Today, Bluetooth is built into nearly all our devices: computers, smartphones, iPods, tablets, audio speakers, game controllers, and many more. In this series, we concentrate on hacking mobile devices, tablets, and phones, as they are the most fertile ground for cyber criminals. The ability to hack Bluetooth can lead to the compromise of any information on the device (pictures, emails, texts, and so on), control of the device, and the capability to send unwanted information to the device.
Bluetooth is a universal protocol for low-power, short-range communication operating at 2.4–2.485 GHz using spread spectrum, frequency hopping at 1,600 hops per second (this frequency hopping is a security measure). It was developed in 1994 by Ericsson Corp. of Sweden and named after the 10th-century Danish king Harald Bluetooth (Sweden and Denmark were a single country in the 10th century).
The Bluetooth standard specifies a minimum range of 10 meters, but manufacturers are free to implement longer ranges in their devices; many devices reach as far as 100 meters. With special antennas, the range can be extended even further.
When two Bluetooth devices connect, this is known as pairing. Nearly any two Bluetooth devices can connect to one another. Any discoverable Bluetooth device transmits the following information:
- List of Services
- Technical Information
If the two devices pair, they exchange a pre-shared secret, or link key. Each stores this link key to identify the other in later pairings.
Every device has a unique 48-bit identifier (a MAC-like address) and usually a manufacturer-assigned name.
Bluetooth devices form what is known as a piconet, or very small network. In a piconet, there is only one master and up to seven active slaves. Because Bluetooth uses frequency hopping (the frequency changes 1,600 times per second), these devices' communication does not interfere with other piconets, as the chance of two devices using the same frequency at the same time is very small.
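To put a number on "very small", here is an added simulation (not code from the original article) of two independent piconets hopping across the 79 classic-Bluetooth channels (2402–2480 MHz, 1 MHz apart) at 1,600 hops per second. The hop sequences are a uniform pseudo-random choice seeded per piconet, which is an assumption standing in for the real hop-selection kernel (derived from the master's address and clock); the per-slot collision probability it yields, 1/79, is the same.

```python
"""Simulate channel collisions between two frequency-hopping piconets.

Added example, not from the original article. The hop sequence is a seeded
uniform random choice (an assumption), not the Bluetooth hop-selection kernel.
"""
import random

NUM_CHANNELS = 79        # classic Bluetooth: channel k sits at 2402 + k MHz, k = 0..78
HOPS_PER_SECOND = 1600   # one 625 microsecond slot per hop


def channel_frequency_mhz(k: int) -> int:
    """Map a channel index to its carrier frequency in MHz."""
    if not 0 <= k < NUM_CHANNELS:
        raise ValueError(f"channel index out of range: {k}")
    return 2402 + k


def hop_sequence(seed: int, slots: int) -> list:
    """Pseudo-random hop sequence for one piconet (stand-in for the real kernel)."""
    rng = random.Random(seed)
    return [rng.randrange(NUM_CHANNELS) for _ in range(slots)]


def collision_rate(seq_a: list, seq_b: list) -> float:
    """Fraction of slots in which both piconets use the same channel."""
    if len(seq_a) != len(seq_b):
        raise ValueError("sequences must cover the same number of slots")
    if not seq_a:
        return 0.0
    return sum(1 for a, b in zip(seq_a, seq_b) if a == b) / len(seq_a)


def simulate(seconds: float, seed_a: int = 1, seed_b: int = 2) -> dict:
    """Run two piconets for `seconds` and report measured vs. expected collisions."""
    slots = int(seconds * HOPS_PER_SECOND)
    rate = collision_rate(hop_sequence(seed_a, slots), hop_sequence(seed_b, slots))
    return {
        "slots": slots,
        "collision_rate": rate,                 # measured per-slot collision fraction
        "expected_rate": 1 / NUM_CHANNELS,      # 1/79 for independent uniform hopping
        "collisions_per_second": rate * HOPS_PER_SECOND,
    }


if __name__ == "__main__":
    result = simulate(100.0)
    print(f"{result['slots']} slots, collision rate {result['collision_rate']:.4f} "
          f"(expected {result['expected_rate']:.4f}), "
          f"about {result['collisions_per_second']:.1f} collisions per second")
```

Even though the per-slot probability is only about 1.3%, at 1,600 hops per second that still works out to roughly 20 colliding slots per second, which is why the baseband relies on retransmission rather than on never sharing a channel.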
Basic Linux Bluetooth Tools
The Linux implementation of the Bluetooth protocol stack is BlueZ. Most Linux distributions have it installed by default, but if not, you can usually find it in your distribution's repository. In Kali Linux, as you would expect, it is installed by default.
BlueZ has a number of simple tools we can use to manage and eventually hack Bluetooth. These include:
hciconfig: This tool operates very similarly to ifconfig in Linux, except that it operates on the Bluetooth devices. We use it first to bring up the Bluetooth interface (hci0) and then to query the device for its specifications.
hcitool: This is an inquiry tool. It provides us with the device name, device ID, device class, and device clock.
hcidump: This tool allows us to sniff Bluetooth communication.
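The information hcitool reports (address, name, class, clock offset) is what a defender uses to inventory the discoverable devices around a site. The following is an added example, not code from the original article or from BlueZ: it parses the text output of `hcitool scan` and `hcitool inq`, splits the 48-bit BD_ADDR described above into its NAP/UAP/LAP fields, and decodes the Class of Device into its major device class and service classes. The command output embedded below is constructed to mirror hcitool's format; the addresses, names and clock offsets are made up.

```python
"""Inventory discoverable devices from `hcitool scan` / `hcitool inq` output.

Added example, not code from the original article or from BlueZ. The sample
output below is constructed; addresses and names are invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Major device class lives in bits 8-12 of the Class of Device (Bluetooth Assigned Numbers).
MAJOR_CLASSES = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
# Major service classes are single bits 13-23 of the Class of Device.
SERVICE_CLASSES = {
    13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer",
    21: "Audio", 22: "Telephony", 23: "Information",
}

BDADDR_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# `hcitool inq` prints: <tab>BD_ADDR<tab>clock offset: 0x....<tab>class: 0x......
INQ_RE = re.compile(
    r"^\s*([0-9A-Fa-f:]{17})\s+clock offset:\s*0x([0-9A-Fa-f]+)\s+class:\s*0x([0-9A-Fa-f]+)"
)


@dataclass
class BtDevice:
    bdaddr: str
    name: str = ""
    cod: Optional[int] = None           # Class of Device, if seen in an inquiry
    clock_offset: Optional[int] = None  # clock offset reported by the inquiry

    @property
    def major_class(self) -> str:
        if self.cod is None:
            return "Unknown"
        return MAJOR_CLASSES.get((self.cod >> 8) & 0x1F, "Reserved")

    @property
    def services(self) -> List[str]:
        if self.cod is None:
            return []
        return [name for bit, name in SERVICE_CLASSES.items() if self.cod & (1 << bit)]


def split_bdaddr(bdaddr: str) -> Tuple[int, int, int]:
    """Split a 48-bit BD_ADDR into NAP (16 bits), UAP (8 bits) and LAP (24 bits).

    NAP and UAP together form the manufacturer's OUI; the LAP is per device.
    """
    if not BDADDR_RE.match(bdaddr):
        raise ValueError(f"not a BD_ADDR: {bdaddr!r}")
    o = [int(x, 16) for x in bdaddr.split(":")]
    return (o[0] << 8) | o[1], o[2], (o[3] << 16) | (o[4] << 8) | o[5]


def parse_hcitool(scan_out: str, inq_out: str) -> Dict[str, BtDevice]:
    """Merge `hcitool scan` (address + name) with `hcitool inq` (offset + class)."""
    devices: Dict[str, BtDevice] = {}
    for line in scan_out.splitlines():
        parts = line.strip().split("\t", 1)
        if len(parts) == 2 and BDADDR_RE.match(parts[0]):
            addr = parts[0].upper()
            devices.setdefault(addr, BtDevice(addr)).name = parts[1].strip()
    for line in inq_out.splitlines():
        m = INQ_RE.match(line)
        if m:
            addr = m.group(1).upper()
            dev = devices.setdefault(addr, BtDevice(addr))
            dev.clock_offset = int(m.group(2), 16)
            dev.cod = int(m.group(3), 16)
    return devices


def survey_report(devices: Dict[str, BtDevice]) -> List[str]:
    """One line per device: address, OUI, name, major class, service classes."""
    lines = []
    for addr in sorted(devices):
        d = devices[addr]
        nap, uap, _ = split_bdaddr(addr)
        oui = f"{nap:04X}{uap:02X}"
        lines.append(f"{addr}  oui={oui}  {d.name or '<no name>'}  "
                     f"{d.major_class}  [{', '.join(d.services)}]")
    return lines


# Constructed sample output in hcitool's format (invented devices).
SCAN_OUT = "Scanning ...\n\t00:1A:7D:DA:71:13\tPixel-phone\n\t00:0C:8A:11:22:33\tBT-Speaker\n"
INQ_OUT = ("Inquiring ...\n"
           "\t00:1A:7D:DA:71:13\tclock offset: 0x3a7d\tclass: 0x5a020c\n"
           "\t00:0C:8A:11:22:33\tclock offset: 0x1122\tclass: 0x240414\n")

if __name__ == "__main__":
    print("\n".join(survey_report(parse_hcitool(SCAN_OUT, INQ_OUT))))
```

Running it on the constructed sample classifies 00:1A:7D:DA:71:13 as a Phone offering Networking, Capturing, Object Transfer and Telephony, and 00:0C:8A:11:22:33 as an Audio/Video device with Rendering and Audio; the same parser can be fed the real command output captured during a site survey.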
Bluetooth Protocol Stack
The Bluetooth protocol stack looks like this.
Bluetooth devices don't need to use all the protocols in the stack (just as with the TCP/IP stack). The Bluetooth stack is designed to allow the use of Bluetooth by a variety of communication applications. Generally, an application will use only one vertical slice of this stack. The Bluetooth protocol layers and their associated protocols are listed below.
- Bluetooth Core Protocols: Baseband, LMP, L2CAP, SDP
- Cable Replacement Protocol: RFCOMM
- Telephony Control Protocols: TCS Binary, AT commands
- Adopted Protocols: PPP, UDP/TCP/IP, OBEX, WAP, vCard, vCal, IrMC, WAE, etc.
In addition to the protocol layers, the Bluetooth specification also defines a host controller interface (HCI). It provides a command interface to the baseband controller and link manager, and access to hardware status and control registers. Hence the names of tools such as hciconfig, hcidump, and hcitool.
Bluetooth security is based on a few techniques. First, frequency hopping: both the master and slave know the frequency-hopping algorithm, but an outsider does not. Second, a pre-shared key exchanged at pairing that is used for authentication and encryption (128-bit).
There are three security modes for Bluetooth. These are:
- Security Mode 1: No active security.
- Security Mode 2: Service-level security. A centralized security manager handles authentication, configuration, and authorization. It may not be activated by the user. No device-level security.
- Security Mode 3: Device-level security. Authentication and encryption based on the secret key. Always on. Enforces security for the low-level connection.
There are several Bluetooth hacking tools built into Kali Linux that we will be using throughout this series, as well as others that we will need to download and install. We can find the installed Bluetooth tools by going to Applications -> Kali Linux -> Wireless Attacks -> Bluetooth Tools.
There, we will see several tools for attacking Bluetooth. Let's take a brief look at each of them.
- Bluelog: A Bluetooth site survey tool. It scans the area to find as many discoverable devices as possible and then logs them to a file.
- Bluemaho: A GUI-based suite of tools for testing the security of Bluetooth devices.
- Blueranger: A simple Python script that uses L2CAP pings to locate Bluetooth devices and determine their approximate distance.
- Btscanner: This GUI-based tool scans for discoverable devices within range.
- Redfang: This tool allows us to find hidden Bluetooth devices.
- Spooftooph: This is a Bluetooth spoofing tool.
Some Bluetooth Attacks
- Blueprinting: The process of footprinting a Bluetooth device.
- Bluesnarfing: This attack takes data from the Bluetooth-enabled device. This can include text messages, calendar information, images, the phone book, and chats.
- Bluebugging: The attacker is able to take control of the target's phone. Bloover was developed as a proof-of-concept tool for this purpose.
- Bluejacking: The attacker sends a "business card" (text message) that, if the user allows it to be added to their contact list, enables the attacker to continue sending additional messages.
- Bluesmack: A DoS attack against Bluetooth devices.