What is Bluetooth?
Bluetooth is a universal protocol for low power, near field communication operating at 2.4 – 2.485 GHz using spread spectrum, frequency hopping at 1,600 hops per second (this frequency hopping is a security measure). It was developed in 1994 by Ericsson Corp. of Sweden and named after the 10th century Danish (Sweden and Denmark were a single country in the 10th century) King Harald Bluetooth.
The minimum specification for Bluetooth range is 10 meters, but there is no limit to the range that manufacturers may implement in their devices. Many devices have ranges as long as 100 meters. With special antennas, we can extend the range even farther.
Bluetooth Hacking refers to the attacks on Bluetooth-based communication. Bluetooth is a popular wireless technology which can be seen on almost every mobile device. Bluetooth Technology is used for short-range communication between devices. Bluetooth operates at 2.4 GHz frequency and can be effective up to 10 meters.
Bluetooth discovery feature enables the devices to be discoverable by another Bluetooth enabled devices. Discovery feature may be enabled for all the time as well as set up to be discoverable for a short period of time.
Tool For Bluetooth Hacking
The Linux implementation of the Bluetooth protocol stack is BlueZ. Most Linux distributions have it installed by default, but if not, you can usually find it in your repository. In our Kali-Linux as you would expect, it is installed by default.
BlueZ has a number of simple tools we can use to manage and eventually hack Bluetooth. These include:
- hciconfig :- This tool operates very similarly to ifconfig in linux, except that it operates on the Bluetooth devices. As you can see in the screenshot below, I have used it first to bring up the Bluetooth interface (hci0) and second, query the device for its specs.
- hcitool :- This is an inquiry tool. It can provide us with device name, device ID, device class, and device clock.
- hcidump :- This tool enables us to sniff the Bluetooth communication.
Bluetooth Hacking Attacks
Bluetooth Hacking – BlueSmacking
BlueSmack is the type of DoS attack for Bluetooth. In BlueSmacking. the target device is overflowed by the random packets. Ping of death is used to launch this Bluetooth attack, by flooding a large number of echo packets causes Dos.
Bluetooth Hacking – BlueBugging
BlueBugging is another type of Bluetooth attack in which an attacker exploits Bluetooth Device to gain access and compromise its security. Basically, BlueBugging is a technique to access the Bluetooth enabled device remotely. The attacker uses this to track victim, access the contact list, messages and other personal information.
Bluetooth Hacking – BlueJacking
BlueJacking is an art to send unsolicited messages to Bluetooth enabled devices. BlueJacking hacker can send messages, images and other files to another Bluetooth device.
BluePrinting is a techique or a method for extracting the information and details about a remote Bluetooth device. This information may be used for exploiting. Information such as firmware information, manufactures information, and device model. etc. can be extracted.
BlueSnarfing is another techique in which attacker theft the information from Bluetooth enabled devices. In BlueSnarfing, attackers exploit the security vulnerabilities of Bluetooth software and access Bluetooth enabled devices and steal information such as contact list, text messages, email, etc.
How to Snoop Bluetooth
Step1 – Enable Your Bluetooth Adapter with hciconfig
If you’re familiar with ifconfig for Wi-Fi cards and adapters, there is another tool that is similar for Bluetooth devices. And it’s called hciconfig.
Now that we know a little bit more about hciconfig, let’s go ahead and press Q to quit. We’ll need to take the Bluetooth device we’ve discovered and bring it up. Just type hciconfig, then the name of the device we found, and up.
Step2 – Scan for Bluetooth Devices with hcitool
Let’s take a look at some of these commands. First, we’ll do a scan. It will use the Bluetooth interface to scan for nearby Bluetooth devices and present their MAC addresses for us to do additional scans, inquiries, or attempt to get the name of the device.
Above, we see an Exploit-Byte Connecter which is connected to a vehicle. That’s pretty interesting. With the MAC address, we can now we can do another command that required us to have a MAC address in the first place. Let’s try getting the name of the device:
Step3 – Scan for Services with sdptool
Quit the man page, and let’s type sdptool then browse, followed by the MAC address we captured.
Here, we can see a little bit more information about the communications, the protocols, and perhaps we could even start to discover whether or not there’s a vulnerability in the device or if we’re able to communicate with it directly. We can maybe even find whether it’s using MAC address randomization or something like that.
Step4 – Ping Bluetooth Devices with l2ping
We don’t need to do anything fancy here, just ping the Bluetooth device as so:
This indicates that the device is within range and reachable.
Step5 – Scan for Bluetooth Devices with btscanner
You can see there’s not much to btscanner, and that’s because it’s a GUI tool, so all of the magic happens after running the tool, so let’s do that now:
The interface might look kind of similar to people who are familiar with the Kismet interface, which kind of allows us to do a lot of stuff in the command-line format with a GUI type of feel. It’s beneficial and cool because it means that by typing i, we can start doing an inquiry scan and find nearby Bluetooth devices, and it could allow us to connect or set a command or something like that.
We found a device, and it’s the same Bluetooth device we saw before, and I’m sure that we’ll be able to find some other devices as they roll in. For now, we can go ahead and press Enter to learn about the device.
Here, we can see the name of the device when it’s first seen, the owner, which is interesting, and then some more information about the various features that are being advertised.
How to Safe from Bluetooth Hacking
- Keep Checking Paired devices list.
- Keep your Bluetooth device Non-discoverable
- Don’t accept unknown or suspect-able requests.
- When idle, Keep you Bluetooth disabled.