Blackhat 2006: 'Bluebag' detects Bluetooth devices within 200 meters

Las Vegas (NV) - A pair of Italian hackers has created the lazy man's Bluetooth scanner by cramming eight Bluetooth dongles and a miniature computer into a rolling luggage case. While Bluetooth scanning has been around for a few years, the "BlueBag" case uses an extra omnidirectional antenna to prescan the area. The pair says the Bluebag can detect devices up to 200 meters (about 600 feet) away and can run for up to 10 hours without power.

Claudio Merloni and Luca Carettoni said they built the BlueBag because they wanted to raise awareness about Bluetooth vulnerabilties. The pair was dissatisfied with traditional Bluetooth scanning which required walking around with a laptop. "You can't walk around a shopping mall or an airport with a laptop," said Merloni during his talk at the Blackhat security conference in Las Vegas.

The hardware was assembled in about one day, but Merloni and Carettoni said the software and reliability testing took much longer. Inside the hard-shell case is a Via Mini-ITX motherboard, an 1.8" hard drive taken from an Ipod, and nine Bluetooth dongles. One of the dongles is connected to an omni-directional 5 db antenna.

The entire rig is autonomously powered with a 26 amp-hour lead-acid battery, which according to Merloni lasts up to 10 hours. The pair hacked together their own power converter/regulator and even converted the luggage key socket into the on/off switch. They can covertly insert and turn a key to turn the computer off and on.

Gentoo Linux version 2.6 with the BlueZ Bluetooth drivers was installed on the hard drive and custom Python scanning scripts were written. The Bluebag can be controlled wirelessly through a web browser from a PDA or full-sized laptop. While this is similar to other Bluetooth scanning projects, the BlueBag can gain more information about devices by "prescanning".

The omni-directional antenna constantly scans the area and detects the presence of Bluetooth devices. This information is then offloaded to the other eight antennas that are now ready to gain more detailed information as the device gets into closer range.

Merloni said that the Bluebag could be modified to send keyloggers, sniffers and worms, but he hasn't actually tried it yet. He adds that the rig does have a "stupid test" which sees if people will accept an anonymous Bluetooth transfer. These transfer requests show up as dialog boxes on the victim's phone or device and Merloni is "amazed" at how many people actually accept the transfers. Up to 70% of people accepted the anonymous transfers.

In initial tests, the Bluebag detected 1405 unique devices in less than 24 hours of scanning in shopping malls, train stations and airports. They say 93% of the detected devices were mobile phones and 3% were computers. PDAs and GPS devices came in at 2% and 1%, respectively.

One problem with the Bluebag is that it can knock out wireless networks when it's turned on. Bluetooth shares the same frequency band as many computer wireless networks and Merloni said, "It destroys all wireless networks in the area."