Friday, July 22, 2016

Configuring WiFi Pineapple Nano on Mac OS X

The WiFi Pineapple installation is well documented, but there were a couple of extra steps to configure the Nano with a Mac. It looked like some others were bumping into some issues so I thought I'd document what worked for me, on OS X El Capitan, Version 10.11.3. These steps augment the installation video from the Pineapple web site, under the Linux setup section/dropdown. 

Get latest Nano firmware

  1. Download the latest firmware and save it to your Mac

Configure USB Internet Sharing on your Mac

  1. Open System Preferences —> Sharing
  2. Enable USB sharing as shown in the image below

Configure Nano

Update Firmware

  1. Plug the Nano to the USB on your Mac. I just used the primary USB connector and not the additional Y cable USB connector, which seemed to work fine for the setup.
  2. Once the Pineapple boots up (the light stops flashing) connect to the WiFi access point that it creates using the Wifi Icon on your Mac menu bar or via System Preferences —> Network. The Wifi name looks like Pineapple_NNNN, where NNNN is from the MAC address printed on the bottom of the device.
  3. Connect to from a web browser
  4. Click "Continue" from that web page
  5. Hold the reset button for at least 3 seconds as directed (I configured the Nano with the WiFi on)
  6. From the web page click "Select File" and select the firmware you downloaded from the Pineapple site. Then click "Install."
  7. Wait a few minutes until the update finishes - the blue indicator light on the Nano should stop flashing. This will disconnect your Mac from the Pineapple WiFi.

Initial Device Configuration

  1. Reconnect your Mac to the Nano's Wifi Network (step 2, above)
  2. Follow to directions to continue "with WiFi enabled" by pressing reset button as directed.
  3. Set the password and SSID, for example MyPineappleWifi
  4. Click "Complete Setup" - which will disconnect you from the Nano's WiFi

Set Nano IP Address

Thanks to audibleblink for this post which describes configuring the Nano's network interface to work your Mac's internet sharing. Here are the steps:
  1. Reconnect to the Pineapple access point, i.e MyPineappleWifi
  2. SSH to your Nano from your Mac terminal:
ssh root@
  1. If you have installed other Pineapples and you get an SSH error, you may need to first clear the keys from your known_hosts file:
ssh-keygen -R
  1. From the shell of your Nano, configure the device's IP address and gateway. This will once again disconnect you from the Nano.
uci set network.lan.ipaddr=''
uci set network.lan.gateway=''
uci commit && reboot

Continue Configuration

  1. Hard reboot: I had to unplug the Nano from USB, then reconnect to be able to connect to it after the network configuration. You shouldn't need to connect to the Nano's access point (i.e. MyPineappleWifi) at this point. You should make sure that your Mac is connected to a network and has Internet access though.
  2. Once your Nano reboots, try to reconnect via a web browser: (using the IP address you set in step 3, above)
  3. From the main Dashboard click "Load Bulletins..." button. If the data loads your Nano has an internet connection.

Next Steps

At this point if your Nano has an internet connection, you should be good to go. Feel free to let me know if there are any steps, issues or optimizations.

Friday, January 2, 2015

What Corporate Boards Need to Know About Information Security for 2015

Below are some recurring themes around security that will benefit directors. While providing leadership in security is hard, boards can improve their governance by groking these important aspects of security for 2015.

Security is a competitive advantage. Security is hard;  and that's a good thing. Many companies won't get it right. And as liabilities continue to increase along with customer, investor and employee expectations, the value of a robust security culture will continue to grow. Because creating an environment from the board & executives on down is challenging, this is an opportunities for forward-thinking companies to differentiate, minimize risk, and avoid the brand-risk associated with getting it wrong publicly. Proactive companies will view security more as a component of long term shareholder value as opposed to short term expenses that hit the quarterly financials.

