Bluetooth sniffing technology solution
In recent years, Bluetooth technology has spread and developed at an unprecedented pace, and its coverage on mobile devices is especially striking. Bluetooth has become the primary connection method for wireless accessories and smart devices. Unfortunately, recent research has shown that the two-level stream encryption scheme adopted by Bluetooth has many flaws, and user privacy is potentially compromised. At the same time, new communication software that uses Bluetooth to transmit information is being used in illegal and criminal activities, seriously affecting social harmony and stability. In the face of these developments, we should actively take countermeasures and strengthen research on Bluetooth sniffing.
1. Bluetooth sniffing technical background
1.1 Bluetooth technology
Bluetooth is a short-range wireless data exchange technology. A Bluetooth network formed by a master device and one or more slave devices is called a piconet. Bluetooth is widely used for short-distance wireless communication because of its low power consumption, low cost and flexibility. To suit practical needs, the maximum transmission power of Bluetooth devices is divided into three levels, and the coverage range changes with the power level. Currently, the Bluetooth SIG oversees development of the Bluetooth specification, manages the certification program, and maintains the trademark rights.
1.2 Radio layer
The lowest layer of the Bluetooth protocol stack is the radio layer. Bluetooth operates in the 2.4GHz band, an open ISM band that is available worldwide without licence fees or applications, which allows Bluetooth to be used widely. Bluetooth uses frequency hopping at a rate of 1600 hops/s. The transmitted data is divided into multiple data packets, and the packets are transmitted separately over the 79 designated Bluetooth channels. Each channel occupies 1MHz, and the band actually used by Bluetooth is 2400MHz~2483.5MHz (including the guard band). This approach makes selective interception difficult, since an attacker usually needs to know the sequence of consecutive hops.
1.3 Baseband layer
The baseband layer manages the physical link and maintains the radio-frequency connection between the units of a piconet. Each Bluetooth device has a unique 48-bit Bluetooth device address (BD_ADDR), which is divided into 3 parts: a 24-bit Lower Address Part (LAP), an 8-bit Upper Address Part (UAP) and a 16-bit Non-significant Address Part (NAP). This address can be said to be the computing core of Bluetooth technology: almost all of the control parameters needed for normal Bluetooth operation, such as keys and frequency hopping sequences, are calculated from it.
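The following sketch is an added example, not code from the original page. It splits a BD_ADDR into the three fields described above and flags LAP values in the range the Bluetooth specification reserves for inquiry access codes (0x9E8B00 to 0x9E8B3F, with 0x9E8B33 as the general inquiry code); that reserved range and the sample addresses are not from the page.

```python
import re

# LAP values reserved for inquiry access codes (not stated on the page).
RESERVED_LAPS = range(0x9E8B00, 0x9E8B40)
GIAC_LAP = 0x9E8B33  # General Inquiry Access Code

def split_bd_addr(text):
    """Split a textual BD_ADDR into NAP (16 bit), UAP (8 bit) and LAP (24 bit)."""
    digits = re.sub(r"[:\-.\s]", "", text)          # accept common separators
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit BD_ADDR: {text!r}")
    value = int(digits, 16)
    nap = value >> 32             # most significant 16 bits
    uap = (value >> 24) & 0xFF    # next 8 bits
    lap = value & 0xFFFFFF        # least significant 24 bits
    return {
        "nap": nap,
        "uap": uap,
        "lap": lap,
        # NAP and UAP together form the manufacturer's 24-bit identifier.
        "oui": f"{(nap << 8) | uap:06X}",
        "lap_reserved": lap in RESERVED_LAPS,
        "lap_is_giac": lap == GIAC_LAP,
    }

if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real device.
    for sample in ("00:11:22:AA:BB:CC", "00-11-22-9e-8b-33"):
        print(sample, split_bd_addr(sample))
```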
1.4 Packet structure
All Bluetooth data packets share a unified structure consisting of an access code, a header and a payload. A valid data packet must contain an access code, which is used for synchronization and DC offset compensation. The simplest Bluetooth packet, such as the ID packet used in the paging, inquiry and response procedures, contains only a 68-bit access code. One very important packet in Bluetooth communication is the Frequency Hopping Synchronization (FHS) packet, which contains the BD_ADDR and clock information of the Bluetooth device.
1.5 Connection establishment
Before Bluetooth data can be transferred, a connection must be established. First, the master device broadcasts an ID packet as an inquiry; at this stage, 32 broadcast channels out of the 79 Bluetooth channels are used. When a slave device receives this packet, it sends an FHS packet containing its BD_ADDR and clock information. The master device that receives the FHS packet enters the paging state, calculates a specific response time from the slave device's frequency hopping sequence, and sends an ID packet. The slave device scans for pages at regular intervals, and after receiving the ID packet from the master device it sends an ID packet in response. After the master device receives the slave device's ID packet, it sends an FHS packet to determine the frequency hopping sequence of the connection. Finally, the master and slave devices respectively send ID packets and FHS packets to verify and establish the connection.
In the piconet, all devices share the clock of the master device, with a clock cycle of 312.5 µs; two cycles make up a time slot of 625 µs. Normally, the master device transmits in even-numbered slots and the slave device transmits in odd-numbered slots.
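The channel plan from section 1.2 and the slot timing above can be combined to annotate observed transmissions. The sketch below is an added example, not code from the original page; it assumes channel 0 is centred at 2402 MHz, uses an illustrative 10 µs alignment tolerance, and runs on constructed observations.

```python
SLOT_US = 625.0        # one time slot = two 312.5 us clock cycles (from the text)
BASE_MHZ = 2402        # assumed centre frequency of channel 0
NUM_CHANNELS = 79      # number of hop channels (from the text)
TOLERANCE_US = 10.0    # assumed alignment tolerance for this example

def annotate(observations):
    """Label (start_time_us, centre_freq_mhz) pairs with slot, channel and sender.

    Times are measured from the start of slot 0 of the master clock.
    """
    rows = []
    for t_us, freq in observations:
        slot = int(t_us // SLOT_US)
        offset = t_us - slot * SLOT_US
        if SLOT_US - offset <= TOLERANCE_US:
            # Slightly early start: attribute it to the following slot.
            slot, offset = slot + 1, offset - SLOT_US
        aligned = abs(offset) <= TOLERANCE_US
        channel = freq - BASE_MHZ
        if not 0 <= channel < NUM_CHANNELS:
            channel = None                      # outside the 79 hop channels
        # Slot parity identifies the sender only for slot-aligned starts.
        sender = ("master" if slot % 2 == 0 else "slave") if aligned else None
        rows.append({"slot": slot, "offset_us": offset, "aligned": aligned,
                     "channel": channel, "sender": sender})
    return rows

# Constructed observations: (start time in microseconds, frequency in MHz).
SAMPLE = [(0.0, 2402), (627.0, 2441), (1248.0, 2480),
          (1562.5, 2450), (2500.0, 2483)]

if __name__ == "__main__":
    for row in annotate(SAMPLE):
        print(row)
```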
2. Bluetooth sniffing scheme
2.1 Difficulties in Bluetooth sniffing
The first hurdle in Bluetooth sniffing is intercepting the Bluetooth frequency hopping sequence. To obtain a complete Bluetooth data transmission, all 79 Bluetooth channels must be monitored, and the traffic must be intercepted and filtered to recover complete data packets, which requires knowing the correct frequency hopping sequence. There are two ways to obtain the sequence: one relies on powerful hardware and software equipment; the other waits for the device to re-establish the connection and obtains the sequence from the packets that establish it.
Another problem is that common Bluetooth hardware automatically filters packets based on their access code. Because this filtering happens at the hardware level, it cannot be solved by upper-layer software design and requires suitable hardware.
2.2 Bluetooth packet capture tool Wireshark
Wireshark is a widely used packet capture tool. Bluetooth protocol support has been added to Wireshark above 1.12, which means that captured Bluetooth data packets can be analyzed in Wireshark, a great convenience for sniffing work. Wireshark can also monitor the machine's own Bluetooth interface and thus the Bluetooth devices connected to the machine. Figure 1 shows Bluetooth packets captured by Wireshark while a computer and a Bluetooth headset establish a connection. Packet No. 27 is broadcast by the computer, acting as the master device, to inquire about nearby Bluetooth devices. Packets No. 28 to No. 31 are the inquiry responses from the Bluetooth headset to the computer, and the three packets other than No. 28 all contain the BD_ADDR of the headset. After that, the computer and the Bluetooth headset gradually establish a Bluetooth connection by sending data packets to each other.
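Inquiry responses like those in Figure 1 can also be pulled out of a saved host capture programmatically. The sketch below is an added example, not code from the original page or from Wireshark; it assumes the capture is a btsnoop version 1 file with H4 framing (datalink type 1002), a format the page does not mention, and it handles only Inquiry Result events that report a single device. The capture bytes are constructed inline.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_EVENT = 0x04            # H4 packet-type byte for an HCI event
EVT_INQUIRY_RESULT = 0x02  # HCI Inquiry Result event code

def read_records(blob):
    """Yield (flags, payload) for each record in a btsnoop capture."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != 1002:
        raise ValueError("expected btsnoop v1 with H4 (1002) framing")
    pos = 16
    while pos + 24 <= len(blob):
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pos += 24
        if pos + incl > len(blob):
            raise ValueError("truncated record")
        yield flags, blob[pos:pos + incl]
        pos += incl

def inquiry_addresses(blob):
    """Return BD_ADDRs from received single-response Inquiry Result events."""
    found = []
    for flags, pkt in read_records(blob):
        if not flags & 1 or len(pkt) < 3 or pkt[:2] != bytes([H4_EVENT, EVT_INQUIRY_RESULT]):
            continue  # sent by the host, too short, or a different packet
        params = pkt[3:3 + pkt[2]]
        if len(params) < 7 or params[0] != 1:
            continue  # malformed, or a multi-response event not handled here
        addr = params[1:7][::-1]  # HCI carries BD_ADDR least significant byte first
        found.append(":".join(f"{b:02X}" for b in addr))
    return found

def build_sample():
    """Constructed capture: one Inquiry command and one Inquiry Result event."""
    def rec(flags, data):
        return struct.pack(">IIIIq", len(data), len(data), flags, 0, 0) + data
    inquiry_cmd = bytes([0x01, 0x01, 0x04, 0x05, 0x33, 0x8B, 0x9E, 0x08, 0x00])
    result_evt = bytes([0x04, 0x02, 0x0F, 0x01,
                        0xCC, 0xBB, 0xAA, 0x22, 0x11, 0x00,   # BD_ADDR, LSB first
                        0x01, 0x00, 0x00, 0x0C, 0x02, 0x5A, 0x00, 0x00])
    return BTSNOOP_MAGIC + struct.pack(">II", 1, 1002) + rec(2, inquiry_cmd) + rec(3, result_evt)
```

Calling `inquiry_addresses(build_sample())` returns the one constructed address, `00:11:22:AA:BB:CC`.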
2.3 Bluetooth wireless development platform Ubertooth
Ubertooth One is a hardware device for Bluetooth research designed and provided by the Ubertooth project team. Ubertooth is an open source 2.4GHz wireless development platform for Bluetooth monitoring. Ubertooth One connects to the computer through a USB interface.
Real-time Bluetooth spectrum information can be observed visually with the SpecanUI tool, as shown in Figure 2. During the observation in Figure 2, a Bluetooth headset was connected to a mobile phone.
Active wireless signals are mainly concentrated between 2403MHz and 2446MHz, which means that the data transmission between the mobile phone and the Bluetooth headset is mainly concentrated on these channels. In addition, 2402MHz, 2426MHz, and 2480MHz are fixed broadcast channels, used to send broadcast data between unconnected devices, establish connections and discover remote devices. These 3 channels also show obvious characteristics in the frequency spectrum.
Ubertooth One also supports functions such as selecting the channel to monitor and capturing Bluetooth data packets. The captured Bluetooth packets can be analyzed with software such as Wireshark. Sending Bluetooth data packets through Ubertooth One is currently not possible, which means that Ubertooth One cannot be used to inject Bluetooth data packets.
3. Conclusion
There are still many difficulties in implementing a Bluetooth sniffing scheme. On the other hand, this high threshold has also put an end to the attempts of a large number of criminals to use Bluetooth to steal citizens' information. However, software that communicates via Bluetooth, such as FireChat, is often used in illegal and criminal activities, which has seriously endangered public safety. In-depth research on Bluetooth technology and active research on Bluetooth sniffing solutions can not only solve current problems, but also prepare for future Bluetooth security issues.
The above is the Bluetooth sniffing solution technology introduced by Shenzhen Zuchuang Microelectronics Co., Ltd. for you.