The Hacks of Mr. Robot: How to Hack Bluetooth

Welcome back, my novice hackers!

Episode 6 of Mr. Robot has come and gone and, as usual, it did not disappoint. Once again, our hero, Elliot, has used his extraordinary intellect and hacking skills to awe and inspire us.

In this episode, Elliot is being blackmailed by the ruthless and unrelenting drug dealer, Vera, to hack him out of jail. He is holding Elliot's new love interest, Shayla, hostage and has given Elliot until midnight to hack the jail's computer system in order to release him.

Elliot tries to explain to Vera that such a hack can't be done in a matter of hours; it takes days or weeks to find a security vulnerability that he can exploit. Vera, being the vicious and feeble-minded killer that he is, will not relent and give Elliot more time. As a result, Elliot has to attempt some less-than-optimal techniques to try to hack Vera out of jail to save the lovely Shayla (as you remember, Shayla is also his morphine supplier).

Malicious Flash Drive

In his first attempt to hack the jail, Elliot has Darlene, his friend and nemesis from f/society, "accidentally" drop infected flash drives outside the jail. The strategy here is that if someone inside the jail's network picks one up and inserts it into their computer system, it will inject malware and give Elliot a connection from the outside.

As expected, a dimwitted corrections officer does pick one up and inserts it into his computer. Elliot is able to get an SSH connection to it, but before he is able to do anything, the AV software detects it and disconnects Elliot. Elliot then chides Darlene as a "script-kiddie" for using a well-known malware from Rapid9 (a reference to Metasploit's developer, Rapid7) rather than developing a new exploit, and Darlene defends herself, saying "I only had one hour." (She could have possibly re-encoded it with Veil-Evasion and it might have gone past the AV software undetected.)

Some have questioned whether this approach could work. Before the disabling of the automatic autorun feature on modern operating systems, you could have an EXE file on the flash drive that would automatically execute. On a modern OS, autorun is disabled by default.

We might assume that this machine had the autorun feature enabled or, more likely, Darlene had installed the malware on a flash drive that has been reprogrammed to emulate a USB keyboard. When the flash drive is plugged into the system, the operating system recognizes it as a USB keyboard, giving it access with the rights of the logged-in user, and the drive then injects its malicious code into the operating system. So, this approach may have worked had Darlene re-encoded the malware with Veil-Evasion.
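From the defender's side, the keyboard-emulation trick described above leaves a trace: a USB device registers a keyboard interface that the host never expected. The following is an added example, not code from the original article; it scans Linux kernel log lines and flags any device that shows up as both storage and keyboard, or as a keyboard missing from an approved list. The log lines, vendor/product IDs and the `audit_usb_log` name are constructed for illustration.

```python
import re

# Constructed kernel log lines in dmesg style; IDs and names are made up.
SAMPLE_LOG = """\
[  12.10] usb 1-1: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
[  12.14] hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-1/input0
[ 901.50] usb 1-3: New USB device found, idVendor=2222, idProduct=0002, bcdDevice= 1.00
[ 901.52] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 955.01] usb 1-4: New USB device found, idVendor=3333, idProduct=00ab, bcdDevice= 1.00
[ 955.03] usb-storage 1-4:1.0: USB Mass Storage device detected
[ 955.09] hid-generic 0003:3333:00AB.0002: input,hidraw1: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-4/input1
"""

NEW_DEV = re.compile(r"usb (\d+-[\d.]+): New USB device found, "
                     r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage")
HID_KBD = re.compile(r"hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.[0-9A-F]{4}: "
                     r".*USB HID v[\d.]+ Keyboard")


def audit_usb_log(log_text, approved_keyboards):
    """Return (vid:pid, reason) findings for keyboards that deserve a look."""
    port_ids = {}  # USB port such as "1-4" -> "vid:pid"
    roles = {}     # "vid:pid" -> roles the device registered
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            port_ids[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
        elif m := STORAGE.search(line):
            dev = port_ids.get(m.group(1))
            if dev:
                roles.setdefault(dev, set()).add("storage")
        elif m := HID_KBD.search(line):
            dev = f"{m.group(1)}:{m.group(2)}".lower()
            roles.setdefault(dev, set()).add("keyboard")
    findings = []
    for dev, seen in sorted(roles.items()):
        if {"storage", "keyboard"} <= seen:
            findings.append((dev, "storage device also registered a keyboard"))
        elif "keyboard" in seen and dev not in approved_keyboards:
            findings.append((dev, "keyboard not on the approved list"))
    return findings


if __name__ == "__main__":
    for dev, reason in audit_usb_log(SAMPLE_LOG, {"1111:0001"}):
        print(dev, reason)
```

Vendor and product IDs are reported by the device itself, so the approved list is a tripwire for unexpected hardware rather than proof of identity.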

Hack WPA2

While Elliot is visiting Vera in jail, he brings his phone with him, on which he has installed a Wi-Fi scanner app. With that scanner, he can see all the Wireless APs and sees that they are all secured with WPA2. Although he knows he can crack WPA2, he recognizes that the short time frame he is working with is inadequate to brute-force WPA2.

In the process of scanning wireless hotspots and encryption technologies with his phone, Elliot sees a Bluetooth connection when a corrections officer's car drives up near him.

That spurs Elliot into a new strategy, namely, hack the Bluetooth and enter the prison's computer system via the cop car's dedicated cellular connection to the prison!

Hacking a Bluetooth Keyboard

Elliot's strategy here is to spoof the cop car's Bluetooth connection to his keyboard. If he can make the laptop believe that his keyboard is actually the cop's keyboard, he can control the cop's laptop and get inside the prison's network. Once inside the network, he can upload malware to take control of the prison's digitally-controlled systems.

Step 1: Enable Bluetooth

Before Elliot can do anything, he needs to enable Bluetooth on his Linux hacking system by starting the bluetooth service:

kali > service bluetooth start

Next, he needs to activate the Bluetooth device:

kali > hciconfig hci0 up

Then he checks to see if it is actually working, as well as its properties, by typing:

kali > hciconfig hci0

Please note the "BD Address" in the second line; this is the MAC address of the Bluetooth device.

Step 2: Scan for Bluetooth Devices

The first thing Elliot does in this hack is to scan for Bluetooth connections. If you look closely at Elliot's screen, you can see that he is using hcitool, a built-in Bluetooth configuration tool in Kali Linux. Although this works, I have had better success with btscanner, a built-in Bluetooth scanner with a rudimentary GUI. To use it, simply type:

kali > btscanner

Then select "i" to initiate an inquiry scan. You can see the results below.

Using btscanner, we can get a list of all the Bluetooth devices in range. This one here has a MAC address and a name of "Tyler"—to spoof this device, we must spoof the MAC address and name of the device.

This is how Elliot gets the MAC address and name of the Bluetooth device in the cop's car. Remember that Bluetooth is a low-power protocol with a range of just about 10 meters (although with a directional antenna, distances as much as 100 meters have been achieved).

Step 3: Spoof the MAC Address of the Keyboard

Now that Elliot has the name and MAC address of the cop's keyboard, he will need to spoof it by cloning the cop's keyboard with this info. Kali Linux has a tool designed to spoof Bluetooth devices called spooftooph. We can use it to spoof the keyboard with a command similar to this:

kali > spooftooph -i hci0 -a A0:02:DC:11:4F:85 -n Car537

  • -i designates the device, in this case hci0
  • -a designates the MAC address we want to spoof
  • -n designates the name of the device we want to spoof, in this case "Car537"

If we do it right, our Bluetooth device will spoof the MAC address and name of the cop's computer-Bluetooth device.

To check whether we were successful, we can use hciconfig followed by the device and the switch "name", which will list the name of the device. Remember, this is our own Bluetooth device, which we are trying to make emulate the cop car's Bluetooth device. If we are successful, it will have the same MAC address and name as the cop's Bluetooth device.

kali > hciconfig hci0 name

Now, we have a Bluetooth device that is a perfect clone of the cop car's Bluetooth keyboard!

Step 4: Link Bluetooth Device to the Cop's Laptop

Now, here is where reality and the Mr. Robot storyline diverge. Mr. Robot's hacking is very realistic, but even in this show, the director takes some literary license. That's allowed; creative works should not be limited by reality.

For Elliot to now connect to the cop car's laptop, he would need the link-key (this is a key to identify the previously-paired Bluetooth device) that was exchanged between the keyboard and the Bluetooth adapter on the laptop.

He could guess it (unlikely) or crack it, but it won't be as fast as it appeared in the show. Another possibility is that when the system rebooted or the keyboard was disconnected, Elliot could connect to the laptop as it is a clone of the cop's keyboard. In either case, it would take more time than Elliot had in this episode to hack the cop's Bluetooth keyboard.
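The stored link key is what a clone of the name and MAC address lacks, so how that key was created matters to the owner of the laptop. The following is an added example, not from the original article: an audit that reads pairing records and reports devices whose link key came from legacy PIN pairing, a debug key, or unauthenticated pairing. It assumes the BlueZ 5 `info` record layout (a `[LinkKey]` section with `Type` and `PINLength`) and the standard HCI link key type codes; the addresses, names and key bytes are constructed.

```python
import configparser

# HCI link key type codes grouped by how the key was produced.
LEGACY, DEBUG, UNAUTHENTICATED = {0, 1, 2}, {3}, {4, 7}


def make_record(name, key_type, pin_len):
    """Build a constructed pairing record; the key is a dummy value."""
    return (f"[General]\nName={name}\n\n[LinkKey]\n"
            f"Key={'00' * 16}\nType={key_type}\nPINLength={pin_len}\n")


# Constructed sample: address -> record text. All values are made up.
SAMPLE_RECORDS = {
    "AA:BB:CC:00:00:01": make_record("Car Keyboard", 0, 4),
    "AA:BB:CC:00:00:02": make_record("Headset", 5, 0),
    "AA:BB:CC:00:00:03": make_record("Mouse", 4, 0),
    "AA:BB:CC:00:00:04": "[General]\nName=Seen But Never Paired\n",
}


def audit_link_keys(records):
    """Map device address -> reason its stored link key is weak."""
    findings = {}
    for addr, text in records.items():
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string(text)
        if not cfg.has_section("LinkKey"):
            continue  # no stored link key for this device
        key_type = cfg.getint("LinkKey", "Type")
        if key_type in LEGACY:
            pin_len = cfg.getint("LinkKey", "PINLength", fallback=0)
            findings[addr] = f"legacy PIN pairing (PIN length {pin_len})"
        elif key_type in DEBUG:
            findings[addr] = "debug link key"
        elif key_type in UNAUTHENTICATED:
            findings[addr] = "unauthenticated pairing (no MITM protection)"
    return findings


if __name__ == "__main__":
    for addr, reason in audit_link_keys(SAMPLE_RECORDS).items():
        print(addr, reason)
```

Devices reported here are candidates for removal and re-pairing with an authenticated method, or for replacement if they only support PIN pairing.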

Step 5: Hack the Prison

In the final step, Elliot uses the cop's hacked computer to upload malware via FTP that will give him control of the prison cell doors. Few people realize that prisons and other industrial systems, often referred to as SCADA, are very hackable.

The Stuxnet hack of Iran's uranium enrichment facility was very similar to this. These industrial systems have PLCs that are basically digital controllers. Presumably, this prison had PLCs controlling the prison cell doors (a very reasonable assumption) and Elliot's malware infected them and gave him control, enabling him to open all the cells, releasing Vera and all the other prisoners.

Don't miss my series on hacking Bluetooth, and make sure to check out my other Mr. Robot's hacks to see more of what Elliot has accomplished. Keep coming back for more, my novice hackers!

45 Comments

This is actually a fun and awesome way to learn, isn't it??!!

Nicely done !! ;))

Veil Evasion was the first thing I thought after it was detected. I thought Darlene would know about it, she's an exploit developer!

For this hack, is any special equipment necessary? Or will a regular USB antenna do?

You just need Bluetooth on your machine. In the show, Elliot uses a special Bluetooth dongle that can connect like a keyboard to mobile devices such as phones and tablets but not laptops, so it's a bit unreal.

How quickly could the link-key be bruteforced? If I recall correctly there are only 9999 possibilities. Is it possible to capture the encrypted key and crack it later?

Excellent!

Assuming it is a 4 digit code, there are 10^4 possible link-keys.

Can it be letters as well?

This is very interesting! I was wondering how he did it with Bluetooth. Is it possible to use a DoS attack on a Bluetooth device to disconnect it, instead of waiting for the device to be disconnected by the user to get this important link-key? It would make the entire process much faster. Also you said that one of the computers must have had autorun enabled for this hack to work, but didn't you forget about Bad USB? They could make the flash drives install malware for them, and the victim's system and its configuration wouldn't even matter. Tell me if I'm wrong. Great article as always.

BadUSB uses autorun, and by disconnect you mean something like aireplay deauth? I don't think so, because the device is physically connected, unlike in Wi-Fi.

It is possible. You can use a tool called bluemaho. Unfortunately there are not many devices vulnerable to bluetooth, and when I run an exploit, I get an error of missing files.

I'm starting to think OTW is a persona of Elliot's split personality. The hack is explained exceptionally well.

Maybe I'm just losing my mind because I'm running out of Suboxone?

This is awesome. I have been looking for this for quite some time... Thanks

Can anyone tell me what operating system he used...? Is it Kali or GNOME or something else entirely...?

The cop didn't notice because he was distracted by Darlene.

Just a thought about the USB's disabled autorun feature: there is software available to tweak certain flash drives' firmware to make them read as a CD/DVD. Since autorun should still be enabled for optical disks, that could be used to manually execute malware.

Autorun is often disabled for CD/DVD as well and some new laptops don't even come with CD/DVD capability.

The keyboard emulation solution is probably the best available right now.

Do you plan on writing a how-to on this? I looked at BadUSB but the directions aren't the most clear.

You still haven't written about it? I am disappointed.

How did Elliot see the guys' devices that were holding him in his apartment? He did it with his phone and then hacked them. Would it be possible to do hacks with a jailbroken iPhone?

He probably used bluesnarf.

Hello there,

In step 4 when you mentioned the "link key", could you explain how to obtain this key? And assuming we have it, how do we make the keyboard believe it's the device we are on?

Abbas:

I'll be starting a series on "bluetooth hacking" soon, so keep coming back and you will learn all the ins and outs of bluetooth hacking.

OTW

~#hciconfig hci0 up
Can't get device info: No such device
what to do?

Do you have a bluetooth adapter on that system?

OTW:
I keep getting a "Can't init device hci0: Invalid request code (56)". How can I fix this?

Do you have a bluetooth device on the kali system?

Yes sir, I do. It recognizes I have it but won't let me enable it.

OTW:
I am a HUGE fan of all of your wonderhowto tutorials - thank you.
I have learnt so much.

My question is how you would chain computers to DDoS a server. I WILL NOT be using this for unethical purposes, as I want to try to take down my own personal home server. Thanks again

Keep up the brilliant work!

--Axiomatic

My laptop has built-in Bluetooth and Wi-Fi adapters, but on Kali it doesn't work. So for Wi-Fi I am using an external Wi-Fi USB adapter. For Bluetooth, do I also need an external adapter?

Is it possible to use the same Wi-Fi adapter for Bluetooth?

No, they use different signals.

Yes, they use different adapters and signals as Saif says. It may be that your bluetooth adapter is not Linux compatible. Most are not.

Does anyone know the name of the Wi-Fi scan app he used which is similar to airodump? Great tutorial btw

There are numerous wifi scanning apps. I use "wifi scanner".

He used wifite. It's an automated tool in Kali, very useful when cracking Wi-Fi, very easy to use.

Elliot has Kali NetHunter on this cellphone, so he can use airodump too, but like the other guy here said, he used Wifite...

Wow that's a late reply...

Btw, did you guys notice he has 3 phones?

Yes, you are correct, my Bluetooth doesn't support Kali.
I want to control the respective Bluetooth device by hacking it. How can I do that, like viewing call logs, calling someone, accessing the files, same as an Android RAT? Is it possible to do such a Bluetooth hack?

And in the previous episode of Mr. Robot, it's shown that Elliot gets into Vera Fernando's brother's phone through a Bluetooth hack and gets all the info.

How to do that??

I am starting a hacking bluetooth series next week where we explore all the ways to hack bluetooth.

Start with bluediving!!

I have a question:
How to undo the bluetooth spoofing?
How to use the real hardware address of the bluetooth module again?

Thanks in advance!

When I do hciconfig hci0 up, it shows me this message:
Can't init device hci0: Operation not possible due to RF-kill (132)
