The Bluetooth architecture consists out of two main protocols, L2CAP
and RFCOMM which is layered on top of L2CAP. Since these protocols utilize
ports (as they are named in the popular TCP/IP UDP/IP architecture). It
makes sense to have the ability to scan these in order to find so called
open ports and possible vulnerable applications bound to them.
BT Audit provides applications to scan the L2CAP PSMs (Protocol Service
Multiplexers) and the RFCOMM Channels.
Lately (since 2003) some Bluetooth related security problems were found.
The BlueBug problem discovered by Martin Herfurt was using
a forgotten RFCOMM Channel. This channel was not listed thru a SDP
(Service Discovery Protocol) browse. This fact instantly raised the
possibility of more forgotten (or developer) backdoors.
L2CAP PSMs are numbered from 1,3,5,7 to 65535 these leaves us with about 32k PSMs
RFCOMM Channels are numbered from 1,2,3 to 30.
BT Audit is divided into two separate tools. One dedicated to each protocol.
PSM_SCAN and RFCOMM_SCAN for PSM and RFOMM Channel scanning.
In general the scanners just report if a PSM/Channel is open or closed. Also
BT Audit DOESN'T reconfigure the HCI device that is used for scanning. This
means that the current system configuration is being taken into account
Both scanners allow selection of the port range that should be scanned.
PSM_SCAN further supports scanning using RAW sockets for gathering
a little more information about the state of the PSM. Non current kernels
need to be patched in order to use this feature.
RFCOMM scanning should include some kind of RAW socket scanning, to increase
the information gathering possibilities.
Connections to certain PSMs/Channel invoke the link-level security-features
on some devices. This invocation should be noticed by the scanners. This
of course includes the detection of the level of security that gets invoked.
Please check the Bluetooth Device Security Database
and see if your device is listed here. If not please follow the guide lines and create a device
information file for your device and send it to: btdsd(AT)betaversion.net
Bluetooth Device Security Database
In case of any questions/suggestion ask Collin Mulliner