It works by reconstructing the PIN and link key with data sniffed during a pairing exchange.
The calculated PIN can then be used to authenticate against a device in pairing mode. During a normal Bluetooth pairing process, the two devices involved establish a relationship by creating a shared secret known as a link key. If you gain access to the link key, almost everything is possible!
You can passively decrypt the traffic between the two devices, or connect to the slave device pretending to be the master, or connect to the master pretending to be one of its slaves, and have full access either way. Even better, you could just pair with a Bluetooth-capable machine and have a remote encrypted stealth channel to that machine!
What's more, BTCrack also supports Field-Programmable Gate Array (FPGA) acceleration. This makes it a bit faster than its previous versions. BTCrack was actually demoed and released at Hack.lu 2007 and 23C3 in Berlin, so yes, it has been a good 4 years since its inception.
The only problem is that if you want to capture the pairing data, you need a professional Bluetooth analyzer. BTCrack comes in two versions: one for Windows and an open source version for *NIX operating systems. On a normal P4 2 GHz dual-core machine, you can achieve cracking speeds of up to 200,000 keys/sec. If you have an FPGA-compliant device like an FPGA E14, then you can even crack at a speed of about 30,000,000 keys/sec!
Download BTCrack 1.1 (btcrack.zip)
Download the open source Linux port – BTCrack OSS (BTCrack_OSS.tar)