This video explains how Bluetooth works.
- [Narrator] For a period around 2008 Bluetooth became a topic of keen interest to security researchers, due to a weakness which enabled information to be silently soaked out of mobile phones across their Bluetooth channel. This has subsequently been fixed. But interest continues in this form of close-in communication. The Bluetooth protocol works in the 2.4GHz frequency band, which is also used by Wi-Fi and Zigbee systems, and is defined by the IEEE standard 802.15.1.
Bluetooth networks are known as piconets, and will often consist of just one master and one slave device. They can, however, be configured to have multiple slaves, up to seven, although in this case slaves can only talk to their master node, not to each other. A Bluetooth device is identified by its Bluetooth device address, which is 48 bits or 6 bytes. It's normally presented as six two-digit hexadecimal pairs separated by colons. The top three pairs are the Organisationally Unique Identifier, or OUI, which is fixed for a manufacturer.
Bluetooth devices also have friendly names, such as "Nokia" or "My iPhone". Bluetooth devices are known as class one devices if they're capable of interactions of up to a hundred meters, class two devices if they can operate up to 10 meters, and class three devices which operate at 10 centimeters or less. Data can be transferred between Bluetooth devices as a real-time stream or as files. Real-time data includes streaming audio and video, telephony, and so on.
File transfers are more usually to, from, or between laptops. To connect, the slave and master must identify each other and then form a pair. Identifying a Bluetooth device involves scanning, known in Bluetooth terminology as an inquiry. One device will send out an inquiry request, and any active devices will respond with their address, name, and other information. Bluetooth devices may automatically bond without user interaction, usually when they've previously been connected.
For example, when you get into your car, your mobile phone may pair automatically with the car's Bluetooth system. Pairing of mobiles and laptops may require user intervention, involving each participant confirming a six-digit number which is displayed. Bluetooth devices are defined by what is known as their operating profile, and for two devices to interoperate, they must share a common operating profile. For example, to replace a serial interface cable between two computers, the devices would operate a Serial Port Profile.
For devices which relay human interaction, such as a keyboard and mouse, or a gaming handset, the devices would operate a Human Interface Device, or HID, profile. Hands-free headsets operate a Hands-Free Profile, or HFP. Audio transmissions operate in the Advanced Audio Distribution Profile, or A2DP. And remote controllers use the Audio/Video Remote Control Profile, or AVRCP. Each of these profiles operates in a way most suited to the communication traffic characteristics.
The Service Discovery Protocol allows Bluetooth devices to identify the services offered by other devices, in particular the profiles offered. SDP offers direct support for searching for specific SSIDs and for browsing services. The implementation of the Bluetooth stack involves the Bluetooth hardware device and its associated host controller interface driver. The interface allows software in the device to talk to the Bluetooth hardware.
Below the interface, there are three basic transport layers: USB, RS232 serial interface, and UART serial interface transport. The bottom layer of the software stack is a radio, on top of which is a baseband controller, which manages the frequency hopping and channels. This connects through the host controller interface driver to the link manager and its Logical Link Control and Adaptation Protocol, or L2CAP, which control the set-up and pull-down of Bluetooth sessions.
The baseband layer can also connect directly through to application-level audio. Above the Logical Link Control and Adaptation Protocol is the data in the form of TCP, HCI, or RFCOMM protocols, which then feed into applications. In addition, applications can receive control messages from the link manager. RFCOMM is a cable replacement protocol which provides a virtual serial stream, and we'll be seeing more of this shortly.
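The narration above describes the 48-bit device address (with the OUI in the top three octets) and the inquiry scan that returns each device's address and other information. The following Python is an added example, not code from the course or from BlueZ: it validates and decodes a Bluetooth device address into the fields the specification names (NAP, UAP, LAP, with NAP+UAP forming the OUI), and parses a constructed block of text laid out like the output of the BlueZ `hcitool inq` command (address, clock offset, 24-bit Class of Device) to decode the major device class that an inquiry response carries alongside the address. The sample lines are constructed, not captured from real hardware, and the address values in them are illustrative.

```python
"""Decode Bluetooth device addresses and inquiry-scan results.

Added example (not part of the course transcript). SAMPLE_INQ below is a
constructed string formatted like BlueZ `hcitool inq` output; it was not
captured from real devices.
"""
import re

# Constructed sample, one device per line: BD_ADDR, clock offset, Class of Device.
SAMPLE_INQ = """\
Inquiring ...
\t00:1A:7D:DA:71:13\tclock offset: 0x2a1b\tclass: 0x5a020c
\t00:11:22:33:44:55\tclock offset: 0x1e7f\tclass: 0x240404
\t0C:FC:83:AB:CD:EF\tclock offset: 0x0a0a\tclass: 0x002540
"""

# Six two-digit hex pairs separated by colons (48 bits).
BDADDR_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})$")
INQ_LINE_RE = re.compile(
    r"^\s*([0-9A-Fa-f:]{17})\s+clock offset:\s*(0x[0-9A-Fa-f]+)\s+class:\s*(0x[0-9A-Fa-f]+)\s*$"
)

# Major device class values from the Bluetooth Assigned Numbers (bits 8-12 of CoD).
MAJOR_DEVICE_CLASS = {
    0x00: "miscellaneous",
    0x01: "computer",
    0x02: "phone",
    0x03: "LAN/network access point",
    0x04: "audio/video",
    0x05: "peripheral",
    0x06: "imaging",
    0x07: "wearable",
    0x08: "toy",
    0x09: "health",
    0x1F: "uncategorized",
}


def parse_bdaddr(text):
    """Validate a BD_ADDR and split it into NAP (16 bits), UAP (8) and LAP (24).

    The top three octets (NAP + UAP) are the manufacturer's OUI.
    Raises ValueError for anything that is not six colon-separated hex pairs.
    """
    m = BDADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Bluetooth device address: {text!r}")
    octets = bytes.fromhex(m.group(1).replace(":", ""))
    return {
        "bdaddr": ":".join(f"{b:02X}" for b in octets),
        "oui": ":".join(f"{b:02X}" for b in octets[:3]),
        "nap": int.from_bytes(octets[0:2], "big"),
        "uap": octets[2],
        "lap": int.from_bytes(octets[3:6], "big"),
    }


def decode_class(cod):
    """Decode a 24-bit Class of Device: bits 2-7 minor, 8-12 major, 13-23 service classes."""
    major = (cod >> 8) & 0x1F
    return {
        "major": MAJOR_DEVICE_CLASS.get(major, f"reserved(0x{major:02x})"),
        "major_code": major,
        "minor_code": (cod >> 2) & 0x3F,
        "service_bits": (cod >> 13) & 0x7FF,
    }


def parse_inquiry(output):
    """Turn inquiry-scan text into a list of decoded device records; skips non-device lines."""
    devices = []
    for line in output.splitlines():
        m = INQ_LINE_RE.match(line)
        if not m:
            continue
        addr, clock, cod = m.groups()
        entry = parse_bdaddr(addr)
        entry["clock_offset"] = int(clock, 16)
        entry["class"] = decode_class(int(cod, 16))
        devices.append(entry)
    return devices


if __name__ == "__main__":
    for dev in parse_inquiry(SAMPLE_INQ):
        print(f"{dev['bdaddr']}  OUI {dev['oui']}  LAP 0x{dev['lap']:06X}  {dev['class']['major']}")
```

The address regex deliberately rejects anything that is not exactly six hex pairs, so a truncated or mistyped address from a scan log raises rather than being silently mis-split; the OUI lookup itself (mapping the top three octets to a vendor name) needs the IEEE registry and is left out so the script runs offline.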
Note: This course is part of our test prep series for the Certified Ethical Hacker exam. Review the complete exam objectives at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.