Blueprinting

Sep 2004

3 mins read

bluetooth classic instructions method paper

Blueprinting is a method to remotely find out details about bluetooth-enabled devices. Blueprinting can be used for generating statistics about manufacturers and models and to find out whether there are devices in range that have issues with Bluetooth security. (read more about bluetooth security issues here)

Method

Every bluetooth-enabled device has some characteristics that are either unique (Bluetooth device address), maufacturer specific (the first part of the bluetooth device address) or model-specific (service description records). Blueprinting is combining the different information that Bluetooth-enabled devices reveal in order to determine the manufacturer as well as the model of the device. Upon different characteristics it is also possible to tell about the respective firmware version that runs on certain devices.

Bluetooth Device Address

As mentioned above the bluetooth device address is unique and globally refers to one single device. This address consists out of 6 bytes (usually notated like MAC addresses MM:MM:MM:XX:XX:XX). This address can also be understood as hardware address that is hard-coded in the chipset of the device. The first three bytes of this address (the M-bytes in the above notation sample) are referring to the manufacturer of the chipset. This way, it is fairly easy to tell about the device manufacturer of devices. @stake’s redfang tool does this. Unfortunately, it is not possible to tell upon the number range of the address part of the device address (the X-bytes in the above notation sample) which model it is. Our first assumption was that address sequences are assigned to device-models. Therefore, we decided to take information from the service discovery protocol into account.

Service Discovery Protocol Records

Every Bluetooth-enabled device that offers services to other Bluetooth-enabled devices does announce these services via the service discovery protocol (SDP). So, remote devices can query devices upon the offered capabilities. SDP records are returned to the querying device and hold information on how to access the respective service. Our method now hashes certain values out of the records and calculates a fingerprint value that then is used in order to refer to the respective model.

Links

@stake’s redfang tool - a tool that does manufacturer determination

Downloads

Initial release at the 21C3 in December 2004.

Latest version is from December 2005.

Blueprint (V. 0.1-3) - a perl tool to identify Bluetooth devices
by Collin Mulliner and Martin Herfurt
this version recognizes about 53 different devices

Blueprinting - Remote Device Identification based on Bluetooth Fingerprinting Techniques [english]
by Collin Mulliner and Martin Herfurt
published in December 2004 at the 21st Chaos Communication Congress (21C3) in Berlin
more information on the Blueprinting project page

People involved

The Blueprinting project is done by Collin Mulliner and Martin Herfurt. In case of questions do not hesitate to contact us.

Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues.

Collin Mulliner joined the trifinite.group as the first member in September 2004. He holds a Bachelor of Science in Computer Science degree from Fachhochschule Darmstadt (Germany). As of September 2004 he is into a Masters program at the University of California Santa Barbara.