Tbear - Bluetooth Environment Auditing
T-BEAR is a developing suite of applications designed to improve (or rather, "audit") the security of Bluetooth environments. By environment, we mean anything from a home PAN to your PDA or cell phone. The suite currently consists of the following utilities, all of which are either included in this package or are under development.
* tbear: A graphical BT device locator. 'tbear -h' for options. If you find that you're missing devices during a scan, try adjusting the SLEEPTIME and BT_TIMEOUT values in tbear.h. I suggest leaving the defines at default unless you have obvious problems.
* tbsniff: A bluetooth 'sniffer' for use with gnuradio and the USRP. Captures BT data to a file. You can then sort through the data however you want; I provide btkbsniff, btvsniff, and chansniff to help out.
* btbscansniff: Prints page scan and inquiry scan data from the output of btsniff.
* tbkbsniff: Reads data from a btsniff capture file and recreates the key sequences sent by Bluetooth-enabled keyboards. For encrypted traffic, decode options are available.
* tbvsniff: Designed to monitor voice data from BT headsets. Decode options are available.
* tbcrackpin: Attempts to crack a PIN associated with encrypted BT data.
* tbsearch: A BT hidden (non-discoverable) device locator, kind of like Redfang. Redfang 2.5 implements the features I've put into tbsearch, and then some; it is without a doubt better quality than tbsearch. The direction I'd like tbsearch to take is towards faster, more efficient device location methods, since current implementations (including Redfang) by their nature can take *forever* to find a device. To use tbsearch, you'll need thread support built into your system (recent glibc with threads). Simply run tbsearch with a list of the hci devices you wish to use on the command line. For instance:
'./tbsearch hci0 hci1 hci3'.
To enhance performance with your particular hardware, you may want to adjust the timeout value in tbsearch.c. Thanks to Redfang 2.5 and BluePrint for adding to my BT OUI database. Note that I also add entries to btoui from devices seen in the wild, so an entry's name may be misleading (e.g. I put 'Samsung' instead of the chipset maker). Help me out by sending in corrections and additions.
* tanya: L2CAP BT DoS. You may need to play with the defines in the source. It disables the BT stack on my HP iPAQ until the iPAQ is reset... I'm not sure how it affects other devices. Experiment! Tune some defines and try things out. Tanya works by simply throwing fairly large L2CAP packets at a device as fast as it can; there is no new technique here. If you can crash a device with l2ping flooding but not with tanya, try playing with the packet length (-s command line option).
Note that to use the GNU Radio / USRP tools, you need to have GNU Radio and the USRP hardware installed. The USRP will cost you hundreds of dollars... is it worth it? Probably not.