Dear List, This Message is thrown together in a hurry with limited Internet access, please take my aplogise for typos and missing information, more will follow soon :) My call for an OSS Bluetooth sniffer during the last 23C3 in Berlin has not been left unanswered, first there was Max Moser("Bluetooth - Getting raw access") that uncovered how you can modify a consumer USB stick by flashing it with a BTSnifferfirmware and get RAW access to it. The question that was leftwas how to send commands to it, get it into sniffing mode, synchingit. Exactly this is what Andrea Bittau and Dominic Spill found out during their work on a Paper entitled "BlueSniff: Eve meets Alice and Bluetooth", Andrea further implemented it in C code. The paper will be shortly be published and presented at this years' USENIX. In other words a Bluetooth Hacker dream has partially come true, a cheap and (partialy) open way to sniff and capture packets, including the pariring-handshake which may than be cracked. Andrea is currently working on cracking open the very last thing that holds him from crafting low level Bluetooth packets, the XAP2 processor, he dissassembled the firmware to find out how exactly it works, for that he wrote his own dissassembler, after this he/we may write our own firmware and basicaly do whatever we like, for example code a full blown fuzzer or full blown attack device. Other very interesting findings will be uncovered during the next weeks, more on this later :) PS. Renderman will demonstrate the findings at this years DEFCON during the Church of WiFi, be there (I will) Information and Files from : http://secdev.zoller.lu Thierry Zoller - Security Engineer