
Bluelog

       Platform: GNU/Linux
       Language: C, HTML
       License: GPLv2
       Dependencies: BlueZ
       Latest Release: 1.0.2

About

Bluelog is a Linux Bluetooth scanner written to do a single task: log devices that are in discoverable mode. It is intended to be used as a site survey tool, determining how many discoverable Bluetooth devices there are in the area. It has also proven to be very well suited to Bluetooth traffic monitoring applications.

While there are many different Bluetooth scanners available, none I found did exactly what I wanted; most seemed focused on pulling down various bits of information from the target devices (like SDP records). I was also having trouble locating a scanner that didn't have a UI of some sort, which was a problem since I wanted to scan continuously without user intervention. After trying out all of the Linux Bluetooth scanners I could find, I eventually decided to simply write my own.

The more time I spent on Bluelog, the more features I worked into it. Eventually, Bluelog started evolving into a considerably more advanced tool than I initially intended. Still, all of the advanced features are completely optional, and if you choose, it can still be used as the simple little scanner it started as.

Basic Logging

If you want to use Bluelog to perform some simple scanning and logging, you technically don't even need to pass it any arguments, though some are helpful. Consider this simple scan:

bash:~# bluelog -vtn -o ./example.log
Bluelog (v0.9.9) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: ./example.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [06/20/10 16:58:13] on 00:16:41:B4:9E:1C.
Hit Ctrl+C to end scan.
[05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a,0x5a0204
[05/12/10 16:58:27] 00:21:FE:7C:B5:33,Nokia 2600,0x5a0204
[05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b,0x5a0204
Closing files and freeing memory...OK
Done!

In this case, Bluelog was run with the "verbose", "timestamp", and "name" options, which caused discovered devices to be shown in the terminal as well as having the time of their discovery logged along with MAC and device name.

I also chose to write the log to an alternate file, in this case "example.log". If we check the contents of that file we can see Bluelog's (very basic) output format:

bash:~# cat ./example.log
[05/12/10 16:58:13] Scan started on 00:16:41:B4:19:1C
[05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a
[05/12/10 16:58:27] 00:21:FE:7C:B5:33,Nokia 2600
[05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b
[05/12/10 16:58:35] Scan ended.

Customized Logging

Bluelog features multiple options for configuring the log file, all of which are optional but could be helpful depending on how you intend on parsing the resulting data. As of the current version, Bluelog supports the following logging options:

-b

This option will set the log format so that the resulting data is suitable for upload to ronin's Bluetooth Profiling Project (BlueProPro). This overrides most other logging options and disables Bluelog Live. For more information on this project, and the additional steps required to submit your data for inclusion, visit: www.hackfromacave.com

-c

This option toggles writing the raw device class to the log file. Enabling this option disables the -f option. Default is disabled.

-f

This option takes the device class and interprets it into a more human friendly format. It will tell you what class the device is and also what its core capabilities are. For example, the class "0x7a020c" would appear as: "Smart Phone,(Net Capture Obex Audio Phone)". Enabling this option disables the -c option. Default is disabled.

-n

Use this option to toggle displaying device names for discovered devices. Finding the device name takes extra time during scanning, and occasionally fails. Therefore, by not resolving device names, Bluelog can scan faster and more accurately. Default is disabled.

-t

Use this option to toggle displaying timestamps for both the start and end of the scan and each new device found in the log file. Default is disabled.

-x

Use this option to toggle MAC address obfuscation. This allows you to release your log files without (completely) compromising the identity of the scanned devices. Default is disabled.
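The log format shown above is simple enough to parse by hand. The following is an added example, not code from Bluelog itself: it reads lines as Bluelog writes them under the -t, -n and -c options and decodes a raw class (as -f does) from the Bluetooth Class of Device bit layout. The short service labels for bits 17, 19, 20, 21 and 22 are taken from the -f example on this page; the remaining labels and the sample log lines are my own constructions.

```python
import re
from datetime import datetime
from typing import List, Optional

MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}")
COD_RE = re.compile(r"0x[0-9a-fA-F]{6}")
# Class of Device layout: major device class in bits 8-12, minor in bits 2-7,
# major service classes in bits 16-23. Labels for bits 17/19/20/21/22 follow the
# -f example on this page; "Positioning", "Render" and "Info" are assumed labels.
MAJOR_DEVICE = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network AP",
                4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable"}
PHONE_MINOR = {1: "Cellular", 2: "Cordless", 3: "Smart Phone", 4: "Wired Modem", 5: "ISDN"}
SERVICE_BITS = {16: "Positioning", 17: "Net", 18: "Render", 19: "Capture",
                20: "Obex", 21: "Audio", 22: "Phone", 23: "Info"}

def describe_class(cod: int) -> str:
    """Turn a raw class such as 0x7a020c into a -f style description."""
    major, minor = (cod >> 8) & 0x1F, (cod >> 2) & 0x3F
    label = MAJOR_DEVICE.get(major, "Unknown")
    if major == 2 and minor in PHONE_MINOR:
        label = PHONE_MINOR[minor]
    services = [n for bit, n in SERVICE_BITS.items() if cod & (1 << bit)]
    return f"{label},({' '.join(services)})"

def parse_line(line: str) -> Optional[dict]:
    """Parse one device line; scan start/end lines and blanks return None."""
    line, ts = line.strip(), None
    if line.startswith("["):                      # -t timestamp, MM/DD/YY HH:MM:SS
        stamp, _, line = line[1:].partition("] ")
        ts = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S")
    if not MAC_RE.match(line):                    # "Scan started on ..." / "Scan ended."
        return None
    mac, *rest = line.split(",")
    cod = int(rest.pop(), 16) if rest and COD_RE.fullmatch(rest[-1]) else None
    name = ",".join(rest) if rest else None       # -n names may themselves contain commas
    return {"time": ts, "mac": mac, "name": name, "class": cod,
            "class_desc": describe_class(cod) if cod is not None else None}

def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

# Constructed sample mixing the line shapes Bluelog produces under different options.
SAMPLE_LOG = """[05/12/10 16:58:13] Scan started on 00:16:41:B4:19:1C
[05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a,0x5a0204
[05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b
00:21:FE:7C:B5:33,0x7a020c
[05/12/10 16:58:35] Scan ended.
"""

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```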

Bluelog Live

"Bluelog Live" is an advanced mode in which Bluelog generates a web page of its results which you can host with the HTTP daemon of your choice (Apache, lighttpd, etc.). The idea is that showing results on an easy to read web page helps the less technically inclined understand the implications of discoverable Bluetooth devices out in the wild. Showing somebody a parsed log file might not get their attention, but a real-time web page showing the same information is likely to generate a better response.

You could also use "Bluelog Live" as a public awareness tool at a convention or other public place where security-conscious individuals might be gathering. Indeed, the "Wall of Sheep" was one of my primary inspirations for implementing the Live functionality in Bluelog.

"Bluelog Live" is fully skinnable through CSS, so you can make your own layout for whatever application or event you wish. Included with Bluelog is a CSS based on the DigiFAIL layout, and I have also put together a quick BackTrack theme:

[Screenshots: DigiFAIL Theme, BackTrack Theme]

To run "Bluelog Live", you will need to set up your web server to support SSI and accept index.shtml as a default page. This is just a few line changes in lighttpd, but does involve a bit more work under Apache. Check the README included with Bluelog for more specific installation information.

Bluetooth Traffic Monitoring

Truth be told, I wasn't actually aware of the concept of Bluetooth traffic monitoring until companies started contacting me about using Bluelog in their products and research. Apparently, Bluelog's specific set of features (constant logging to disk, daemon mode, support for writing to syslog) make it the only open source project that lends itself to traffic monitoring.

The basic idea is that you deploy (at least) two devices running Bluelog along a street at a known distance from each other and let them start scanning. You can then compare the timestamps on discovered devices between them and find average speed and travel time. The advantage of monitoring vehicle traffic with Bluetooth is that you only need to set up the receiving hardware and software; the people you are attempting to track provide the other end of the hardware setup without even knowing it.
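The timestamp comparison described above, as an added example that is not part of Bluelog: given the (MAC, time) sightings two sensors logged with -t, it keeps the first sighting of each MAC per sensor, infers direction from which sensor saw it first, and derives travel time and average speed over the known sensor spacing. The sensor spacing, MACs and times are constructed for this example, and the ten-minute cutoff is my own assumption for filtering devices that were parked or loitering rather than passing through.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

def ts(s: str) -> datetime:
    """Parse a Bluelog -t style timestamp, MM/DD/YY HH:MM:SS."""
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")

# Constructed sightings from two sensors placed 400 m apart (not real captures).
DISTANCE_M = 400.0
SENSOR_A = [("00:1C:62:9E:5D:B8", ts("05/12/10 16:58:27")),
            ("00:1C:62:9E:5D:B8", ts("05/12/10 16:58:31")),   # repeat sighting, ignored
            ("00:21:FE:7C:B5:33", ts("05/12/10 16:59:40")),
            ("00:1B:AF:DB:CB:9E", ts("05/12/10 17:00:02"))]   # only seen at A
SENSOR_B = [("00:1C:62:9E:5D:B8", ts("05/12/10 16:58:59")),
            ("00:21:FE:7C:B5:33", ts("05/12/10 16:59:04")),
            ("AA:BB:CC:DD:EE:FF", ts("05/12/10 17:01:00"))]   # only seen at B

def first_sightings(log: List[Tuple[str, datetime]]) -> Dict[str, datetime]:
    """Earliest time each MAC was logged by one sensor."""
    first: Dict[str, datetime] = {}
    for mac, t in log:
        if mac not in first or t < first[mac]:
            first[mac] = t
    return first

def match_trips(log_a, log_b, distance_m: float,
                max_travel: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, float, float]]:
    """Pair MACs seen at both sensors: (mac, direction, travel seconds, average km/h)."""
    a, b = first_sightings(log_a), first_sightings(log_b)
    trips = []
    for mac in a.keys() & b.keys():
        delta = (b[mac] - a[mac]).total_seconds()
        secs = abs(delta)
        if secs == 0 or secs > max_travel.total_seconds():
            continue   # same-second sighting or a device that lingered: no usable speed
        direction = "A->B" if delta > 0 else "B->A"
        trips.append((mac, direction, secs, distance_m / secs * 3.6))
    return sorted(trips)

if __name__ == "__main__":
    for mac, direction, secs, kmh in match_trips(SENSOR_A, SENSOR_B, DISTANCE_M):
        print(f"{mac} {direction} {secs:.0f}s {kmh:.1f} km/h")
```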

Bluelog's use in traffic monitoring inspired my own successful research project, Operation Street Sweep.

Supported Hardware

Bluelog should work with any USB Bluetooth device supported under Linux. I have tested it with the integrated Bluetooth hardware on Dell laptops, ridiculously cheap adapters from DealExtreme, and high-end devices like the AIRcable Host XR. Obviously more powerful devices will be able to detect targets at greater range, but scan speed is going to be the same no matter what you use. More powerful devices should help with name resolution though, for the simple fact that extended range will give you a larger window of time in which to receive a name query response (assuming the target, or your machine, is mobile).

There is also support for using different Bluetooth devices, such as in the case where you might have a powerful external Bluetooth device connected to a machine that has an internal Bluetooth radio, and want to scan with the better hardware. An alternate device is specified with the "-d" option, and can be given as either an HCI device (hci0, hci1, etc) or with the MAC of the device you wish to scan with. Note that Bluelog will fall back on automatic detection if the device you give it doesn't exist. This is an intentional feature to make Bluelog more reliable in automated setups, but can be tricky if you aren't reading the status messages. Be careful you don't pass the wrong device and end up scanning with your low-power radio accidentally.

Bluelog in the News

Well, that might be a stretch. But Bluelog has gained a bit of popularity since I released it publicly. It was mentioned on the September 24th, 2010 edition of Space Rogue's Hacker News Network.

The 0.9.7 release also hit the front page of PacketStorm as their featured file for November 2nd, 2010.

Downloads

Filename MD5 Size Date
bluelog-1.0.2.tar.gz f406d47ec94970be219cbb38f49402f9 64K 2012-02-10
bluelog-1.0.1.tar.gz 5761667f370556dd76cba5200027d028 64K 2012-01-31
bluelog-1.0.0.tar.gz a55ae4aade776d3412ae90dcc57f4e0c 76K 2011-12-19
bluelog-0.9.9.tar.gz bf993816df7ec1e7b1759ea2c70b82c4 60K 2011-05-15
bluelog-0.9.8.tar.gz 67a7fa622368663514fd51a32aa13884 56K 2010-11-30
bluelog-0.9.7.tar.gz c2f7cbd3471c1c5e28c760524233af5f 56K 2010-10-29
bluelog-0.9.6.tar.gz 2708480462c59ee983dddee1f75b2611 48K 2010-07-11
bluelog-0.9.5.tar.gz 05ff4f841910ef3eda8e1bfd42220b89 44K 2010-06-21
bluelog-0.9.4.tar.gz 1221e57d376a6be92afcb5be280688c9 36K 2010-06-18
bluelog-0.9.3.tar.gz faa4a3a237e85d72fc0906640f19cbc8 20K 2010-06-16
bluelog-0.9.2.tar.gz 37556a1acd1873f5031a1d2dc656dcb0 12K 2010-06-13
bluelog-0.9.1.tar.gz 6ce04dbd928cb497f087de112b2d3b6b 12K 2010-05-10