Blueprinting is a method to remotely find out details about bluetooth-enabled
devices. Blueprinting can be used for generating statistics
about manufacturers and models and to find out whether there are
devices in range that have issues with Bluetooth security. (read
more about bluetooth security issues here)
Every bluetooth-enabled device has some characteristics that are
either unique (Bluetooth device address), maufacturer specific
(the first part of the bluetooth device address) or model-specific
(service description records). Blueprinting is combining the different
information that Bluetooth-enabled devices reveal in order to determine
the manufacturer as well as the model of the device. Upon different
characteristics it is also possible to tell about the respective
firmware version that runs on certain devices.
Bluetooth Device Address
As mentioned above the bluetooth device address is unique and
globally refers to one single device. This address consists out
of 6 bytes (usually notated like MAC addresses MM:MM:MM:XX:XX:XX).
This address can also be understood as hardware address that is
hard-coded in the chipset of the device. The first three bytes
of this address (the M-bytes in the above notation sample) are
referring to the manufacturer of the chipset. This way, it is fairly
easy to tell about the device manufacturer of devices. @stake's
redfang tool does this. Unfortunately, it is not possible to
tell upon the number range of the address part of the device address
(the X-bytes in the above notation sample) which model it is. Our
first assumption was that address sequences are assigned to device-models.
Therefore, we decided to take information from the service discovery
protocol into account.
Service Discovery Protocol Records
Every Bluetooth-enabled device that offers services to other Bluetooth-enabled
devices does announce these services via the service discovery protocol
(SDP). So, remote devices can query devices upon the offered capabilities.
SDP records are returned to the querying
device and hold information on how to access the respective service.
Our method now hashes certain values out of the records and calculates
a fingerprint value that then is used in order to refer to the
redfang tool - a tool that does manufacturer determination
Initial release at the 21C3 in December 2004.
Latest version is from December 2005.
The Blueprinting project is done by Collin
Mulliner and Martin
Herfurt. In case of questions do not hesitate to contact