing damage to the nervous and immune systems. If the masts are less than 15 metres high, they don’t need planning permission.

Former Norwegian Prime Minister Harlem Brundtland suffers from electro-sensitivity.

She said: “I felt a local warmth around my ear. But the agony got worse. It turned to discomfort and headaches every time I used a mobile phone.

“Some people develop sensitivity to electricity and radiation from equipment such as mobile phones or PCs.

“If this can lead to adverse health effects such as cancer or other diseases, we do not know yet. But I think we should follow the precautionary principle.”

No, we’re not suggesting getting your mobile phone wet.

New Scientist magazine reported yesterday – researchers have put up several Bluetooth monitoring points around Bath town centre. As around 50% of people that own mobiles walk around with Bluetooth enabled, the researchers were able to track peoples movements and social interactions around the town centre. (For ‘Social Interaction’ read – blokes beaming porn to each other in the pub.)

Vassilis Kostakos from the University of Bath sited four Bluetooth transmitters in the city centre. If you live in Bath and were wondering why your battery has been going flatter quicker, now you know why.

Vassilis’s tracking stations have been beaming out Bluetooth Inquiry Requests to every phone with Bluetooth enabled, and each time a visible Bluetooth phone receives an Inquiry Request it transmits a packet back to the device querying it. This packet contains the phones unique Bluetooth OUI, which is burned into each cellphones firmware.

The OUI is in the form 00:11:22:33:55:FF and the first 3 pairs identify the manufacturer of the device. Also, they would be able to collect your phone name, which is the identifier you can edit yourself – a lot of people change this to their real name, or nickname.

Of course it’s also possible to track someone using the regular GSM phone signal, by using several masts to triangulate the signal – but this is only good to a few hundred metres in the most ideal conditions – and unlike Bluetooth tracking, it’s not easy for an amateur to setup.

Vassilis’s experiment proves that using a combination of GSM & Bluetooth, you could track an individual at close range. If you were privy to the phone companies inside information you could look up the IMEI number in their database to find the home address of any individual… hypothetically of course!

Bluetooth is normally a short range technology, 10 metres for most phones and 100m for Bluetooth on a PC. However, our own experiments with modified USB Bluetooth dongles & external antennas show that you can pickup the signals from Bluetooth devices comfortably at 700 metres with a directional dish antenna.