Security is mostly basic and mundane (albeit requiring considerable operational commitment). "Well anyone can get hacked if an attacker tries hard enough." This is NOT an excuse to just write off securing your organization. While there might be some truth in this, the over-riding reality is that most security breaches could have been avoided with adherence to the most basic security principals and policies. This is more about security 101 and less about advanced technical topics.

Employees are the biggest risk. This is a corollary to the previous item. Most security incidents are due to an employee not following security policy rather than a technically sophisticated hack. And this is more of a training, culture and awareness issue than one of malicious intent. Whether it's an employee that falls for a phishing scam, inadvertently downloads malware or loses an unencrypted disk storage device, the damage is often the same. Even more sophisticated attacks often start with an email, when a user downloads malicious code onto their workstations. Because every step of an attack would typically need to succeed for a successful breach, even complex multi-sequence attacks could be thwarted by the most un-technical of approaches: educate your users about security and ensure your security policies are followed. 

Be aware of CIO and CISO conflict of interest. The board should be aware of the risk of having your security role report directly into IT. Directors need to understand the conflicting role of the CISO and the CIO. The CIO is the yes role. Yes we can improve access, yes we can add that feature, yes we can reduce cost,  yes IT is doing a great job, yes our network is secure. The CISO is the no role. No we should think twice before allowing this kind of access, no we can't reduce costs that much, no we need more time, no we need to think more about that, no our network is not secure. If your CISO reports directly to your CIO, then you should be aware of this potential conflict and filter the data you get about security risk accordingly. This conflict is not so much as a legal issue as an issue inherent in the objectives of the roles, but an Enron comparison is still valid: A key component of the Enron downfall was that Arthur Anderson was both consulting on financial strategy and auditing the books. I call that having the fox audit the hen house.

Advanced Persistent Threat (APT) is code for, oops we violated security 101. Executives at breached companies often use this term to justify a breach at their organization. However, as more information about a breach is released, these incidents are often revealed to be a function of violations of the most basic security principles. RSA's SecureID breach is a good example. They consistently labeled the cause of their incident as an APT. Perhaps it was advanced, and perhaps it was persistent, but the fact remains: had employees followed policy and been more security-aware, this incident would have been thwarted.

Compliance is not the same as security. Compliance addresses a regulatory requirement to meet specific standards. Unfortunately compliance with security standards can often be gamed or applied subjectively. This might be an effective strategy for compliance, but not security. Non-compliance in and of itself is a risk and achieving compliance is a business requirement. However, it is important for directors to understand that being compliant with a specific regulations like SOX, PCI or HIPAA does not imply security.

Your network is decentralized and so is your responsibility. There is no easy answer for this one, but directors need to be aware of the extent that their security is co-dependent on others and extends beyond their physical boundary. Vendors and partners have access to corporate data and network assets. Mobile, remote employees, global office locations and cloud services make the network edge fuzzy, along with the demarcation of your responsibility. More and more computing power  and data is distributed beyond the traditional core network. Remember, if a partner company gets compromised which leads to a data disclosure for your customers, the letter to your customers about their breach will be on your letterhead. The partner company's fault perhaps, but you own the brand damage.

Technology: Don't believe the hype. Security products often claim unrealistic capabilities. If it sounds too good to be true, or just too easy, be wary. The biggest risk here is that directors get blind-sided by a breach and thought they were covered because of some blanket statements promoted by the technology they have invested in. Unfortunately you can't buy your way out of the problem: security technology is only as good as the care in configuration and ongoing process that supports it. Investing in technology is just a small part of the investment involved. In the end, it has to be a part of a bigger technology strategy and process.

There are no easy answers in security. It's challenging and requires ongoing commitment. The upside is that while the liability and expectations around security continue to grow, it provides an area of competitive advantage for those that can build security into their company culture in 2015.

Thursday, January 1, 2015

Free iPhone Security App

SYOD - Secure Your Own Device - Free iPhone App

iPhone security for everyone, because information security is everyone's responsibility. SYOD was created in this spirit. It helps users not only secure their iPhone, but educate them about why these settings are important.

