BlueDumping is the act of causing a Bluetooth device to
'dump' its stored link key, thereby creating an opportunity for
key-exchange sniffing to take place. The attacks on link keys and
PINs were first publicised by Ollie Whitehouse at CanSecWest, where
he described a method by which the PIN and link keys can be obtained
if a pairing event can be witnessed with a Bluetooth sniffer. More
recently, Shaked and Wool have proposed a method by which the key
attack can be enhanced, bringing it to near real-time, as well as
a method for forcing the key exchange to take place at a time of
the attacker's choosing.
In order to perform a BlueDump attack, the attacker needs to know
the BDADDR of a set of paired devices. The attacker
spoofs the address of one of the devices and connects to the other.
Since the attacker has no link key, when the target device requests
authentication, the attacker's device will respond with an 'HCI_Link_Key_Request_Negative_Reply',
which will, in some cases, cause the target device to delete
its own link key and go into pairing mode.
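The device-side behaviour that makes the attack work, modelled as an added example (not code from the original page or from any Bluetooth stack): a peer presenting a paired BDADDR fails authentication because it holds no link key, and the two policies below show the vulnerable response (discard the stored key and re-enter pairing mode) beside a hardened one (keep the key, stay out of pairing mode, raise an alert). The BDADDR value and key bytes are constructed for the example.

```python
"""Model of link-key handling when authentication with a paired BDADDR
fails, as happens in a BlueDump attempt. Constructed model, not code
from any Bluetooth stack or from the original page."""
from dataclasses import dataclass, field

# Constructed sample: one paired peer with a (fake) 16-byte link key.
PAIRED_BDADDR = "00:11:22:33:44:55"
PAIRED_KEY = bytes(range(16))


@dataclass
class Device:
    link_keys: dict                      # BDADDR -> stored link key
    pairing_mode: bool = False
    alerts: list = field(default_factory=list)


def auth_failed_vulnerable(dev, bdaddr):
    """Behaviour the text describes for some devices: the peer's negative
    reply to the link-key request makes the device discard its own key
    and re-pair, so a fresh key exchange happens where a sniffer can see it."""
    dev.link_keys.pop(bdaddr, None)
    dev.pairing_mode = True


def auth_failed_hardened(dev, bdaddr):
    """Hardened policy: a genuinely paired peer would still hold the key,
    so an authentication failure from a paired BDADDR is either a reset
    peer (re-pair only after explicit user action) or a spoofed address.
    Keep the stored key, stay out of pairing mode and record an alert."""
    if bdaddr in dev.link_keys:
        dev.alerts.append(
            f"auth failure from paired address {bdaddr}: possible key dump / spoof")
    dev.pairing_mode = False


def simulate(policy):
    """Run one failed authentication from the paired address under `policy`.
    Returns (key_still_stored, pairing_mode_entered, alert_count)."""
    dev = Device(link_keys={PAIRED_BDADDR: PAIRED_KEY})
    policy(dev, PAIRED_BDADDR)            # peer cannot answer the challenge
    return (PAIRED_BDADDR in dev.link_keys, dev.pairing_mode, len(dev.alerts))


if __name__ == "__main__":
    print("vulnerable:", simulate(auth_failed_vulnerable))  # (False, True, 0)
    print("hardened:  ", simulate(auth_failed_hardened))    # (True, False, 1)
```

The hardened policy is the check a defender wants in the device: a failed authentication from an already-paired address should never, on its own, erase the key or open a new pairing window.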
For questions about the BlueDump attack, feel free to ask Adam
Laurie, Marcel Holtmann
or Martin Herfurt.