Abstract: Bluetooth is one of the most prevalent technologies for short-range wireless communication, and its widespread commercial use in smartphones, security applications, and medical devices makes it a prime target for penetration testers and security researchers. The Bluetooth protocol is used in many low-cost devices to implement wireless data transmission. We begin by framing Bluetooth as two distinct protocols: Bluetooth Classic (BTC) and Bluetooth Low Energy (BLE). We evaluate currently available Bluetooth penetration testing tools, including Bluelog, BTscanner, Redfang, Spooftooph, BlueRanger, Bluesnarfer, BlueMaho, Bluepot, Ubertooth, Crackle, BTLEJuice, Gattacker, and Blue Hydra, for both BTC and BLE. The survey shows that these tools have a limited range of capabilities and that most are compatible with only one of the two protocols. This finding motivates the development of BlueFinder, an open-source range-finding tool compatible with both BTC and BLE devices. We evaluate BlueFinder in both line-of-sight (LOS) and beyond-line-of-sight (BLOS) environments to develop a distance estimation technique based on the log-distance path loss model. The model parameters are chosen by minimizing the mean absolute percentage error (MAPE). Data is collected by measuring the received signal strength (RSS) of incoming packets at known distances and recording the values for later statistical evaluation. The model's distance estimate is a function of three parameters: the reference distance, the RSS, and the path loss exponent. A calibration run uses experimental measurements and iterative simulation to produce the parameter values. Initial experiments show that statistically meaningful results are not achieved from raw per-packet RSS alone, so we use mean RSS, which yields a fit with less than 20% MAPE at distances of up to 1,000 meters.
The model is validated against a BTC electrocardiogram machine and a BLE wearable heart rate monitor in a warwalking scenario. A comparison between BlueFinder and Blue Hydra shows that our model provides a significant improvement at distances greater than 50 meters.
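The calibration and estimation procedure described above, as an added worked example that is not the paper's BlueFinder code: the log-distance path loss model is inverted to turn an RSS reading into a distance, the path loss exponent is chosen by minimizing MAPE over a calibration set, and the result of estimating from raw per-packet RSS is compared with estimating from the mean RSS. The calibration samples are constructed for this example (they are not measurements from the paper), the reference RSS is taken as the mean RSS at the closest calibration point, and the exponent is fitted by a plain grid search, which is an assumption standing in for whatever iterative procedure the paper used.

```python
"""Log-distance path loss ranging: calibrate on mean RSS, then estimate distance.

Added example, not code from the paper. Model used throughout:
    RSS(d) = RSS(d0) - 10 * n * log10(d / d0)
so that a measured RSS inverts to
    d = d0 * 10 ** ((RSS(d0) - RSS) / (10 * n))
"""
import math
from statistics import mean

# Constructed calibration set (not from the paper): distance in metres ->
# raw per-packet RSS samples in dBm from one transmitter at that distance.
# Values were chosen to scatter a few dB around a path loss exponent near 2.2.
CALIBRATION = {
    1:   [-40, -43, -37, -41, -39],
    5:   [-55, -60, -51, -58, -53],
    10:  [-62, -70, -57, -66, -55],
    20:  [-69, -75, -63, -72, -64],
    50:  [-78, -85, -72, -81, -76],
    100: [-84, -92, -77, -88, -79],
}
D0 = 1  # reference distance in metres: the closest calibration point (assumption)


def estimate_distance(rss, d0, rss0, n):
    """Invert the log-distance model for one RSS reading (dBm)."""
    return d0 * 10 ** ((rss0 - rss) / (10 * n))


def mape(pairs):
    """Mean absolute percentage error over (true_distance, estimate) pairs."""
    return 100 * mean(abs(true - est) / true for true, est in pairs)


def calibrate(calib, d0, n_grid=None):
    """Return (rss0, n, mape) with n the exponent minimising MAPE of mean-RSS estimates.

    rss0 is the mean RSS at the reference distance; n is searched on a grid
    (assumed procedure) because MAPE is not smooth enough for a closed form.
    """
    rss0 = mean(calib[d0])
    if n_grid is None:
        n_grid = [round(1.5 + 0.01 * k, 2) for k in range(251)]  # 1.50 .. 4.00
    best_n, best_err = None, math.inf
    for n in n_grid:
        err = mape((d, estimate_distance(mean(samples), d0, rss0, n))
                   for d, samples in calib.items())
        if err < best_err:
            best_n, best_err = n, err
    return rss0, best_n, best_err


def raw_vs_mean_mape(calib, d0, rss0, n):
    """MAPE when every raw packet is ranged on its own vs. when the mean RSS is used."""
    raw = mape((d, estimate_distance(s, d0, rss0, n))
               for d, samples in calib.items() for s in samples)
    avg = mape((d, estimate_distance(mean(samples), d0, rss0, n))
               for d, samples in calib.items())
    return raw, avg


if __name__ == "__main__":
    rss0, n, fit_err = calibrate(CALIBRATION, D0)
    raw_err, mean_err = raw_vs_mean_mape(CALIBRATION, D0, rss0, n)
    print(f"reference RSS at {D0} m: {rss0} dBm, fitted path loss exponent n = {n}")
    print(f"MAPE over calibration set (mean RSS): {fit_err:.2f}%")
    print(f"MAPE ranging each raw packet: {raw_err:.1f}%  vs mean RSS: {mean_err:.2f}%")
    for d, samples in CALIBRATION.items():
        print(f"{d:4d} m -> {estimate_distance(mean(samples), D0, rss0, n):7.2f} m")
```

On this constructed set the fitted exponent comes out at 2.2 with a calibration MAPE of about 2%, while ranging each raw packet individually gives a MAPE above 40%, which is the effect the abstract describes: per-packet scatter of a few dB is enough to throw the estimate off by tens of percent, because the model maps a dB offset to a multiplicative distance error of 10 ** (offset / (10 n)). Averaging the packets first removes most of that scatter before the inversion.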
Keywords: Bluetooth low energy, range-finding, BlueFinder, Bluetooth classic