San Francisco (CA) - From the second floor of the Moscone Convention Center, a trio of hackers points their Bluetooth Sniper Rifle at the show attendees below. Bluetooth devices have become commonplace, especially with the technical crowd at the RSA Convention. Maybe thousands of Bluetooth devices were worn by attendees. The guys at Flexilis may have scanned them all.

James Burgess, from Flexilis, a wireless think tank, says that the BlueSniper gun is a very simple concept. "It’s basically a gun stock, with an antenna on it. The thing that makes it cool is the gumstick PC built into the magazine. It is completely self-contained."

Flexilis demonstrated a similar gun at the 2004 Defcon Convention in Las Vegas. That gun was hastily put together, basically with rubber bands and tie straps. This updated version was better looking and much bigger. So big the Flexilis guys had to mount it on a tripod.

Constructing the gun was easy. A tube shaped antenna, tuned for Bluetooth frequencies, was attached to an aftermarket gun stock. LMR-400 cable connects the antenna to a miniature computer, located in the magazine of the gun. The total cost of the parts was less than $500.

While the gun looks impressive, John Hering says, "The real magic happens inside the computer." The magazine containing a small computer is loaded into the gun. A bright blue LED glows on the outside of the gun, after the magazine is inserted and turned on. The computer is powered by a 400Mhz Xscale processor and has serial output. It accepts the Bluetooth signals from the antenna and has an MMC slot, which can store and accepts all the signals from the Bluetooth antenna.

Kevin Mahaffey, the main programmer at Flexilis, explains their homegrown software can find vulnerable phones, list their services and perform exploits. During our demonstration, he only showed off the vulnerability and service scans, but he says that it would have been trivial to crash or even rip contact lists from vulnerable phones.

In a few minutes of scanning, the group picked up more than one hundred phones. The phones were listed by the MAC address, which is the unique hardware address burned into every phone. All of this information can be stored on a MMC card inside the gumstick computer - making the BlueSniper gun self-contained. So for the security professionals at the RSA Security Conference, don’t forget to look up, as you are being watched.

Related Articles :
Defcon 12 - Bluetooth Sniper Rifle