Centralized corporate technology alone can no longer protect individuals or corporations. With the ubiquity of mobile and cloud computing, the edge of the network is blurred as mobile devices bring data and computing power everywhere; individuals are the single most important component to both individual as well as corporate security.

One element of the iOS operating system design is that individual apps have limited access to the configuration settings on an iPhone. While this is an important security feature in that it is part of a sandbox design that keeps apps into their own safe areas, it also inhibits centralized configuration of important security settings.

SYOD addresses this by grading iPhone security configuration based on a self assessment of current security settings, from secure to insecure. It also gives step-by-step instructions on how to configure each setting. Topics covered include: activating screen auto-lock and passcode-lock, disabling Siri bypass and configuring Wi-Fi security. More info and the complete self test are available on the app available on iTunes:

We're currently in process of upgrading SYOD for iOS8.

Wednesday, December 17, 2014

Sony Breach: Will Visualizing Sony Implosion Lead to Improved IT Governance

So I've been watching breaches for many years and the latest Sony breach is awe inspiring in terms of the scale of the breach and maliciousness in intent; the breach seems to transcend the typical profiteering objectives and feels more like economic espionage. The scale and intent of this breach seems to have intersected with a company which lacks both value in security management as well as IT governance. They clearly have not learned from past mistakes and now they seem to now be faced with the biggest security spectacle in a decade.

Only time will tell, but at this point this breach may have lasting impact in the minds of executive management worldwide. IT governance could rank higher, much higher, in the minds of corporate leadership. From a governance standpoint the impact of many breaches is reduced mainly to quantifiable dollars, perhaps the cumulative cost of the breach and impact to stock price with a little brand damage thrown in. Even 100 million dollars of breach cost is not nearly catastrophic for a business unit that can generate multiples of that in profit in a single quarter.  However, whatever the future holds for Sony, it's not inconceivable to see a scenario where the entire Sony Pictures Entertainment crumbles and significantly impacts the greater Sony conglomerate. It's not so much that that will happen as much as that scenario seems plausible. Corporate boards will be able to visualize that in their own organizations. With that potential impact I feel that we could be ushering in a new era of IT governance.

A couple of thoughts come to mind for corporate boards and IT stewardship in terms of their ability to provide effective IT oversight.

1. Every board should be able to answer the following questions as part of a competency test for their ability to manage security risk and IT governance:
  • What are the risks associated with having the security department report directly into the IT organization? and, 
  • Who is reporting to the board about security risk and IT controls and what might their bias be?
Hint 1: One key unstated objective of a corporate CIO or IT director is to keep their job, put food on the table and otherwise keep a paycheck; a good way to achieve that is to demonstrate what a great job they are doing, which in fact can be said about most jobs. 
Hint 2: A key objective of a security assessment of an outside auditor is to identify weaknesses in the IT environment.
Hint 3: Hint 2 is in direct conflict with Hint 1.
2. Does the board have a technical member that can help facilitate meaningful discussion around security and technology infrastructure.

Clearly the Sony breach demonstrates a new avenue and motivation for security breaches. From a governance perspective, the risk should be perceived as much more open-ended. Perhaps the day of classifying data disclosure purely in terms of monetary impact that can be insured against or hedged with huge profits is over. Corporate risk management will begin so imagine breach impacts so significant that it could change the course of an entire company.

Tuesday, December 16, 2014

iOS Anti-Phishing Functionality: Marginal

Anti-Phishing Features in iOS are of Limited Value

The anti-phishing functionality in iOS is functional, but there is a significant lag in updating the phishing site database, According to Apple, when turned on the functionality should alert you if you click on a link to a known phishing site.

Enabling this feature on my iPhone (5s running iOS version 8.1.2) seemed to work, but only if I go back to phishing sites that were reported the previous day. I used sites reported by for the test. 

The following sites were tested. These included sites identified within the last 24 with the most recent reports first.  (Note these are documented phishing sites. Visit at your own risk.). The first few sites were not detected as phishing sites when clicked on in my iPhone Safari browser. Only the last two. However, on desktop chrome browser, all of the following links presented a warning.

