Are we safe from phone-to-phone-spreading BlueBorne malware horror case?
While reading through the technical whitepaper of the BlueBorne attacks I’ve noted that it is required for the attacker to know my Bluetooth MAC address.
They claim it should be really easy to obtain it by using one of the following techniques:
- Sniff Wifi traffic and get the unencrypted MAC from the raw wifi frames (for example by using this device)
- Sniff Bluetooth traffic, for example while I use it with headphones (for example by using the mentioned Ubertooth)
Both of these things are easy to do as long as you have the special hardware.
However, if one infects my phone and wants it to infect a third device, how can my phone sniff the required MAC address of the third device?
Most phones have no special sniffing hardware, neither for Bluetooth[1] nor Wifi[2], so it is hard to get the third device’s MAC, which is required for the attack. The only way I can think of getting MACs would be to guess/brute-force them?
So, are we then “safe” from phone-to-phone-spreading malware horror case?
[1] “Since the “Monitor Mode” of Bluetooth is very limited in tools widely accessible for researchers, […]” http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper-1.pdf
[2] “It is not possible to capture from the internal Wi-Fi interface on Android without running a custom firmware and gaining root access.” https://www.kismetwireless.net/android-pcap/