If one wants to know (for attack or defense) whether a Bluetooth (BT) device is vulnerable to unauthenticated remote over-the-air exploits, one needs to be able to query what firmware or OS the target is running. Unfortunately there is no universally-available method to get this information across all BT devices. There is also no past work that attempts to rigorously obtain this information. Therefore we have created the "Blue2thprint" project to begin to collect "toothprints" (2thprints) of BT devices, and bring the exciting world of forensic odontology to you!
This research discusses what information is readily available by existing inquiry tools and methods. We show how that information is not what we need, as it has been focused more on tracking individual devices, or on exposing device characteristics, models, and manufacturer information. We will show how some readily-available information *is* useful for giving partial answers about firmware and OS versions, but how this information is completely inconsistent in its availability or meaning. It turns out many 2thprints are missing teeth!
Thus we'll show why it is necessary to send custom packets and packet sequences in order to build more robust 2thprints. These custom packets and sequences cannot be created by using existing BT software interfaces. They require utilizing custom firmware on the packet-sending device.
This research will present a new state-of-the-art when it comes to exposing the known, the unknown, and the under-known of BT device identification. And it will show what work remains, before we can approach 100% identification for any random device that shows up in a BT scan.
Prior to working full time on OpenSecurityTraining2 (ost2.fyi), Xeno worked at Apple designing architectural support for firmware security;and code auditing firmware security implementations. A lot of what he did revolved around adding secure boot support to the main and peripheral processors (e.g. the Broadcom Bluetooth chip.) He led the efforts to bring secure boot to Macs, first with T2-based Macs, and then with the massive architectural change of Apple Silicon Macs. Once the M1 Macs shipped, he left Apple to pursue the project he felt would be most impactful: creating free deep-technical online training material and growing the newly created OpenSecurityTraining 501(c)(3) nonprofit.