When successfully identified as phishing sites with my iPhone (sites 4 & 5, above) the following message was displayed.


Be wary. According to the Anti-Phishing Working Group  (APWG) "Apple became the world’s most-phished brand" this year. Phishing sites tend to be somewhat temporary anyway, with an average uptime of less than 33 hours according to APWG in its report from June of 2014. As such Apple's delay in updating its phishing database makes it of very limited value given that phisher's are adept at acting fast using new phishing sites for active campaigns.

How to configure anti-phishing

You'll still need to be aware of websites you visit (difficult on a mobile browser) and be wary of submitting your credentials, but it still makes sense to ensure that you have the anti-phishing settings turned on. Here's how:

Go to Settings-->Safari and turn on "Fraudulent Website Warning".

Tuesday, December 9, 2014

Sony Breach - How A Hack Will Add Transparency To Your IT Practices (AKA I've Seen This Movie Before)

Having spent 15 years in security and building a security assessment company, which helps companies identify and mitigate security risk, I've been at ground-zero for many data breaches. I've seen the fallout. I've watched as companies that couldn't even a fund realistic budget to help address security risk, make outsized expenditures after a security incident. I've seen companies that couldn't even get an internal risk management meeting together with key stakeholders, involve many lawyers, executive management, IT and compliance personal and even the board of directors, after an incident.

As it turns out IT gets a lot of attention after a breach.

So while there may not be much visibility into the inner-workings of your IT function before a breach, you can bet there will be after. Corporate IT is becoming very, and it's difficult to gauge the overall robustness of many IT environments at a glance. In effect, IT is not inherently transparent. However, what you will find is that after a breach, there is significant scrutiny to IT practices. Few people really know what's happening in your IT environment before a breach, but everyone will be looking at your IT practices after.

And this increased visibility creates two phases of impact. The first phase is the data disclosure impact such as the compromised credit card numbers, account numbers, passwords, social security numbers, confidential data, etc., and the associated liability. The second phase is the impact associated with how your IT environment is viewed once it comes under scrutiny.

The poster child of this was CardSystems Solutions a credit card processor. They had 40 million credit cards compromised from their systems. However, it wasn't the incident itself, but their security practices exposed after the breach that led their downfall. When it was discovered that they had been storing unencrypted card numbers on their network their biggest customers, Visa and American Express, dropped them, and they eventually shuttered.

And more recently you can see the dissection of Sony's security practices, such as:

Interviews with former employees:
“Sony’s ‘information security’ team is a complete joke,” one former employee said. “We’d report security violations to them and our repeated reports were ignored.” on Time's website.
Similar tweets:

And a Mashable post with the headline:
"Sony Pictures' security chief once thought data breaches weren't a big deal"

Of course you might be able to say this about any organization or perhaps you could argue that these quotes have been taken out of context. There is certainly plenty of monday-morning-quarterbacking happening here, but these comments, along with some of apparent lax security controls reinforce the idea that Sony's culture didn't foster robust security processes. 

And I've experienced this attitude first hand. I once drove 90 miles to meet a potential client to deliver a proposal for a web application security assessment when I was building Redspin. When I got to the meeting, the CIO not only failed to show for our confirmed meeting but had no excuse, apology, or any reasoning whatsoever; not even a comment or message.  You can imagine my surprise when, a month or so later, I got a call from that same CIO. The company had been hacked, in fact, the very web application we would have evaluated got compromised in a very public way. So while I couldn't get the attention of the CIO for a meeting in his own conference room a month before, at this point the CIO was calling from the board room, with a room full of attorney's, top management and board members. It was real fire drill; lots of people were looking at IT. 

