How to Hack Bluetooth, Part 1: Terms, Technologies, & Security

Welcome back, my novice hackers!

This new series on Bluetooth hacking was inspired by a recent episode of Mr. Robot (my favorite TV show). In episode 6, Eliot hacked the bluetooth keyboard of the police office in order to hack the prison and release his nemesis, Vera. This is just one of the many hacks we will explore in the series.

Today, Bluetooth is built into nearly all our gadgets. These include our computers, smartphones, iPods, tablets, speakers, game controllers, and many other devices. In this series, we will be focused on hacking mobile devices, tablets, and phones as they are the most fertile ground for hackers. The ability to hack Bluetooth can lead to the compromise of any information on the device (pictures, emails, text, etc.), control of the device, and the ability to send unwanted info to the device.

Before we start hacking Bluetooth, though, we need to understand the technology, the terms, and the security that is built into Bluetooth, if we want to successfully hack it. In a short article like this, I can't convey an in-depth understanding of Bluetooth, but I do think I can give you a basic knowledge that you can use in subsequent tutorials/hacks.

Bluetooth Basics

Bluetooth is a universal protocol for low power, near field communication operating at 2.4 - 2.485 GHz using spread spectrum, frequency hopping at 1,600 hops per second (this frequency hopping is a security measure). It was developed in 1994 by Ericsson Corp. of Sweden and named after the 10th century Danish (Sweden and Denmark were a single country in the 10th century) King Harald Bluetooth.

The minimum specification for Bluetooth range is 10 meters, but there is no limit to the range that manufacturers may implement in their devices. Many devices have ranges as long as 100 meters. With special antennas, we can extend the range even farther.

When two Bluetooth devices connect, this is referred to as pairing. Nearly any two Bluetooth devices can connect to each other. Any discoverable Bluetooth device transmits the following information:

  • Name
  • Class
  • List of services
  • Technical information

When the two devices pair, they exchange a pre-shared secret or link key. Each stores this link key to identify the other in future pairing.

Every device has a unique 48-bit identifier (a MAC-like address) and usually a manufacturer assigned name.

Here is a diagram of the Bluetooth pairing process. Although much more secure in recent years, it is still vulnerable as we will see in future tutorials in this series.

Bluetooth devices create what is called a piconet or very small net. In a piconet, there is one master and up to seven active slaves. Because Bluetooth uses frequency hopping (frequencies change 1,600 times per second), these devices' communication doesn't interfere with each other as the chances of two devices using the same frequency is very small.

Basic Linux Bluetooth Tools

The Linux implementation of the Bluetooth protocol stack is BlueZ. Most Linux distributions have it installed by default, but if not, you can usually find it in your repository. In our Kali Linux, as you would expect, it is installed by default.

BlueZ has a number of simple tools we can use to manage and eventually hack Bluetooth. These include:

  • hciconfig: This tool operates very similarly to ifconfig in Linux, except that it operates on the Bluetooth devices. As you can see in the screenshot below, I have used it first to bring up the Bluetooth interface (hci0) and second, query the device for its specs.
  • hcitool: This is an inquiry tool. It can provide us with device name, device ID, device class, and device clock.
  • hcidump: This tool enables us to sniff the Bluetooth communication.

Bluetooth Protocol Stack

The Bluetooth protocol stack looks like this.

Bluetooth devices don't need to use all the protocols in the stack (like the TCP/IP stack). The Bluetooth stack is developed to enable use of Bluetooth by a variety of communication applications. Generally, an application will only use one vertical slice of this stack. The Bluetooth protocols layer and their associated protocols are listed below.

  • Bluetooth Core Protocols Baseband: LMP, L2CAP, SDP
  • Cable Replacement Protocol: RFCOMM
  • Telephony Control Protocol: TCS Binary, AT-commands
  • Adopted Protocols: PPP, UDP/TCP/IP, OBEX, WAP, vCard, vCal, IrMC, WAE

In addition to the protocol layers, the Bluetooth specification also defines a host controller interface (HCI). This provides a command interface to the baseband controller, link manager, and access to hardware status and control registers, hence the name of the tools above such as hciconfig, hcidump, and hcitool.

Bluetooth Security

Bluetooth security is based upon a few techniques. First, frequency hopping. Both the master and slave know the frequency hopping algorithm, but the outsider does not. Second, a pre-shared key exchanged at pairing that is used for authentication and encryption (128-bit). There have been three security modes for Bluetooth. These are:

  1. Security Mode 1: No active security.
  2. Security Mode 2: Service level security. Centralized security manager handles authentication, configuration, and authorization. May not be activated by user. No device level security.
  3. Security Mode 3: Device level security. Authentication and encryption based on secret key. Always on. Enforces security for low-level connection.

