[Bt] Getting the Bluetooth clock

Dominic Spill dominicgs at gmail.com
Tue May 20 13:02:59 BST 2008

As some of you will remember the paper that Andrea and I wrote last
year showed a way to get 4 bytes of the bluetooth address(MAC) from a
sniffed packet or two, but in order to follow the hopping pattern and
sniff all packets the attacker needs the clock value of the master
bluetooth device.

I've been looking at this problem of getting the clock value from
sniffed packets, I haven't had chance to test this yet (I need to
borrow a USRP), but I'd like to see if anyone on the list has any
comments about the following method.

The USRP can only sniff on one channel, so if we sniff on this
frequency we can pick up a number of packets at various intervals.  To
generate the entire hopping pattern for a given MAC (we only need the
lower 4 bytes for this) takes  <1 min on my average desktop.  Taking
into account only the transmissions on the channel we are sniffing we
can build a table of possible clock values for the packets that we

Each packet is whitened using 6 bits of the clock value, this is
recovered when finding the MAC, so we can filter our table of clock
values based on this.  As more packets are received the search space
can be narrowed until the correct clock value is known.  In my VERY
simplified test run on the sample data from the spec this took less
than 10 packets, assuming that every packet is received.

The method could probably work with fewer packets if the USRP was used
to sniff packets on multiple adjacent channels.

Any thoughts? comments? blatant flaws in my logic?
Let me know, I'll test it and write it up fully if it works.


More information about the Bt mailing list