So I counsel executives to do this exercise: 

  • Pretend you just got hacked. Now, imagine how your security practices and decisions will be viewed.
Ask yourself these questions:

If we have a breach, and if my IT process is exposed, will it look like:

  • our organization value's security?
  • I care about generally accepted best-practices?
  • we respect the security process?
  • I value our employees input? 
What we do know is that your environment won't look perfect. No environment will look anywhere near perfect. IT is too complex and too dynamic. But will it look like you are even trying? Will it look like you care and even respect the process? Will it look like you care about your employee and customer data?

Thursday, June 19, 2014

My Concept for the Cisco Internet of Things Innovation Grand Challenge

Here is the concept I just submitted for the Cisco's IoT Challenge:

Deploy a network of fixed Bluetooth scanners throughout an urban area and/or transportation corridor to enable a region-wide alert/notification system for things: Bluetooth enabled devices that transmit a Bluetooth signal. Currently this includes: mobile phones, medical devices, consumer electronics, vehicles, smart watches, FitBits and other activity trackers, and a myriad of sensors and trackers.

This essentially addresses the last mile problem for things, using a well understood and widely adopted RF protocol (30 Billion Bluetooth devices estimated to be deployed by 2016). I have created a mobile app-based prototype of this system which supports both Bluetooth Classic and Bluetooth Low Energy (with data available at in which the scanning is crowdsourced (a mobile app rather than fixed scanners). Fixed scanners would be available through an API to enable subscribers to access the data. Only devices registered to be tracked (with Bluetooth Address) would be allowed, except for public safety use cases. 

Use cases for this would include:

  • An Amber Alert add-on in which kids with a Bluetooth radio (they cost less that $20) or their abductors cars or mobile phones would be able to be tracked.
  • Stolen cars (most will be Bluetooth enabled according to industry research) would be identified when passing by a scanner.
  • Cities deploying this type of technology could license the data for market research as a revenue source (following appropriate guidelines for security and privacy).
  • App developers and other commercial entities could license specific scanners (beacons) to implement iBeacon functionality in which an app (only those apps that users install on their phones and approve) would wake up in the proximity of a beacon.
  • Public alert systems could leverage the beacon capability of the Bluetooth network to provide fine grain alerts based on proximity to an event.

Features that could be implemented with such a system are extensive and include any use case that might leverage alerts, triggers, geo-fencing, inventory, tracking and sensors. This type of system could save lives, provide revenue and also perhaps impact city-wide insurance premiums. The system could be deployed in increments such as a major transportation corridor, malls, or borders for specific requirements.

Thursday, June 5, 2014

Bluetooth LE Captures from an item tracker

Item Tracker Bluetooth Device Captures

Below shows another advertising strategy. This shows an advertising sequence between an item tracker from Phone Halo and the Bluescan app running on an Android device with BD_ADDR of AC:22:0B:45:87:55. The second capture is between another tracking device (I got a second one of their devices via their Indiegogo campaign) and their proprietary app.

Device 1

This is the advertisement and scan request from the BlueScan app:

 systime=1402000803 freq=2402 addr=8e89bed6 delta_t=1287.768 ms  
 40 23 ac 91 89 1c f3 c7 04 09 74 6b 72 03 19 40 02 02 01 06 02 0a 04 03 03 3e 0f 09 ff 00 00 ac 91 89 1c f3 c7 40 22 c7   
 Advertising / AA 8e89bed6 / 35 bytes  
   Channel Index: 37  
   Type: ADV_IND  
   AdvA: c7:f3:1c:89:91:ac (random)  
   AdvData: 04 09 74 6b 72 03 19 40 02 02 01 06 02 0a 04 03 03 3e 0f 09 ff 00 00 ac 91 89 1c f3 c7  
     Type 09 (Complete Local Name)  
     Type 19  
       40 02  
     Type 01 (Flags)  
     Type 0a (Tx Power Level)  
       4 dBm  
     Type 03  
       3e 0f  
     Type ff  
       00 00 ac 91 89 1c f3 c7  
   Data: ac 91 89 1c f3 c7 04 09 74 6b 72 03 19 40 02 02 01 06 02 0a 04 03 03 3e 0f 09 ff 00 00 ac 91 89 1c f3 c7  
   CRC:  40 22 c7  

Scan Request

 systime=1402000803 freq=2402 addr=8e89bed6 delta_t=0.352 ms  
 83 0c 55 87 45 0b 22 ac ac 91 89 1c f3 c7 a7 21 48   
 Advertising / AA 8e89bed6 / 12 bytes  
   Channel Index: 37  
   Type: SCAN_REQ  
   ScanA: ac:22:0b:45:87:55 (public)  
   AdvA: c7:f3:1c:89:91:ac (random)  
   Data: 55 87 45 0b 22 ac ac 91 89 1c f3 c7  
   CRC:  a7 21 48  

Scan Response

 systime=1402000803 freq=2402 addr=8e89bed6 delta_t=0.263 ms  
 44 06 ac 91 89 1c f3 c7 1a 59 6e   
 Advertising / AA 8e89bed6 / 6 bytes  
   Channel Index: 37  
   Type: SCAN_RSP  
   AdvA: c7:f3:1c:89:91:ac (random)  
   Data: ac 91 89 1c f3 c7  
   CRC:  1a 59 6e  

Device 2:

This is another one of their devices in which the capture was between their device and their proprietary Android app. In this case, there is an advertisement and a connection request.


 systime=1402002717 freq=2402 addr=8e89bed6 delta_t=27.500 ms  
 40 15 ca b3 9b 87 c2 c7 02 01 05 07 09 69 6e 53 69 74 65 03 19 ff ff d8 85 00   
 Advertising / AA 8e89bed6 / 21 bytes  
   Channel Index: 37  
   Type: ADV_IND  
   AdvA: c7:c2:87:9b:b3:ca (random)  
   AdvData: 02 01 05 07 09 69 6e 53 69 74 65 03 19 ff ff  
     Type 01 (Flags)  
     Type 09 (Complete Local Name)  
     Type 19  
       ff ff  
   Data: ca b3 9b 87 c2 c7 02 01 05 07 09 69 6e 53 69 74 65 03 19 ff ff  
   CRC:  d8 85 00  

Connect Request

 systime=1402002717 freq=2402 addr=8e89bed6 delta_t=0.495 ms  
 85 22 55 87 45 0b 22 ac ca b3 9b 87 c2 c7 76 f6 7c c7 a4 66 90 02 12 00 27 00 00 00 d0 07 ff ff 7f 00 1c a5 23 dd c1   
 Advertising / AA 8e89bed6 / 34 bytes  
   Channel Index: 37  
   Type: CONNECT_REQ  
   InitA: ac:22:0b:45:87:55 (public)  
   AdvA: c7:c2:87:9b:b3:ca (random)  
   AA:  c77cf676  
   CRCInit: 0066a4  
   WinSize: 02 (2)  
   WinOffset: 0012 (18)  
   Interval: 0027 (39)  
   Latency: 0000 (0)  
   Timeout: 07d0 (2000)  
   ChM: ff ff 7f 00 1c  
   Hop: 5  
   SCA: 5, 31 ppm to 50 ppm  
   Data: 55 87 45 0b 22 ac ca b3 9b 87 c2 c7 76 f6 7c c7 a4 66 90 02 12 00 27 00 00 00 d0 07 ff ff 7f 00 1c a5  
   CRC:  23 dd c1  

Gimbal Bluetooth iBeacon Advertising

Gimbal iBeacons

Below are some packet captures from the Gimbal Proxmity Beacon Series 10. These are advertisements from two devices.

