BlueDump

BlueDumping is the act of causing a Bluetooth device to 'dump' it's stored link key, thereby creating an opportunity for key-exchange sniffing to take place. The attacks on link keys and PINs were first publicised by Ollie Whitehouse, at CanSecWest, in which he describes a method by which the PIN and link-keys can be obtained if a pairing event can be witnessed with a Bluetooth sniffer. More recently, Shaked and Wool have proposed a method by which the key attack can be enhanced, bringing it to near-realtime, as well as a method for forcing the key-exchange to take place at a time of the attacker's choosing.

Method

In order to perfom a BlueDump attack, the attacker needs to know the BDADDR of a set of paired devices. The attacker spoofs the address of one of the devices and connects to the other. Since the attacker has no link key, when the target device requests authentication, the attacker's device will respond with an 'HCI_Link_Key_Request_Negative_Reply', which will, in some cases, cause the target device to delete it's own link key and go into pairing mode.

People Involved

For questions about the BlueDump attack, feel free to ask Adam Laurie, Marcel Holtmann or Martin Herfurt.