Long-range Bluetooth Wardriving Rig


[Kyle] was digging through a box of junk he had lying around when he came across an old USB Bluetooth dongle. He stopped using it ages ago because he was unsatisfied with the limited range of Bluetooth communications.

He was going to toss it back into the box when an idea struck him – he had always been a fan of WiFi wardriving, why not try doing the same thing with Bluetooth? Obviously the range issue comes into play yet again, so he started searching around for ways to boost his Bluetooth receiver’s range.

He dismantled the dongle and found that the internal antenna was a simple metal strip. He didn’t think there would be any harm in trying to extend the antenna, so he soldered an alligator clip to the wire and clipped it to the CB antenna on his truck. His laptop sprang to life instantly, picking up his phone about 100 feet away in his house. He took the show on the road and was able to pick up 27 different phones set in discoverable mode while sitting in the parking lot of a fast food chain.

While it does work, we’re pretty sure that a CB antenna is far from the ideal extension of the Bluetooth radio. We would love to see what kind of range he would get with a properly tuned antenna.

Keep reading to see a quick demonstration of his improvised long-range Bluetooth antenna.

Video demonstration: http://www.youtube.com/watch?v=RtIKzhHcInk

56 thoughts on “Long-range Bluetooth Wardriving Rig”

  1. Oh c’mon, any lack of perfect fitness for purpose on the part of the antenna is obviously more than compensated by sheer awesome. The only thing that’d make it better is if he set the laptop on the roof of the cab, stood in the bed, and got a friend to drive.

  2. The real question is can he ping the phone.

    With WiFi, a huge antenna doesn’t mean it can reliably talk to devices super far away. I assume the same thing applies here.

    Regardless, it’s a great ghetto hack. I have the same adapter in a drawer somewhere…

  3. There is really no range problem with Bluetooth, assuming you are using the appropriate hardware. Using the AIRcable Host XR with 9 dBi antenna, I can detect Bluetooth devices at better than 250 meters, and with a directional antenna I can target individual devices all the way out to ~360 meters. When scanning at public places like malls, I pick up a couple hundred devices per hour.

    With a pair of directional antennas (rather than trying to focus on the wimpy antenna inside of a cell phone), ranges of multiple miles are no problem. Truth be told, 100 feet is a rather miserable result. A Class 1 Bluetooth device should be able to do nearly 300 feet without any special antennas.

    Though like the other commenters, I guess the biggest surprise for me on this one is that it worked at all.

  4. Apparently the theoretical optimal antenna lengths are full wave, half wave, and quarter wave. So that’s 12.5 cm, 6.25 cm and 3.125 cm respectively.

    But I’m not sure if (for receiving) multiples of full wavelengths are better or not.

  5. @Jordan, both WiFi and Bluetooth require a somewhat stable signal before an SSID or device name is visible. Chances are if he can pick up devices that don’t have names, which come up as gobbledegook, then you can get a ping through.

    The real question is can you ping through with a large packet, and that waits to be seen, however even if you can’t send a large packet it’s not the end of the world either.

    I can send a 65500 byte ping to a local device on the network but I can’t get one that size to google, this doesn’t mean that my link to Google is broken, it works just fine.

  6. I think the unshielded pigtail and alligator clip are probably closer to the 12cm full wave than the trace antenna, which might have a low range as an intentional design element.

  7. Honestly, what he did is a worst-case scenario by any RF engineering standard; this shows that the internal antenna was deliberately crippled. It’s shocking how the manufacturer managed to cripple it beyond the worst-case scenario.

  8. Could this be used to spam people? Perhaps name your bluetooth dongle “spamsite.com”? Would the devices that are in discoverable mode be prompted if they would like to pair with “spamsite.com”. If you can prompt a couple hundred devices per hour, this is a pretty effective way to advertise locally. Probably doesn’t work this way though. Oh well.

  9. Bluetooth proximity marketing is a growing market, especially in Europe. It works more or less as you say: a computer is set up to attempt to connect to as many discoverable Bluetooth devices as it can find.

    In some cases it could be just to get the device name out there (as in the case of a URL), but there are a great many phones out there that will actually accept images and audio files from non-paired devices, so it’s possible to push those out for marketing purposes as well.

  10. I was about to blast the whole idea, as we’re dealing with microwave frequencies using inappropriate techniques from 1940’s HF radio, but I seem to be the only one concerned, so screw it.

    Congrats on the luck.
    I see nothing here that says skill.

  11. OK. I’ve spent some time now making antennas for a hobby. A CB antenna will not work effectively for Bluetooth. Bluetooth works on the 2.4 GHz band. Way different than a 26-27 MHz CB antenna. Really he should have used a high gain WiFi antenna.

    Also, playing with 2.4 GHz is not a great idea. 2.4 GHz is very close to the frequency that a microwave oven uses.

  12. Also keep in mind that a Bluetooth device is an unlicensed device that falls under FCC Part 15 guidelines. By doing this modification you may be violating those guidelines. Not to mention that wardriving is against the 2001 DSP Act.

  13. Aaaaaand that’s why my bluetooth is always off on the phone when I’m not actually transferring files. Not so much because of “bluesnipers” – but marketers? Never!

  14. @strdier_mt2k:

    What luck? He set out to see if something worked and succeeded. Microwave frequencies true, transmitted power is still super tiny, so I don’t see your problem.

    What are you referring to as skill? It isn’t always about knowing what you are doing as it is about trying different things and seeing what kind of outcome you will have. Some of the world’s greatest inventions were discovered by people that had no idea what they were doing, just a little imagination and the time to try things out.

    I think that you’re just jealous…

  15. April fools? I mean you can extend the range – but with an alligator clip and a freaking CB antenna? (that has a filter to weed out stuff outside the very low CB band)
    I call BS.

  16. Here’s how it went in my mind… “Once strider_mt2k clicked submit on his post, he went back to his lab table to once again admire his creation. He muttered, ‘Some hack gets lucky connecting Bluetooth to a CB antenna, that’s not skill. I’ve spent hundreds of hours on my microwave research and sent thousands of ideas to Hackaday only to be passed up for some lucky hack. They shall all recognize my skill when I reveal the 1940’s HF Radio Microwave Obliteratorinator and unleash its power upon the entire tristate area!!! Bwahaha!!!’”

  17. I want to do this sort of thing with my nano-wireless-N thingamajig ( http://www.edimax.com/en/produce_detail.php?pd_id=347&pl1_id=1&pl2_id=44 ), which has the little wavy metal strip for the antenna. Did he seriously just solder the strip to a wire, or break the strip in half, soldering one wire to each end? Because I only see one wire here, plus I wouldn’t want to do it that way, because I already pick up Bluetooth at the tested distance with the internal antenna.

  18. Could not help myself but join this thread – aside from the hack itself, some of the responses are borderline useful (giving a good hint but then stopping short and not giving away any knowledge), some are beyond the borderline, misleading or even wrong.

    Some people have hinted the wave length vs. antenna length, some have even mentioned SWR without elaborating any further.

    Then there was comparison of “pinging” over “bluetooth + alligator” vs. pinging Google.

    So, to add to this mish-mash, and hopefully motivate those that know more to tell us more, just some random comments from me.

    1) Antenna length vs. wave length vs. impedance vs. SWR vs. destroying your device:

    Google is your friend. There are many web sites that can help you with above, see this one for example:
    http://www.antenna-theory.com/antennas/dipole.php

    What’s relevant for this discussion is how the “impedance” of your antenna changes with the antenna’s relative size (compared to the wave length of your signal). Impedance is low (relative term) for 0.5 wave length, 1.5, 2.5, … and very high for 1, 2, 3, …

    Why would one care? Good question. That leads me to SWR (Standing Wave Radio). Do some googling for more, but in a word or two, it’s how much of the energy one sends to the load (antenna) “returns” back to the transmitter, because those two do not have matched impedances. The best case is equal impedances on both sides.

    How does it affect this hack – less on the receiving, more on the transmitting side. Again, oversimplified, but when you have a receiver, you don’t care that much about SWR as you are using “voltage”, not “wattage” – receiver needs electrical signal induced in the wire (“volts”), while you want transmitter to send as much energy as possible (volts and amperes = watts).

    A receiver usually has a very high impedance in order to “preserve” as much of the signal the antenna “collects”, and does not care about the reflected (lost) power.

    On the other side, the transmitter’s role is to push out as much power as possible, and all the power that reflects back (remember SWR) dissipates in (heats) the power transistor. There are some other unwanted effects, but as this is an oversimplification, let’s say that in some cases high SWR actually CAN damage (destroy) your device.

    So, if you are experimenting with your receiver, to some extent, longer is better. If you are pushing out some power, keep in mind that you actually can make some harm.

    Now “ping” vs. “ping”.

    As I see it, the original question was “can you actually ping remote phone”, as in “can you transmit anything useful and that actually gets to the other side?” (power, signal strength, transmission errors, ….), but somehow that got transposed to being able to do 64k ping (ICMP) packets on the local network vs. over the Internet (Google).

    Other than the fact that those two “pings” mean different things, use different protocols, and do different “functionality”, there might be some merit in the comparison (well, not quite, but bear with me) – many network and application protocols are able to adapt the packet size – large packets are “faster” (less overhead) but require an ideal transmission channel; small packets are more appropriate for crappy networks.

    In other words, if BT’s “ping” can manage all the functionality with small packets, the negative effects (retries) of transmission errors can be overcome without timing out (abandoning) the attempt. Like “you can ICMP ping with a small packet if you can’t with a long one”, but the analogy ends there :)

    Back to my boring conf call, sorry for this long rant :)

  19. @HamOper
    Wardriving in its original definition is not illegal. http://www.renderlab.net/projects/wardrive/ethics.html Now FOX news or CNN would probably like you to believe differently, but that’s just for their own gain. They also say all hackers are evil…. I’ve been an active wardriver since early 2001, and have never connected to any of the 52,000 networks I’ve discovered. It would be pretty hard for a wifi adapter in monitor mode to connect, and I’m usually going by too fast to connect anyway. Until recently, monitor mode for bluetooth wasn’t possible, and it still requires specialized hardware. So “wardriving” with this bluetooth adapter won’t work with the stated guidelines, since you need to “knock” for the device to respond. Most, I’d say 95%, of the bluetooth devices out there don’t talk unless they’re actively being used, or are in pairing mode. With that said, it is kinda fun to drive around town with a bluetooth discovery tool running and seeing how many cars are looking for something to pair with.
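What the rig (and the proximity-marketing gear described in earlier comments) actually picks up is any adapter left in discoverable mode, i.e. one that answers the inquiry “knock”. The defender-side check below is an added example, not code from the post or any commenter: it parses the output of BlueZ’s `hciconfig`, where the `ISCAN` flag means inquiry scan (discoverable) is on and `PSCAN` means page scan (connectable) is on, and reports which local adapters would show up to a scanner. The sample output, its placeholder BD addresses and the function names are constructed for this example.

```python
import re
import subprocess

# Constructed sample of `hciconfig` output (BlueZ): two adapters, one of which
# was left discoverable. The BD addresses are placeholders, not real devices.
SAMPLE_HCICONFIG = """\
hci0:\tType: Primary  Bus: USB
\tBD Address: 00:00:00:00:00:01  ACL MTU: 310:10  SCO MTU: 64:8
\tUP RUNNING PSCAN ISCAN
\tRX bytes:1234 acl:0 sco:0 events:51 errors:0
\tTX bytes:2345 acl:0 sco:0 commands:51 errors:0

hci1:\tType: Primary  Bus: USB
\tBD Address: 00:00:00:00:00:02  ACL MTU: 310:10  SCO MTU: 64:8
\tUP RUNNING PSCAN
\tRX bytes:100 acl:0 sco:0 events:10 errors:0
\tTX bytes:200 acl:0 sco:0 commands:10 errors:0
"""

ADAPTER_RE = re.compile(r"^(hci\d+):", re.M)


def parse_hciconfig(text):
    """Return {adapter_name: set_of_flags} from hciconfig output.

    The flags line is the one made only of upper-case tokens
    (e.g. "UP RUNNING PSCAN ISCAN"); every other line contains lower-case text.
    """
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = set()
            continue
        tokens = line.split()
        if current and tokens and all(tok.isupper() for tok in tokens):
            adapters[current].update(tokens)
    return adapters


def discoverable_adapters(text):
    """Adapters with inquiry scan enabled: these answer discovery requests."""
    return sorted(name for name, flags in parse_hciconfig(text).items()
                  if "ISCAN" in flags)


def remediation_commands(adapters):
    """`hciconfig hciN pscan` keeps the adapter connectable (page scan only)
    but stops it answering inquiries; `bluetoothctl discoverable off` is the
    equivalent on newer BlueZ stacks."""
    return [f"hciconfig {name} pscan" for name in adapters]


def live_check():
    """Run the real hciconfig if it is installed; returns [] when it is not."""
    try:
        proc = subprocess.run(["hciconfig"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return []
    return discoverable_adapters(proc.stdout)


if __name__ == "__main__":
    found = discoverable_adapters(SAMPLE_HCICONFIG)
    print("discoverable adapters:", found)
    for cmd in remediation_commands(found):
        print("fix:", cmd)
```

Run it as-is to see the parser work on the constructed sample; call `live_check()` on a Linux box with BlueZ to audit the real adapters. Leaving inquiry scan off is exactly the mitigation comment 13 arrives at by hand: a phone that is connectable but not discoverable does not appear in a parking-lot scan like the one in the post.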

  20. Viewed from an RF standpoint, his CB antenna is not even connected to the Bluetooth radio: he doesn’t connect the ground, and the 50 ohm TV cable looks like a short circuit at 2.4 GHz. What is really happening is that the shielding of the coax cable acts like ferrite rings, blocking any signal going to the antenna. So the cable before the alligator clip becomes the antenna itself; this short piece of wire is much closer to the wavelength. So he did get lucky.

  21. @therian I briefly thought roughly the same, but then realized it’s just one of those BS youtubes and we don’t have to think about how it could conceivably work since it’s 99.9% likely it’s just a hoax and not even some dumb success in the way you describe.

  22. …perhaps none of strider_mt2k’s hacks have been featured on HaD because hacks such as his/her 1940’s HF Radio Microwave Obliteratorinator are not the sort of hacks you ever see on Hackaday, since Hackaday never features such simple/easily doable hacks such as: how to hack into anyone’s garage door opener, how to hack anyone’s car key fob, and how to hack their car to run without their keys… because Hackaday doesn’t promote this nefarious sort of hack. Perhaps none of my hacks have been featured because they aren’t well documented because I’m just too lazy, or I never submitted them in the first place.

  23. But I really would like to see a guide to proper extension of crippled internal antennae on 2.4 GHz devices, before I clip out the original squiggly antenna and solder a coax cable to the severed ends so I can improve my range with a REAL antenna.

  24. As stated by some others already, as with 802.11b/g, BT uses the 2.400-2.483 GHz ISM band. This obviously means that you can use the same antenna and amplifier hardware.

    I took this concept to the extreme a few years back using modified Linksys USBBT100 radios and an 802.11 amplifier + 24 dBi parabolic antenna. I’ve uploaded a basic summary and pictures here:

    http://sapia.com.au/pub/bt/

  25. @HamOper: “Also playing with 2.4Ghz is not a great idea. 2.4Ghz is very close to the frequency that a microwave oven uses.”

    Are you suggesting that Bluetooth radiation must be dangerous because if it was 100,000 times more powerful it would heat food?

    The same is true of basically any electrical or radio technology. Ignoring the power level is not a great way to make safety decisions.

  26. @Miroslav

    Nice job on your informative post. However, there are a few factual issues. A receiver is not, at the antenna terminals, high impedance. The reason for this is that at every impedance mis-match energy is reflected. Therefore, a 50 ohm antenna system will be less efficient when connected to a high-impedance receiver because energy collected at the antenna would be reflected away from the receiver. That said, it is possible to use an impedance transformer within the receiver.

    It is also not necessarily true that the impedance of an antenna at 1 wavelength is more than the impedance of an antenna of 1/2 wavelength. It is possible to create 50 ohm antennas of 0.25, 0.5, 0.875, 1 wavelengths, etc.

    All the discussion is very interesting. Something that I have to emphasize is that RF is very complex. Theory is far less complete than anyone would probably like to admit. As much as we “know” about it really only applies when all the rules are followed. You really only know how something is going to behave when you try it. I would love to attach an SWR meter to the system and see what it says. I’d like even more to use a vector network analyzer. It’s likely that this antenna system is acting more like a grounded loop. It’s possible that the large antenna is acting more like a “virtual ground” and the bluetooth is acting more like a resonant system relative to that virtual ground.

  27. @hpux735

    I can’t say that I disagree with your statement, just that my point was that, as a rule of thumb, high SWR can sometimes REALLY hurt your transmitter, but not a receiver.

    On the receiver side, I have seen devices that were acting as a receiver only (not a transceiver), were getting fed from a full lambda antenna with very high impedance, and had high impedance themselves.

    In transceivers, it’s usually not the case, as the antenna is expected to be 50 (75) ohm, so the RX gets matched to it as well.

    High SWR with the RX (as I see it) has more problems with reflections caused by SWR than with inefficient energy transfer – I don’t really think getting all the uW is that important, but “seeing” all the uV is. Disregarding reflections (let’s say in the lower ham bands), a high impedance receiver will “pick up” twice the signal (in volts) than the one ideally matched with a 50 ohm antenna.

    In regards to 50 ohm from 1 lambda, not sure how you would get it “directly” – transformers/baluns are another story, probably leaving the boundaries of this hack :)
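To put numbers on the impedance and SWR reasoning in comment 18 and on the “twice the signal in volts” receiver claim in comment 27, here is an added Python example (it is not from the post or any commenter). It uses the textbook definitions Gamma = (ZL - Z0)/(ZL + Z0) and SWR = (1 + |Gamma|)/(1 - |Gamma|) against a 50 ohm reference, and models the receiving antenna as a 50 ohm Thevenin source; the function names and that source model are assumptions of this example.

```python
import math

C = 299_792_458.0   # speed of light, m/s
Z0 = 50.0           # reference impedance of antenna/feedline, ohms (assumed)


def wavelength_m(freq_hz):
    """Free-space wavelength; 2.4 GHz gives about 0.125 m, the 12.5 cm quoted above."""
    return C / freq_hz


def reflection_coefficient(z_load, z0=Z0):
    """Gamma = (ZL - Z0)/(ZL + Z0). Complex loads (reactive antennas) are allowed."""
    return (z_load - z0) / (z_load + z0)


def swr(z_load, z0=Z0):
    """Standing wave ratio (1 + |Gamma|)/(1 - |Gamma|); infinite for an open or short."""
    g = abs(reflection_coefficient(z_load, z0))
    return math.inf if g >= 1.0 else (1.0 + g) / (1.0 - g)


def reflected_power_fraction(z_load, z0=Z0):
    """Share of the forward power that travels back toward the transmitter."""
    return abs(reflection_coefficient(z_load, z0)) ** 2


def reflected_power_w(forward_w, z_load, z0=Z0):
    """Watts returned to the output stage; this is what heats the PA at high SWR."""
    return forward_w * reflected_power_fraction(z_load, z0)


def rx_voltage_gain_vs_matched(z_in, z_source=Z0):
    """Voltage across a receiver input of impedance z_in, fed from an antenna
    modelled as a z_source Thevenin source, relative to the matched case.

    Divider: V = Vs * z_in / (z_source + z_in). Matched gives Vs/2, so a very
    high input impedance tends toward 2x, which is the 'twice the volts' claim.
    """
    return (z_in / (z_source + z_in)) / 0.5


def rx_power_fraction_vs_matched(z_in, z_source=Z0):
    """Power delivered into the receiver input relative to the matched case:
    the high-Z input wins on volts but gives up most of the microwatts."""
    v = z_in / (z_source + z_in)          # with Vs = 1 V
    p = v * v / z_in
    p_matched = 0.25 / z_source           # (Vs/2)^2 / z_source
    return p / p_matched


if __name__ == "__main__":
    print(f"lambda at 2.4 GHz: {wavelength_m(2.4e9) * 100:.2f} cm")
    for z in (50, 100, 25, 50 + 50j, 1000):
        print(f"ZL={z!s:>10}  SWR={swr(z):6.2f}  "
              f"reflected={reflected_power_fraction(z) * 100:5.1f}%  "
              f"RX volts x{rx_voltage_gain_vs_matched(z):.2f}  "
              f"RX power x{rx_power_fraction_vs_matched(z):.3f}")
```

The table the script prints shows the two halves of the argument side by side: for a transmitter, a 1000 ohm load sends most of the forward power straight back into the output stage, while for a receiver the same high impedance roughly doubles the terminal voltage at the cost of nearly all the delivered power.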

  28. @hpux735 actually it’s quite the opposite. RF theory is one of the most fundamentally well modeled phenomena in EE. RF engineers are about the only ones who can go from a simulator to production in one step and get exactly the results they were expecting. The rest of the analog circuit on the other hand you’ll be lucky if you don’t spend more time debugging than designing and simulating :)

  29. @Garbz

    I think we’ll have to agree to disagree. All the books on RF theory I’ve read have been very humble about what’s known and what’s knowable given current knowledge. I will agree that there are amazing tools, NEC, for example, but it’s still only a starting point. It’s still an iterative process. Fractal antennas are a good example. Also, how is RF anything but a strict superset of all analog circuits?

  30. @Garbz when you translate RF to a real analog circuit there will be so many undocumented things that no simulator can produce even close results, unless you limit yourself to very few passive-only components.

  31. He forgot to mention that he first converted his microwave to a time machine by placing a balloon covered with aluminium foil in it, then he used it to get a 24th century CB antenna and that’s what he’s using.
    Hope that solves the confusion :)