First 5 seconds

For the first five seconds the devices appear to broadcast their Bluetooth addresses. Notice the AdvA for each of the following two captures:

Device 1 (a4:d8:56:01:75:ce)

 size 16  
 systime=1401996656 freq=2402 addr=8e89bed6 delta_t=22295.843 ms  
 00 1b ce 75 01 56 d8 a4 02 01 06 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 00 4f 0c 96 24 40 b3   
 Advertising / AA 8e89bed6 / 27 bytes  
   Channel Index: 37  
   Type: ADV_IND  
   AdvA: a4:d8:56:01:75:ce (public)  
   AdvData: 02 01 06 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 00 4f 0c 96  
     Type 01 (Flags)  
     Type 07 (128-bit Service UUIDs)  
   Data: ce 75 01 56 d8 a4 02 01 06 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 00 4f 0c 96  
   CRC:  24 40 b3  

Device 2 (a4:d8:56:01:a5:cc)

 size 16  
 systime=1401997031 freq=2402 addr=8e89bed6 delta_t=100.627 ms  
 00 1b cc a5 01 56 d8 a4 02 01 06 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 00 4f 0c 96 3b 3e 4b   
 Advertising / AA 8e89bed6 / 27 bytes  
   Channel Index: 37  
   Type: ADV_IND  
   AdvA: a4:d8:56:01:a5:cc (public)  
   AdvData: 02 01 06 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 00 4f 0c 96  
     Type 01 (Flags)  
     Type 07 (128-bit Service UUIDs)  
   Data: cc a5 01 56 d8 a4 02 01 06 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 00 4f 0c 96  
   CRC:  3b 3e 4b  

The BlueScan Android app shows these as:

  • Vendor: Qualcomm Labs Inc.
  • Desc: FyxBoot

Then after 5 seconds...

Each device starts the following broadcasts.

Device 1 (a4:d8:56:01:75:ce)

 systime=1401999056 freq=2402 addr=8e89bed6 delta_t=417.941 ms  
 42 25 48 36 14 0f c5 10 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 93 4a 0c 96 0c ff 8c 00 4e 12 7d 0c 5c 42 59 c1 a2 3a 5f 15   
 Advertising / AA 8e89bed6 / 37 bytes  
   Channel Index: 37  
   Data: 48 36 14 0f c5 10 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 93 4a 0c 96 0c ff 8c 00 4e 12 7d 0c 5c 42 59 c1 a2  
   CRC:  3a 5f 15  

Device 2 (a4:d8:56:01:a5:cc)

 systime=1401999005 freq=2402 addr=8e89bed6 delta_t=650.694 ms  
 42 25 d5 1c c9 d5 5c 39 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 97 4b 0c 96 0c ff 8c 00 d1 82 94 2c 57 52 4a 6f bc 5a 62 06   
 Advertising / AA 8e89bed6 / 37 bytes  
   Channel Index: 37  
   Data: d5 1c c9 d5 5c 39 11 07 ad 77 00 c6 a0 00 99 b2 e2 11 4c 24 97 4b 0c 96 0c ff 8c 00 d1 82 94 2c 57 52 4a 6f bc  
   CRC:  5a 62 06  

The ADV_NONCONN_IND advertisement is an undirected broadcast that is not connectable, nor is it scanable (i.e. it won't respond to a SCAN_REQ in response to an advertisement).

Analyzing Bluetooth Advertising with Ubertooth

Bluetooth Active Scanning Example

in my last post, Understanding Bluetooth Advertising Packets, I reviewed and consolidated some key elements of advertising packet format and data structure from the Bluetooth Core 4.1 Specification. In this post, I'll review some packets, a relate the specific fields to the spec.

The following packet sequence is between a Fitbit Flex (advertiser) and Bluescan (scanner), on channel 37, using and Ubertooth Bluetooth packet sniffer per this command:

 ubertooth-btle -f  

The three packets below show a complete active scan cycle. The advertiser (Fitbit) send out a ADV_IND advertisement, and the BlueScan Android app responds with a SCAN_REQ packet requesting additional data and the Fitbit responds with a SCAN_RESP.

