How to Hack Bluetooth, Part 1: Terms, Technologies, & Security
Welcome back, my novice hackers!
This new series on Bluetooth hacking was inspired by a recent episode of Mr. Robot (my favorite TV show). In episode 6, Eliot hacked the bluetooth keyboard of the police office in order to hack the prison and release his nemesis, Vera. This is just one of the many hacks we will explore in the series.
Today, Bluetooth is built into nearly all our gadgets. These include our computers, smartphones, iPods, tablets, speakers, game controllers, and many other devices. In this series, we will be focused on hacking mobile devices, tablets, and phones as they are the most fertile ground for hackers. The ability to hack Bluetooth can lead to the compromise of any information on the device (pictures, emails, text, etc.), control of the device, and the ability to send unwanted info to the device.
Before we start hacking Bluetooth, though, we need to understand the technology, the terms, and the security that is built into Bluetooth, if we want to successfully hack it. In a short article like this, I can't convey an in-depth understanding of Bluetooth, but I do think I can give you a basic knowledge that you can use in subsequent tutorials/hacks.
Bluetooth is a universal protocol for low power, near field communication operating at 2.4 - 2.485 GHz using spread spectrum, frequency hopping at 1,600 hops per second (this frequency hopping is a security measure). It was developed in 1994 by Ericsson Corp. of Sweden and named after the 10th century Danish (Sweden and Denmark were a single country in the 10th century) King Harald Bluetooth.
The minimum specification for Bluetooth range is 10 meters, but there is no limit to the range that manufacturers may implement in their devices. Many devices have ranges as long as 100 meters. With special antennas, we can extend the range even farther.
When two Bluetooth devices connect, this is referred to as pairing. Nearly any two Bluetooth devices can connect to each other. Any discoverable Bluetooth device transmits the following information:
- List of services
- Technical information
When the two devices pair, they exchange a pre-shared secret or link key. Each stores this link key to identify the other in future pairing.
Every device has a unique 48-bit identifier (a MAC-like address) and usually a manufacturer assigned name.
Here is a diagram of the Bluetooth pairing process. Although much more secure in recent years, it is still vulnerable as we will see in future tutorials in this series.
Bluetooth devices create what is called a piconet or very small net. In a piconet, there is one master and up to seven active slaves. Because Bluetooth uses frequency hopping (frequencies change 1,600 times per second), these devices' communication doesn't interfere with each other as the chances of two devices using the same frequency is very small.
The Linux implementation of the Bluetooth protocol stack is BlueZ. Most Linux distributions have it installed by default, but if not, you can usually find it in your repository. In our Kali Linux, as you would expect, it is installed by default.
BlueZ has a number of simple tools we can use to manage and eventually hack Bluetooth. These include:
- hciconfig: This tool operates very similarly to ifconfig in Linux, except that it operates on the Bluetooth devices. As you can see in the screenshot below, I have used it first to bring up the Bluetooth interface (hci0) and second, query the device for its specs.
- hcitool: This is an inquiry tool. It can provide us with device name, device ID, device class, and device clock.
- hcidump: This tool enables us to sniff the Bluetooth communication.
The Bluetooth protocol stack looks like this.
Bluetooth devices don't need to use all the protocols in the stack (like the TCP/IP stack). The Bluetooth stack is developed to enable use of Bluetooth by a variety of communication applications. Generally, an application will only use one vertical slice of this stack. The Bluetooth protocols layer and their associated protocols are listed below.
- Bluetooth Core Protocols Baseband: LMP, L2CAP, SDP
- Cable Replacement Protocol: RFCOMM
- Telephony Control Protocol: TCS Binary, AT-commands
- Adopted Protocols: PPP, UDP/TCP/IP, OBEX, WAP, vCard, vCal, IrMC, WAE
In addition to the protocol layers, the Bluetooth specification also defines a host controller interface (HCI). This provides a command interface to the baseband controller, link manager, and access to hardware status and control registers, hence the name of the tools above such as hciconfig, hcidump, and hcitool.
Bluetooth security is based upon a few techniques. First, frequency hopping. Both the master and slave know the frequency hopping algorithm, but the outsider does not. Second, a pre-shared key exchanged at pairing that is used for authentication and encryption (128-bit). There have been three security modes for Bluetooth. These are:
- Security Mode 1: No active security.
- Security Mode 2: Service level security. Centralized security manager handles authentication, configuration, and authorization. May not be activated by user. No device level security.
- Security Mode 3: Device level security. Authentication and encryption based on secret key. Always on. Enforces security for low-level connection.
We have several Bluetooth hacking tools built into Kali that we will be using throughout this series, as well as others that we will need to download and install. We can find the installed Bluetooth tools by going to Applications -> Kali Linux -> Wireless Attacks -> Bluetooth Tools.
There, we will find several tools for attacking Bluetooth. Let's take brief look at each of them.
- Bluelog: A bluetooth site survey tool. It scans the area to find as many discoverable devices in the area and then logs them to a file.
- Bluemaho: A GUI-based suite of tools for testing the security of Bluetooth devices.
- Blueranger: A simple Python script that uses i2cap pings to locate Bluetooth devices and determine their approximate distances.
- Btscanner: This GUI-based tool scans for discoverable devices within range.
- Redfang: This tool enables us to find hidden Bluetooth device.
- Spooftooph: This is a Bluetooth spoofing tool.
- Blueprinting: The process of footprinting.
- Bluesnarfing: This attack takes data from the Bluetooth-enabled device. This can include SMS messages, calendar info, images, the phone book, and chats.
- Bluebugging: The attacker is able to take control of the target's phone. Bloover was developed as a POC tool for this purpose.
- Bluejacking: The attacker sends a "business card" (text message) that, if the user allows to be added to their contact list, enables the attacker to continue to send additional messages.
- Bluesmack: A DoS attack against Bluetooth devices.
Now that we have a basic understanding of Bluetooth terms, technologies, and security, we can begin to explore ways to break and hack Bluetooth. So keep coming back, my novice hackers!