I would like to thank everyone who has been sending me feedback on my presentation that I posted the other day. I have gotten some great suggestions which I plan to add to future revisions:
- A listener pointed out that the Redfang tool can be used to brute force the bluetooth address (MAC) to find non-discoverable devices
- tbsearch can also be used to do the same, and the authors of this tool appear to be working on a bluetooth sniffer based on gnuradio. (Thanks Nelson!)
- GNUradio is interesting, touting itself as "GNU Radio is a collection of software that when combined with minimal hardware, allows the construction of radios where the actual waveforms transmitted and received are defined by software.". Hmmm, sounds like when combined with USRP it could be used for wireless research (Wimax? EVDO? Bluetooth?) They are all just radios...
- Another listener pointed out that there are vulnerabilities in certain wireless chipset implementations that allow an attacker to dumb-down the connection from WEP to open. You can find more information here at the www.wirelessve.org site. (Thanks Christopher!)
- Christopher has also built a tool to help people audit mis-configured clients. You can find a copy here. The description reads "ThinkSECURE's Probemapper is a tool which detects probe requests from 802.11-enabled laptops with wireless client profiles and displays their encryption and capability information."
I truly believe that I will be able to continue to give modified versions of this presentation for quite some time. I think we are just starting to see wireless technologies such as bluetooth, wimax, EVDO, and RFID make their way into the hacking radar. Of course, I also believe that the recent vulnerabilities found in wireless drivers are going to blow the lid off traditional 802.11 hacking.