How to Target Bluetooth Devices with Bettercap

May 17, 2019 11:52 PM

An incredible number of devices use Bluetooth or Bluetooth Low Energy to communicate. These devices rarely have their radios switched off, and in some cases, are deliberately used as trackers for lost items. While Bluetooth devices support MAC address randomization, many manufacturers do not use it, allowing us to use tools like Bettercap to scan for and track Bluetooth devices.

What Kind of Devices Use Bluetooth

Nowadays, you might expect devices like laptops and smartphones to use Bluetooth radios. Increasingly, Bluetooth is finding its way into nearly everything, from smart tracking devices to find lost things to smart police holsters that phone home when a weapon is drawn.

One thing these devices have in common is that they can be discovered with Bettercap. How useful that information is usually depends on the device manufacturer, as Bluetooth is a more secure protocol than Wi-Fi if implemented correctly. Fortunately for hackers, many manufacturers choose not to take advantage of security features like MAC address randomization, causing these Bluetooth devices to broadcast the same MAC address everywhere they go.

That makes them easy to track. It also makes it easy to determine what kind of device is behind the Bluetooth radio. While we can see nearby Bluetooth devices that do randomize their MAC address, they will likely appear as many devices periodically transmitting around us at roughly the same signal strength.

Bettercap for Bluetooth

Bettercap is the successor to Ettercap and features attack modules for many different types of radio and network technologies. Today, we'll be focusing on the Bluetooth module, but there is a lot more to Bettercap than just Bluetooth hacking. Bettercap can also hunt down and attack Wi-Fi networks, and by default, will begin enumerating devices on whatever network you are on when you start it. This ability translates well to identifying and scanning Bluetooth devices.

The tool comes with a Bluetooth Low Energy suite that allows us to do much more than look at nearby Bluetooth devices. We can scan for the MAC address of any device in range, and then use that MAC address to connect to the device and get back information about it. Finally, we can write data to the device to try to exploit it, like a tag to track the device over time even if it changes its MAC address.

What We Can Learn

Information is the first element of any attack. To start, we'll need to learn the manufacturer of the device so we can gain knowledge like the default pairing PIN. Once we identify the specific model behind the Bluetooth radio, we can start looking up specific information that could be used to hijack the device over Bluetooth.

When scanning a Bluetooth device, we can learn information we should have no reason to know. We can determine the version of the operating system the target device is running, the name of the device, the manufacturer, and even details like the current battery level. If we learn a device is running old software, it becomes much easier to research vulnerabilities to exploit. The first step is discovering the device and scanning it to learn more about it.

What You'll Need

To follow this guide, I recommend starting with a full Kali Linux installation. Bettercap can be easily installed on several platforms, but Bluetooth won't work on macOS.

Step 1: Install Bettercap

If you have a fully updated and upgraded version of Kali installed, you can run apt install bettercap to install Bettercap and the required dependencies. If you're on another Linux system, you can install Bettercap by running the following commands in a fresh terminal window.

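# Go toolchain plus the build dependencies Bettercap needs (libpcap, libusb, netfilter-queue)
sudo apt install golang git build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
# Fetch the source into the GOPATH
go get github.com/bettercap/bettercap
# go env GOPATH resolves the default (~/go) when $GOPATH is unset
cd "$(go env GOPATH)/src/github.com/bettercap/bettercap"
make build
sudo make install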

Step 2: Start Bettercap

To start Bettercap, you can simply run sudo bettercap in a terminal window.

sudo bettercap
bettercap v2.17 (type 'help' for a list of commands)

192.168.0.0/24 > 192.168.0.37  » [02:19:21] [endpoint.new] endpoint 192.168.0.10 detected as 3c:dc:bc:05:77:d4 (Samsung Electronics Co.,Ltd).
192.168.0.0/24 > 192.168.0.37  » [02:19:22] [endpoint.new] endpoint 192.168.0.3 detected as 50:33:8b:68:2d:73 (Texas Instruments).

As you can see, the network module starts by default and has already begun to detect devices on the same network passively. Pretty cool! If we want to see the most updated list of devices we've identified, we can see it by typing net.show and pressing Enter.

192.168.0.0/24 > 192.168.0.37  » net.show
+--------------+-------------------+---------+-------------------------------+--------+-------+----------+
|     IP ▴     |        MAC        |  Name   |            Vendor             |  Sent  | Recvd |   Seen   |
+--------------+-------------------+---------+-------------------------------+--------+-------+----------+
| 192.168.0.37 | 30:52:cb:6b:76:5f | wlan0   | Liteon Technology Corporation | 0 B    | 0 B   | 02:19:17 |
| 192.168.0.1  | 40:70:09:7a:64:97 | gateway | ARRIS Group, Inc.             | 590 B  | 0 B   | 02:19:18 |
|              |                   |         |                               |        |       |          |
| 192.168.0.3  | 50:33:8b:68:2d:73 |         | Texas Instruments             | 1.8 kB | 0 B   | 02:20:42 |
| 192.168.0.10 | 3c:dc:bc:05:77:d4 |         | Samsung Electronics Co.,Ltd   | 515 B  | 0 B   | 02:20:41 |
| 192.168.0.65 | 00:26:bb:1c:a0:87 |         | Apple, Inc.                   | 1.1 kB | 0 B   | 02:20:40 |
+--------------+-------------------+---------+-------------------------------+--------+-------+----------+

↑ 0 B / ↓ 131 kB / 1078 pkts

To stop discovery, we can run net.recon off.

Step 3: Run the Bluetooth Sniffing Module

Now, let's start the Bluetooth discovery! To start, type ble.recon on and press Enter.

192.168.0.0/24 > 192.168.0.37  » ble.recon on
[02:23:55] [sys.log] [inf] ble.recon initializing device ...
[02:23:55] [sys.log] [inf] ble.recon state changed to PoweredOn
192.168.0.0/24 > 192.168.0.37  » [02:23:55] [sys.log] [inf] ble.recon starting discovery ...
192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] new BLE device detected as 69:B0:77:33:32:B7 (Apple, Inc.) -77 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] new BLE device detected as 11:8D:A3:DD:6F:23 (Apple, Inc.) -62 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] new BLE device detected as 00:74:BB:1E:51:22 (Microsoft) -68 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] new BLE device detected as 35:DE:BF:24:DE:02 (Microsoft) -57 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] new BLE device detected as 26:22:8E:AC:BC:47 (Microsoft) -89 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] new BLE device detected as 40:16:3B:ED:EF:21 (Samsung Electronics Co.,Ltd) -92 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] new BLE device detected as 56:73:E6:EA:CE:C5 (Apple, Inc.) -51 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:56] [ble.device.new] new BLE device Tile detected as C9:58:1F:16:7A:43 -79 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:56] [ble.device.new] new BLE device detected as 5B:FA:11:B5:B1:3B (Apple, Inc.) -64 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:56] [ble.device.new] new BLE device detected as 66:8D:90:81:2B:C5 (Apple, Inc.) -83 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:57] [ble.device.new] new BLE device detected as F8:04:2E:B0:57:73 (Samsung Electro-Mechanics(Thailand)) -87 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:23:59] [ble.device.new] new BLE device detected as 39:71:FA:71:9F:53 (Apple, Inc.) -94 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:24:01] [ble.device.new] new BLE device detected as 6A:95:78:A8:8D:FC (Microsoft) -94 dBm.
192.168.0.0/24 > 192.168.0.37  » [02:24:04] [ble.device.new] new BLE device detected as 1A:53:E5:84:E2:10 (Microsoft) -95 dBm.
192.168.0.0/24 > 192.168.0.37  »

This discovery will continue for as long as you like. Devices that haven't been seen for a few scans will drop off the list automatically.

Step 4: Identify Hosts to Probe

After a few seconds, we've gathered a pretty big list. In a coffee shop at 2 a.m., I was able to identify many devices. To see the devices you've discovered, type ble.show and press Return.

192.168.0.0/24 > 192.168.0.37  » ble.show
+---------+-------------------+------+-------------------------------------+--------------------------------------------------------------------+---------+----------+
| RSSI ▴  |        MAC        | Name |               Vendor                |                               Flags                                | Connect |   Seen   |
+---------+-------------------+------+-------------------------------------+--------------------------------------------------------------------+---------+----------+
| -51 dBm | 56:73:e6:ea:ce:c5 |      | Apple, Inc.                         | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:50 |
| -59 dBm | 35:de:bf:24:de:02 |      | Microsoft                           |                                                                    | ✖       | 02:24:50 |
| -64 dBm | 5b:fa:11:b5:b1:3b |      | Apple, Inc.                         | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:49 |
| -68 dBm | 69:b0:77:33:32:b7 |      | Apple, Inc.                         | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:50 |
| -71 dBm | 00:74:bb:1e:51:22 |      | Microsoft                           |                                                                    | ✖       | 02:24:50 |
| -75 dBm | 11:8d:a3:dd:6f:23 |      | Apple, Inc.                         | Limited Discoverable, LE + BR/EDR (controller), LE + BR/EDR (host) | ✖       | 02:24:50 |
| -77 dBm | c9:58:1f:16:7a:43 | Tile |                                     | BR/EDR Not Supported                                               | ✔       | 02:24:50 |
| -86 dBm | 4f:da:70:25:35:09 |      | Google                              |                                                                    | ✖       | 02:24:48 |
| -86 dBm | 66:8d:90:81:2b:c5 |      | Apple, Inc.                         | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:46 |
| -88 dBm | f8:04:2e:b0:57:73 |      | Samsung Electro-Mechanics(Thailand) |                                                                    | ✖       | 02:24:48 |
| -90 dBm | 40:16:3b:ed:ef:21 |      | Samsung Electronics Co.,Ltd         |                                                                    | ✖       | 02:24:47 |
| -91 dBm | 1a:53:e5:84:e2:10 |      | Microsoft                           |                                                                    | ✖       | 02:24:45 |
| -91 dBm | 26:22:8e:ac:bc:47 |      | Microsoft                           |                                                                    | ✖       | 02:24:49 |
| -91 dBm | 61:b7:ab:e4:84:e7 |      | Apple, Inc.                         | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:36 |
| -91 dBm | 6a:95:78:a8:8d:fc |      | Microsoft                           |                                                                    | ✖       | 02:24:48 |
| -91 dBm | 7a:e8:23:e7:b5:59 |      | Apple, Inc.                         | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:23 |
| -91 dBm | 7d:e3:6c:c7:12:7c |      | Apple, Inc.                         | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:44 |
| -95 dBm | 39:71:fa:71:9f:53 |      | Apple, Inc.                         | Limited Discoverable, LE + BR/EDR (controller), LE + BR/EDR (host) | ✖       | 02:24:41 |
+---------+-------------------+------+-------------------------------------+--------------------------------------------------------------------+---------+----------+
192.168.0.0/24 > 192.168.0.37  » [02:24:55] [ble.device.lost] BLE device 7A:E8:23:E7:B5:59 (Apple, Inc.) lost.
192.168.0.0/24 > 192.168.0.37  » [02:25

Step 5: Scan & Interact with Devices

After we identify a device of interest, we can use Bettercap to interrogate it further. The key here is knowing the MAC address of the target.

Based on the scan above, the device with the strongest signal is an Apple device with the MAC address of 56:73:e6:ea:ce:c5. We can direct a scan of this device by typing the command ble.enum 56:73:e6:ea:ce:c5 to enumerate details about the device.

192.168.0.0/24 > 192.168.0.37  » ble.enum 56:73:e6:ea:ce:c5
[02:27:30] [sys.log] [inf] ble.recon connecting to 56:73:e6:ea:ce:c5 ...
192.168.0.0/24 > 192.168.0.37  » [02:27:30] [sys.log] [inf] ble.recon connected, enumerating all the things for 56:73:E6:EA:CE:C5!
192.168.0.0/24 > 192.168.0.37  »
+--------------+-------------------------------------------------------------+------------------+---------------+
|   Handles    |                  Service > Characteristics                  |    Properties    |     Data      |
+--------------+-------------------------------------------------------------+------------------+---------------+
| 0001 -> 0005 | Generic Access (1800)                                       |                  |               |
| 0002         |     Device Name (2a00)                                      | read             | iPhone        |
| 0004         |     Appearance (2a01)                                       | read             | Generic Phone |
| 0006 -> 0009 | Generic Attribute (1801)                                    |                  |               |
| 0007         |     Service Changed (2a05)                                  | indicate         |               |
| 000a -> 000e | Apple Continuity Service (d0611e78bbb44591a5f8487910ae4366) |                  |               |
| 000b         |     8667556c9a374c9184ed54ee27d90049                        | write, notify, x |               |
| 000f -> 0013 | 9fa480e0496745429390d343dc5d04ae                            |                  |               |
| 0010         |     af0badb15b9943cd917aa77bc549e3cc                        | write, notify, x |               |
+--------------+-------------------------------------------------------------+------------------+---------------+
192.168.0.0/24 > 192.168.0.37  » [02:27:30] [sys.log] [inf] ble.recon disconnecting from 56:73:E6:EA:CE:C5 ...
192.168.0.0/24 > 192.168.0.37  » [02:27:30] [sys.log] [inf] ble.recon device disconnected, restoring discovery.
192.168.0.0/24 > 192.168.0.37  » [02:27:30] [ble.device.lost] BLE device 73:13:D4:64:AF:7D (Apple, Inc.) lost.

As you can see, there are a few services that allow us to write data!

Let's try writing data to a characteristic. After another scan, we discover a device with the MAC address 7e:dc:48:7c:77:ea and a writable field labeled "69d1d8f345e149a898219bbdfdaad9d9." We can write the value of "ffffffffffffffff" to that device by typing the command ble.write TheMacAddress TheFieldToWriteTo ValueToWrite, as seen in the example below.

192.168.0.0/24 > 192.168.0.37  » ble.write 7e:dc:48:7c:77:ea 69d1d8f345e149a898219bbdfdaad9d9 ffffffffffffffff
[02:38:22] [sys.log] [inf] ble.recon connecting to 7e:dc:48:7c:77:ea ...
192.168.0.0/24 > 192.168.0.37  » [02:38:22] [sys.log] [inf] ble.recon connected, enumerating all the things for 7E:DC:48:7C:77:EA!
192.168.0.0/24 > 192.168.0.37  » [02:38:23] [sys.log] [inf] ble.recon writing 8 bytes to characteristics 69d1d8f345e149a898219bbdfdaad9d9 ...
192.168.0.0/24 > 192.168.0.37  » [02:38:23] [sys.log] [err] ble.recon error while writing: insufficient authentication
192.168.0.0/24 > 192.168.0.37  »
+--------------+----------------------------------------------------------------------+------------------+-----------------------------+
|   Handles    |                      Service > Characteristics                       |    Properties    |            Data             |
+--------------+----------------------------------------------------------------------+------------------+-----------------------------+
| 0001 -> 0005 | Generic Access (1800)                                                |                  |                             |
| 0002         |     Device Name (2a00)                                               | read             | iPhone                      |
| 0004         |     Appearance (2a01)                                                | read             | Generic Phone               |
| 0006 -> 0009 | Generic Attribute (1801)                                             |                  |                             |
| 0007         |     Service Changed (2a05)                                           | indicate         |                             |
| 000a -> 000e | Apple Continuity Service (d0611e78bbb44591a5f8487910ae4366)          |                  |                             |
| 000b         |     8667556c9a374c9184ed54ee27d90049                                 | write, notify, x |                             |
| 000f -> 0013 | 9fa480e0496745429390d343dc5d04ae                                     |                  |                             |
| 0010         |     af0badb15b9943cd917aa77bc549e3cc                                 | write, notify, x |                             |
| 0014 -> 0017 | Battery Service (180f)                                               |                  |                             |
| 0015         |     Battery Level (2a19)                                             | read, notify     | insufficient authentication |
| 0018 -> 001d | Current Time Service (1805)                                          |                  |                             |
| 0019         |     Current Time (2a2b)                                              | read, notify     | insufficient authentication |
| 001c         |     Local Time Information (2a0f)                                    | read             | insufficient authentication |
| 001e -> 0022 | Device Information (180a)                                            |                  |                             |
| 001f         |     Manufacturer Name String (2a29)                                  | read             | Apple Inc.                  |
| 0021         |     Model Number String (2a24)                                       | read             | iPhone9,1                   |
| 0023 -> 002c | Apple Notification Center Service (7905f431b5ce4e99a40f4b1e122d00d0) |                  |                             |
| 0024         |     69d1d8f345e149a898219bbdfdaad9d9                                 | write, x         |                             |
| 0027         |     9fbf120d630142d98c5825e699a21dbd                                 | notify           |                             |
| 002a         |     22eac6e924d64bb5be44b36ace7c7bfb                                 | notify           |                             |
| 002d -> 0038 | Apple Media Service (89d3502b0f36433a8ef4c502ad55f8dc)               |                  |                             |
| 002e         |     9b3c81d857b14a8ab8df0e56f7ca51c2                                 | write, notify, x |                             |
| 0032         |     2f7cabce808d411f9a0cbb92ba96c102                                 | write, notify, x |                             |
| 0036         |     c6b2f38c23ab46d8a6aba3a870bbd5d7                                 | read, write, x   | insufficient authentication |
+--------------+----------------------------------------------------------------------+------------------+-----------------------------+
192.168.0.0/24 > 192.168.0.37  » [02:38:23] [sys.log] [inf] ble.recon disconnecting from 7E:DC:48:7C:77:EA ...

While we weren't able to write to this Bluetooth device, many devices will allow it. If we learn a device is running a service with a vulnerability we can exploit by writing to a value, we can use Bettercap to begin poking around for ways to further exploit nearby devices. We can also use these fields to fingerprint devices using MAC address randomization, as the values will uniquely identify a device that's changing other properties like its MAC address to try to avoid correlation.
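The same ble.enum output can be read from the device owner's side. As an added example (not part of the original guide), the parser below takes a ble.enum table and separates characteristics whose values were returned to an unpaired peer from those that answered "insufficient authentication", which shows what identifying data a device gives up before pairing. The function names and the trimmed sample table are assumptions of this example.

```python
import re

# Constructed sample: an excerpt of the ble.enum table shown above, padding trimmed.
SAMPLE = """\
| Handles | Service > Characteristics | Properties | Data |
+---------+---------------------------+------------+------+
| 0001 -> 0005 | Generic Access (1800) | | |
| 0002 | Device Name (2a00) | read | iPhone |
| 0004 | Appearance (2a01) | read | Generic Phone |
| 0014 -> 0017 | Battery Service (180f) | | |
| 0015 | Battery Level (2a19) | read, notify | insufficient authentication |
| 001e -> 0022 | Device Information (180a) | | |
| 001f | Manufacturer Name String (2a29) | read | Apple Inc. |
| 0021 | Model Number String (2a24) | read | iPhone9,1 |
| 0023 -> 002c | Apple Notification Center Service (7905f431b5ce4e99a40f4b1e122d00d0) | | |
| 0024 | 69d1d8f345e149a898219bbdfdaad9d9 | write, x | |
| 0027 | 9fbf120d630142d98c5825e699a21dbd | notify | |
| 002d -> 0038 | Apple Media Service (89d3502b0f36433a8ef4c502ad55f8dc) | | |
| 0036 | c6b2f38c23ab46d8a6aba3a870bbd5d7 | read, write, x | insufficient authentication |
"""

HANDLE = re.compile(r"^[0-9a-f]{4}( -> [0-9a-f]{4})?$")
LABEL = re.compile(r"^(?:(?P<name>.+) \((?P<uuid>[0-9a-f]+)\)|(?P<bare>[0-9a-f]+))$")
GATED = "insufficient authentication"


def parse_enum_table(text):
    """Return one dict per characteristic row, tagged with its parent service."""
    rows, service = [], None
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # borders, prompts and log lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) != 4 or not HANDLE.match(cells[0]):
            continue  # header row or malformed line
        m = LABEL.match(cells[1])
        label = (m.group("name") or m.group("bare")) if m else cells[1]
        if "->" in cells[0]:  # a handle range marks a service row
            service = label
            continue
        props = [p.strip() for p in cells[2].split(",") if p.strip()]
        rows.append({"handle": cells[0], "service": service, "label": label,
                     "props": props, "data": cells[3]})
    return rows


def audit(rows):
    """Split characteristics by what an unpaired peer got back."""
    report = {"disclosed": [], "gated": [], "write_declared": []}
    for r in rows:
        if r["data"] == GATED:
            report["gated"].append(r["label"])
        elif "read" in r["props"] and r["data"]:
            report["disclosed"].append((r["label"], r["data"]))
        if "write" in r["props"]:
            # Declared only: enforcement shows up when a write is attempted.
            report["write_declared"].append(r["label"])
    return report


if __name__ == "__main__":
    for key, items in audit(parse_enum_table(SAMPLE)).items():
        print(key, items)
```

On this sample the device name, appearance, manufacturer and model number come back without pairing, while the battery level and one Apple Media Service characteristic are gated behind authentication.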

Bluetooth Devices Are Everywhere

In our sample scan, we discovered lots of Bluetooth devices nearby, even in a relatively empty coffee shop late at night. One of these devices was a Tile-branded tracker that never changes its MAC address, but others were smart devices that rotate the MAC address they transmit over time. We can defeat this with Bettercap by reading the values of characteristics like the battery life to compare them and determine whether a Bluetooth device we're seeing is the same as one we've seen recently.

With the ability to write data, we can even "tag" a device with a value so that we can identify it uniquely later. The ability to discover and unmask Bluetooth radio transmissions is useful for tracking the people and devices behind them. By knowing the type of hardware and version of software a device we're detecting is using, we have the best possible chance of being able to successfully attack it.

I hope you enjoyed this guide to scanning and tracking Bluetooth devices with Bettercap! If you have any questions about this tutorial on Bluetooth sniffing or you have a comment, there's the comments section below, and feel free to follow me on Twitter @KodyKinzie.

Cover photo and screenshots by Kody/Null Byte