Fitbit advertisement (ADV_IND):

Below is the first packet captured with Ubertooth:

 systime=1401827476 freq=2402 addr=8e89bed6 delta_t=673.874 ms   
  40 21 eb 12 e6 2d bb f5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04 69 6e 34    
  Advertising / AA 8e89bed6 / 33 bytes   
   Channel Index: 37   
   Type: ADV_IND   
   AdvA: f5:bb:2d:e6:12:eb (random)   
   AdvData: 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04   
    Type 01 (Flags)   
    Type 06 (128-bit Service UUIDs, more available)   
    Type 16 (Service Data)   
     UUID: 180a, Additional: 07 04   
   Data: eb 12 e6 2d bb f5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04   
   CRC: 69 6e 34   

Some items of note:

  1. The Access Address (AA) is 0x8e89bed6 (this number is used to manage Link Layer connections and is a random number, other this this, for non advertising packets).
  2. It's on channel 37, which is one of three dedicated advertising channels (37, 38 & 39) of the 40 channels in the Bluetooth spectrum.
  3. The packet's PDU type is ADV_IND, which indicates a connectable undirected advertising event with the following properties:
    • connectable: a scanner can initiate a connection upon seeing this event.
    • scannable: a scanner can issue a scan request up seeing one of these
    • undirected: this is broadcast, no Bluetooth address is specified
    • payload: can contain user data in payload, whereas a directed packet cannot.
  4. AdvA is f5:bb:2d:e6:12:eb, which is the device address of the advertiser. This is a random address, based on...
  5. The Type '01' is a flag in the TxAddr field indicating that the AdvA address is random.
  6. Type '06' is a GAP profile indicating 'Incomplete List of 128-bit Service Class UUID' defined here, with a UUID provided: adab36ca-6e7d-4601-bda2-bffaa68956ba.
  7. Type '16' is also a GAP service type (here) as 'Service Data'. Additional information on this type is defined in the Core Specification Supplement, Part A, section 1.11. For this packet the value is 0x180a which is the UUID for device information.

BlueScan response (SCAN_REQ):

In response the the previous packet, BlueScan responded with this message.

 systime=1401827476 freq=2402 addr=8e89bed6 delta_t=0.336 ms  
 83 0c 55 87 45 0b 22 ac eb 12 e6 2d bb f5 cc 1c fd   
 Advertising / AA 8e89bed6 / 12 bytes  
   Channel Index: 37  
   Type: SCAN_REQ  
   ScanA: ac:22:0b:45:87:55 (public)  
   AdvA: f5:bb:2d:e6:12:eb (random)  
   Data: 55 87 45 0b 22 ac eb 12 e6 2d bb f5  
   CRC:  cc 1c fd  

Some items to note:

  1. This packet again uses the advertising channel (37) and Access Address (0x8e89bed6).
  2. Scan type is SCAN_REQ.
  3. ScanA is the BT_ADDR (Bluetooth Address) of the scanner (BlueScan Android App) and AdvA is the same random IP of the advertiser.

Fitbit response (SCAN_RSP):

Finally, the Fitbit responds with this:

 systime=1401827476 freq=2402 addr=8e89bed6 delta_t=0.326 ms  
 44 0f eb 12 e6 2d bb f5 05 09 46 6c 65 78 02 0a fa b6 c4 52   
 Advertising / AA 8e89bed6 / 15 bytes  
   Channel Index: 37  
   Type: SCAN_RSP  
   AdvA: f5:bb:2d:e6:12:eb (random)  
   ScanRspData: 05 09 46 6c 65 78 02 0a fa  
     Type 09 (Complete Local Name)  
     Type 0a (Tx Power Level)  
       -6 dBm  
   Data: eb 12 e6 2d bb f5 05 09 46 6c 65 78 02 0a fa  
   CRC:  b6 c4 52  


  • Type '0a'  and '09' flags are assigned numbers designated by the Bluetooth SIG Generic Access Profile, indicating what the Ubertooth output shows: 'Complete Local Name' and 'Tx Power Level' respectively.

Analyzing Gimbal Advertisements

Next, I'll have a look at Gimbals iBeacon advertisements. These use random address as a privacy mechanism, so it's worth having a look at those.