3 mins read
The long-distance-snarf is an experiment that took place in the early morning of 4th August 2004 at the Santa Monica Pier in California. Five people (John Hering, James Burgess, Kevin Mahaffey, Mike Outmesguine and Martin Herfurt) made it out of their beds and met a crew of the TV station G4TechTV.
After doing interviews, we finally did the experiment. Therefore, Mike a G4TechTV Crew member with a camera and Martin went up to an elevated place wich was exactly 1.08 miles (1,78 km) away from the Santa Monica Pier. John, James and Kevin stood at parking lot of the Pier and prepared the equipment used for the experiment.
In the experiment itself the attacker-team was aiming the antenna at our elevated location. The reason we had to be elevated has to do with the Fresnel Zone that has to be taken into account when dealing with directional radio signals. For ideal results, the radio signal has to fatten out on the way to its destination.
After a little trouble finding the phone device over the high distance, the unbelievable happened. The display of the Nokia phone that Mike held with his outstreched arm showed the typical things that are displayed when a BlueBug attack takes place. First a text saying “Connected to …” appears and then a small headset symbol is displayed. This has been a real eye-opener. Bluetooth Class 2 radios that are used in mobile phones have a typical range of 10 meters. This experiment shows that it is possible to connect to such a class 2 device from about 170 times the range than specified.
What could have been done over this huge distance was a a full BlueBug attack including the reading of the phonebooks and the sending of an SMS.
Of course this world-record setting attack makes it even clearer how much of a risk the BlueBug attack could be to owners of vulnerable phones.
The equipment used fot this experiment was the following:
A Dell Laptop running Slackware Linux 9.1 and the Bluez libraries and utilities version 2.9
A modified Linksys Bluetooth USB adaptor with external antenna connector
A high gain (19dbi) panel antenna (most likely of the type Short Backfire)
An unmodified Nokia 6310i phone
Welcome To Long Distance Bluesnarfing - LOOSE wire [en]
Austrian researcher Bluesnarfs at 1.08 miles - engadget [en]
Bluetooth Researchers Keep Breaking Records - theunofficialbluetoothweblog [en]
Three things to scare you - REDHERRING [en]
Wi-Fi Shootout in the Desert - esato [en]
Security Cavities Ail Bluetooth - Wired News [en]
Bluetooth Range Record [en]
… more english citations
Bluetooth-Attacken auf Handys aus fast 2 km Entfernung - golem [de]
Bluetooth-Angriffe auf große Distanz - futurezone [de]
Bluetooth-Angriffe aus großer Entfernung - heise [de]
… more german citations
If you have questions concerning the Long-Distance-Snarf experiment, feel free to ask Martin Herfurt.
Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues.