Ubertooth One is an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation/hacking, created by Michael Ossmann and Dominic Spill from Great Scott Gadgets. It’s one of the best and cheapest hardware tools for BLE (Bluetooth Low Energy) network sniffing, real-time traffic monitoring and penetration testing.
History: The first hardware revision, called Ubertooth Zero, was demonstrated at ToorCon 12 on October 24th, 2010, but it was superseded after a year. The current hardware revision, called Ubertooth One, was demonstrated at ShmooCon 7 on January 29th, 2011.
This small and very affordable BLE hacking tool is based on the powerful LPC175x ARM Cortex-M3 microcontroller with full-speed USB 2.0, which makes the Ubertooth One a great way to develop custom, Class 1-comparable Bluetooth devices. The entire board is only 2.5 inches long, with a USB-A connector at one end and an RP-SMA connector at the other.
You can use it to sniff raw BLE packets and use Wireshark to visualize them. In addition, the Ubertooth One can be used as a 2.4 GHz spectrum analyzer.
Disclaimer: Use the Ubertooth One as a spectrum analyzer for experimenting, but note that it has not been tested for compliance with regulations governing transmission of radio signals.
Ubertooth One: Open Source BLE Hacking Tool [specs, features, design]
- RP-SMA RF connector: connects to test equipment, antenna, or dummy load
- CC2591 RF front end
- CC2400 wireless transceiver
- LPC175x ARM Cortex-M3 microcontroller with Full-Speed USB 2.0
- USB A plug: connects to host computer running Kismet or other host code
- 2.4 GHz transmit and receive
- Transmit power and receive sensitivity comparable to a Class 1 Bluetooth device
- Standard Cortex Debug Connector (10-pin 50-mil JTAG)
- In-System Programming (ISP) serial connector
- Expansion connector: intended for inter-Ubertooth communication or other future uses
- Six indicator LEDs
Ubertooth One Design
- RST: indicates that the LPC175x is powered on. This should always be on during operation except during a full reset of the LPC175x (e.g., while entering ISP mode).
- 1V8: indicates that the CC2400 is being supplied with 1.8 V. Control of this supply depends on firmware. 1V8 power is required to activate the crystal oscillator which is required to activate USB.
- USB: indicates that USB has passed enumeration and configuration.
- TX: Control of this LED depends on firmware. It typically indicates radio transmission.
- RX: Control of this LED depends on firmware. It typically indicates radio reception.
- USR: Control of this LED depends on firmware.
Ubertooth One was designed in KiCad, an open source electronic design automation software package, with surface mount components suitable for reflow.
Hacking with Ubertooth One
If you are into Bluetooth hacking, then the Ubertooth One is the real deal for you. It’s cheap ($100-120), well documented and cross-platform (Linux, Windows, Mac OS X).
- You can use the Wireshark network protocol analyzer to analyze Bluetooth traffic (on Linux).
- It allows you to capture BLE packets without the users being aware of its presence.
- It’s a fully open-source platform (software and hardware); the schematics and code are readily available for all of your hacking needs.
- The true power of Ubertooth One is the ability to write your own software to suit your needs.
- It can be used as a real-time Bluetooth spectrum analyzer and as a Bluetooth packet sniffer (LAP sniffing and Kismet).
- It allows you to gain access to microphones in headsets, or to break into keyboards and mice, which enables remote access to the systems they are connected to.
- You can also exploit smart locks, smart home systems, smart light bulbs, beacons and pretty much anything that uses BLE.
- Setting up is extremely straightforward; there are detailed guides on the official page (Ubertooth One GitHub Wiki).
- You can also build your own Ubertooth (see the Hardware Build Guide).
There are a huge number of devices which can be used for monitoring Bluetooth traffic, but what sets the Ubertooth apart from other Bluetooth development platforms and Software Defined Radios (SDRs) is that it is capable of both sending and receiving 2.4 GHz signals, it can operate in monitor mode, and it can be used for monitoring Bluetooth traffic in real time.