Graduate Operating Systems
Mini-Project:
Hacking Bluetooth In Linux
Alan Joseph J Caceres
Overview
• Hacking Bluetooth in Linux
• Modifying Linux Bluetooth stack to pass a
sequence of bytes to a device in order to
establish a connection.
Introduction to Bluetooth
• What is Bluetooth?
– Form of wireless communication
– Short-range
– Connect multiple devices
– Low data rate compared to Wi-Fi
3
Introduction to Bluetooth
• Form of wireless communication
– Similar to Wi-Fi (IEEE 802.11)
– Uses short-wavelength transmissions within 2.4GHz
range in the public radio spectrum
– A form of ad-hoc networking
– It follows the IEEE 802.15 standard for Wireless
Personal Area Networks (WPAN)
Introduction to Bluetooth
• Short-range
– Because of the short-wavelength used for
transmission; distance is limited
– Low power device minimizes transmission distance
as well
– Advantageous for creating Wireless Personal Area
Networks
Introduction to Bluetooth
• Connect multiple devices
– Excellent for ad-hoc networking
– Devices can create Piconets
– Master / Slave devices can switch roles as needed.
– Devices can range from headsets to keyboards and
mice to gaming consoles like Nintendo's Wii
gaming console.
Bluetooth on Linux


Linux distributions using the Linux kernel
2.4.6 and later implement the Open Source
bluetooth stack BlueZ.
BlueZ provides different modules for the
Linux platform to interface with various
bluetooth enabled devices and services.
Bluetooth on Linux
For this mini-project we will be looking at the
latest version of the BlueZ bluetooth stack;
BlueZ 4.101.
How can we use a sequence of bytes to establish
a connection between two bluetooth devices?
Checking out the source
In the BlueZ bluetooth stack there are many
modules that are provided to assist in the
“pairing” of various bluetooth devices.
Where do they store the passkey for these
devices? It has to be in one of the modules.
A little info...
Bluetooth devices have a “master/slave”
relationship.
When two bluetooth devices establish a
connection between each other they
communicate via their Media Access Control
(MAC) address.
Master meet slave
After a connection between bluetooth devices
have be established, the “master” device need
only request the “slave” by its MAC address to
initiate a connection if it becomes severed.
This feature is what I will be exploiting.
Hacking it
In the BlueZ bluetooth stack there is a file called
hidd.c that performs the connection
authentication and encryption.
There are specific functions within this class that
use the struct bdaddr_t which is an unsigned
int array.
Hacking it.
The unsigned int array within bdaddr_t has a
size of 6. This is basically to hold the MAC
address information in integer form.
A MAC address is basically six hexadecimal
numbers. A call to the function str2ba()
converts this into the bytes for the bdaddr_t
struct.
Use the MAC
Knowing the MAC address of both bluetooth
devices is all that is needed to perform a
“pairing”.
By hard coding the MAC address of both
bluetooth devices into the bdaddr_t src and
dst variables this would allow the devices to
stay permanently paired.
Use the MAC
An example would be seen in the
request_authentication() method that has two
bluetooth device addresses as parameters for
source and destination address.
Removing these parameters or setting their
default values to the devices' MAC addresses
should immediately pair them when they are
in range.
Tricky tricky
Some devices may have MAC addresses that do
not play well with the bluetooth stack. This
may be because they contain 00 as the
beginning or ending part of the address.
They may also use a modified way of connecting
to a host machine such as using the host
machine's address reversed as the passkey.
Hard-coding may be a way to circumvent this