The Hacks of Mr. Robot: How to Hack Bluetooth
Welcome back, my novice hackers!
Episode 6 of Mr. Robot has come and gone and, as usual, it did not disappoint. Once again, our hero, Elliot, has used his extraordinary intellect and hacking skills to awe and inspire us.
In this episode, Elliot is being blackmailed by the ruthless and unrelenting drug dealer, Vera, to hack him out of jail. He is holding Elliot's new love interest, Shayla, hostage and has given Elliot until midnight to hack the jail's computer system in order to release him.
Elliot tries to explain to Vera that such a hack can't be done in a matter of hours, but rather days or weeks to find a security vulnerability that he can exploit. Vera, being the vicious and feeble-minded killer that he is, will not relent to give Elliot more time. As a result, Elliot has to attempt some less-than-optimal techniques to try to hack Vera out of jail to save the lovely Shayla (as you remember, Shayla is also his morphine supplier).
In his first attempt to hack the jail, Elliot has Darlene, his friend and nemesis from f/society, "accidentally" drop infected flash drives outside the jail. The strategy here is that if someone inside the jail's network picks one up and inserts it into their computer system, which will then inject malware and give Elliot a connection on the outside.
As expected, a dimwitted corrections officer does pick one up and inserts it into his computer. Elliot is able to get a SSH connection to it, but before he is able to do anything, the AV software detects it and disconnects Elliot. Elliot then chides Darlene as a "script-kiddie" for using a well-known malware from Rapid9 (a reference to Metasploit's developer, Rapid7) rather than develop a new exploit, and Darlene defends herself saying "I only had one hour." (She could have possibly re-encoded it with Veil-Evasion and it might have gone past the AV software undetected.)
Some have questioned whether this approach could work. Before the disabling of the automatic autorun feature on modern operating systems, you could have an EXE file on the flash drive that would automatically execute. On a modern OS, autorun is disabled by default.
We might assume that this machine had the autorun feature enabled or, more likely, Darlene had installed the malware on a flash drive that has been reprogrammed to emulate a USB keyboard. When the flash drive is installed on the system, the operating system then recognizes the flash drive as a USB keyboard, giving it access with the rights of the logged in user and then injects its malicious code into the operating system. So, this approach may have worked had Darlene re-encoded the malware with Veil-Evasion.
While Elliot is visiting Vera in jail, he brings his phone with him, on which he has installed a Wi-Fi scanner app. With that scanner, he can see all the Wireless APs and sees that they are all secured with WPA2. Although he knows he can crack WPA2, he recognizes that the short time frame he is working with is inadequate to brute-force WPA2.
In the process of scanning wireless hotspots and encryption technologies with his phone, Elliot sees a Bluetooth connection when a corrections officer's car drive ups near him.
That spurs Elliot into a new strategy, namely, hack the Bluetooth and enter the prison's computer system via the cop car's dedicated cellular connection to the prison!
Elliot's strategy here is to spoof the cop car's Bluetooth connection to his keyboard. If he can make the laptop believe that his keyboard is actually the cop's keyboard, he can control the cop's laptop and get inside the prison's network. Once inside the network, he can upload malware to take control of the prison's digitally-controlled systems.
Before Elliot can do anything, he needs to enable Bluetooth on his Linux hacking system by starting the bluetooth service:
kali > service bluetooth start
Next, he needs to activate the Bluetooth device:
kali > hciconfig hci0 up
Then he checks to see if it is actually working, as well as its properties, by typing:
kali > hciconfig hci0
Please note the "BD Address" in second line—this is the MAC address of the Bluetooth device.
The first thing Elliot does in this hack is to scan for Bluetooth connections. If you look closely at Elliot's screen, you can see that he is using hcitool, a built-in Bluetooth configuration tool in Kali Linux. Although this works, I have had better success with btscanner, a built-in Bluetooth scanner with a rudimentary GUI. To use it, simple type:
kali > btscanner
Then select "i" to initiate an inquiry scan. You can see the results below.
Using btscanner, we can get a list of all the Bluetooth devices in range. This one here has a MAC address and a name of "Tyler"—to spoof this device, we must spoof the MAC address and name of the device.
This is how Elliot gets the MAC address and name of the Bluetooth device in the cop's car. Remember that Bluetooth is a low-power protocol with a range of just about 10 meters (although with a directional antenna, distances as much as 100 meters have been achieved).
Now that Elliot has the name and MAC address of the cop's keyboard, he will need to spoof it by cloning the cop's keyboard with this info. Kali Linux has a tool designed to spoof Bluetooth devices called spooftooph. We can use it to spoof the keyboard with a command similar to this:
kali > spooftooph -i hci0 -a A0:02:DC:11:4F:85 -n Car537
- -i designates the device, in this case hci0
- -a designates the MAC address we want to spoof
- -n designates the name of the device we want to spoof, in this case "Car537"
If we do it right, our Bluetooth device will spoof the MAC address and name of the cop's computer-Bluetooth device.
To check to see whether we were successful, we can use hciconfig followed by the device and the switch "name" that will list the name of the device. Remember, this is our Bluetooth device that we are trying emulate with the cop car's Bluetooth device. If we are successful, it will have the same MAC address and name of the cop's Bluetooth device.
kali > hciconfig hci0 name
Now, we have a Bluetooth device that is a perfect clone of the cop car's Bluetooth keyboard!
Now, here is where reality and the Mr. Robotstoryline diverge. Mr. Robot's hacking is very realistic, but even in this show, the director takes some literary license. That's allowed—creative works should be not limited by reality.
For Eliot to now connect to the cop car's laptop, he would need the link-key (this is a key to identify the previously-paired Bluetooth device) that was exchanged between the keyboard and the Bluetooth adapter on the laptop.
He could guess it (unlikely) or crack it, but it won't be as fast as it appeared in the show. Another possibility is that when the system rebooted or the keyboard was disconnected, Elliot could connect to the laptop as it is a clone of the cop's keyboard. In either case, it would take more time than Elliot had in this episode to hack the cop's Bluetooth keyboard.
In the final step, Elliot uses the cop's hacked computer to upload malware via FTP that will give him control of the prison cell doors. Few people realize that prisons and other industrial systems, often referred to as SCADA, are very hackable.
The Stuxnet hack of Iran's uranium enrichment facility was very similar to this. These industrial system have PLCs that are basically digital controllers. Presumably, this prison had PLCs controlling the prison cell doors (a very reasonable assumption) and Elliot's malware infected them and gave him control, enabling him to open all the cells, releasing Vera and all the other prisoners.