BT Audit

Sep 2004

2 mins read

The Bluetooth architecture consists out of two main protocols, L2CAP and RFCOMM which is layered on top of L2CAP. Since these protocols utilize ports (as they are named in the popular TCP/IP UDP/IP architecture). It makes sense to have the ability to scan these in order to find so called open ports and possible vulnerable applications bound to them.

BT Audit provides applications to scan the L2CAP PSMs (Protocol Service Multiplexers) and the RFCOMM Channels.


Lately (since 2003) some Bluetooth related security problems were found. The BlueBug problem discovered by Martin Herfurt was using a forgotten RFCOMM Channel. This channel was not listed thru a SDP (Service Discovery Protocol) browse. This fact instantly raised the possibility of more forgotten (or developer) backdoors.


L2CAP PSMs are numbered from 1,3,5,7 to 65535 these leaves us with about 32k PSMs to scan.

RFCOMM Channels are numbered from 1,2,3 to 30.


BT Audit is divided into two separate tools. One dedicated to each protocol. PSM_SCAN and RFCOMM_SCAN for PSM and RFOMM Channel scanning.

In general the scanners just report if a PSM/Channel is open or closed. Also BT Audit DOESN’T reconfigure the HCI device that is used for scanning. This means that the current system configuration is being taken into account when scanning!

Both scanners allow selection of the port range that should be scanned. PSM_SCAN further supports scanning using RAW sockets for gathering a little more information about the state of the PSM. Non current kernels need to be patched in order to use this feature.

Future Work

RFCOMM scanning should include some kind of RAW socket scanning, to increase the information gathering possibilities.

Connections to certain PSMs/Channel invoke the link-level security-features on some devices. This invocation should be noticed by the scanners. This of course includes the detection of the level of security that gets invoked.


BT Audit

Please check the Bluetooth Device Security Database and see if your device is listed here. If not please follow the guide lines and create a device information file for your device and send it to: btdsd(AT)

Bluetooth Device Security Database


In case of any questions/suggestion ask Collin Mulliner

Sharing is caring!