Bluetooth Hacking Tools in Kali

We have several Bluetooth hacking tools built into Kali that we will be using throughout this series, as well as others that we will need to download and install. We can find the installed Bluetooth tools by going to Applications -> Kali Linux -> Wireless Attacks -> Bluetooth Tools.

There, we will find several tools for attacking Bluetooth. Let's take brief look at each of them.

  • Bluelog: A bluetooth site survey tool. It scans the area to find as many discoverable devices in the area and then logs them to a file.
  • Bluemaho: A GUI-based suite of tools for testing the security of Bluetooth devices.
  • Blueranger: A simple Python script that uses i2cap pings to locate Bluetooth devices and determine their approximate distances.
  • Btscanner: This GUI-based tool scans for discoverable devices within range.
  • Redfang: This tool enables us to find hidden Bluetooth device.
  • Spooftooph: This is a Bluetooth spoofing tool.

Some Bluetooth Attacks

  • Blueprinting: The process of footprinting.
  • Bluesnarfing: This attack takes data from the Bluetooth-enabled device. This can include SMS messages, calendar info, images, the phone book, and chats.
  • Bluebugging: The attacker is able to take control of the target's phone. Bloover was developed as a POC tool for this purpose.
  • Bluejacking: The attacker sends a "business card" (text message) that, if the user allows to be added to their contact list, enables the attacker to continue to send additional messages.
  • Bluesmack: A DoS attack against Bluetooth devices.

Now that we have a basic understanding of Bluetooth terms, technologies, and security, we can begin to explore ways to break and hack Bluetooth. So keep coming back, my novice hackers!

Cover image via Shutterstock

24 Comments

Thank you Sir for this new series. May I ask you why haven't you switched to Kali 2? thanks again!

I think a better question is "Why have you switched to Kali 2? Because it is newer?

Exactly... I like kali 1 better!!.. its personal preference

Why don't you give ParrotSec a try brother?

Because Parrot is bad writed and has a very poooor community

It has borned as alternative to kali but the developer (eclipse) was able (more and more time) to broke a stable debian distro.

In addition he writed a script for anonymouse surfing trought TOR, but this script was bugged and expose the real identity of users ....it's enough ? ahha

No, I haven't yet but the interface is a bit better. I know you notice some flaws in 2.0 and no doubt there are, but for me as a "greenhorn hacker nor do I notice them nor are they a big obstacle. But you know better and I'm sure If I was more experienced those would bother me aswell. Thanks

As always a good article! Does Bluesnarfing only work on security level 1?

Finally a series on Bluetooth hacking. Thanks a lot!

I like kali 2 because of the more familiar gui and the fact that it's rolling release

Ahhh that MR,Robot :D

When I upgrade kali, it would because of metasploit

You can upgrade Metasploit without upgrading Kali. Simply type;

>msfupgrade

Okay. Since msf in Kali 2.0 opens fast due to the latest version of ruby, does that mean I should upgrade ruby as well

It opens fast because Ruby has been upgraded.

Really this web needed this
I Hopping have continue

Sir OTW, could you list the BT adapter you're using for this tutorial?

I have several, but in this article I was using the Panda BT 4.0

Master OTW,
u r my guru in hacking world u r like GURU DRONE for ME. i hope u knw the story of DRONA and EKLAVYA.

i have read all ur post on Linux Basics, many networking posts etc. and i feel very confident in this world,though careful too.

i think bluetooth hacking is lot safe than other type of hacking as there is no threat of network administrator and this tech is less secure till date.overmore ppl are still lot careless abt bluetooth.

the sad part is there are not even a single post neither on null byte nor any other site that explains bluetooth hacking in detail(just meaningless syntaxes)

i am very much glad that u started the first series and curiously waiting for the second which i hope will deal with the hacking in detail.I like that u explain the syntaxes which help me to knw why i use this and that letter instead of something else.

Pls!!!!!!!!!!! bring the second part of this article ASAP ,,, CANT WAIT.PLS!!!!!

Im still a noob but im getting a feedback of "Can't get device info: No such device." Could someone please tell me what I'm missing?

Can you be specific? What are you trying to do?

I type in terminal: "hciconfig hci0 up" and it gave me the ^ output.

I quit parallels and went to the settings for kali linux and turned on automatic sharing for bluetooth devices. Rebooted Linux and typed "hciconfig" in the terminal. it gave me hci0 with its properities. I then typed "hciconfig hci0 up" and gave me "cannot init device hci0: invalid request code (56)"

James:

I'm not sure why that is happening. Are you using Kali 2.0?

Yes, apparently that's what I downloaded. I appreciate your help, it means a lot, but if I figure out a way around it, I'll post on this thread.

Share Your Thoughts

  • Hot
  • Latest