Add to collection(s) Add to saved
  1. No category
Uploaded by demotest702

INTRODUCTION TO BLUETOOTH HACKING (An0n Ali)

advertisement 
INTRODUCTION TO BLUETOOTH
HACKING
-
-
BY AN0N ALI
Table of Contents
-
Broadly Applicable Attacks ……………………………………………………………………… 3
1. Bluetooth DDoS Attack …………………………………………………………………… 3 - 5
2. Bluetooth Impersonation Attack …………………………………………..…… 6 – 8
3. HID Spoofing Attack ……………………………………………………………………..… 9 – 11
4. Bluetooth Interception Attack ………………………………………….……… 12 - 14
Vulnerability Attacks ………………………………………………………………………………….. 15
1. BlueSnarfing ……………………………………………………………………………………… 15 - 16
2. BlueBugging ……………………………………………………………………………………………… 17
3. BlueBorne ………………….……………………………………………………………………… 18 – 19
-
Additional Information …………………..…………………………………………………………. 20
1. BlueJacking ………..………………………………………………………………………………..…… 20
2. Car Whisperer …………………………………………………………………………….…………… 20
3. BLE Tools ………………….………………………………………………………………………………. 20
SDR Gadgets Used for Bluetooth Hacking ………………………………………. 21
Subscribe to me on YouTube!
BROADLY APPLICABLE
ATTACKS
-
1. Bluetooth DDoS Attack
This attack leverages the basic feature of Bluetooth that allows
devices to send connection requests to each other. By flooding a
device with excessive requests, the attack aims to exhaust the
device's resources, theoretically applicable due to the inherent
capability of Bluetooth devices to receive and process such
requests.
Attack Execution Steps
1. Discovery: The attacker uses a device with Bluetooth scanning
capabilities to identify potential target. This is often done using tools
that can scan for Bluetooth devices and gather information such as
device names, MAC addresses, and the types of services they offer.
2. Target Selection: Once potential targets are identified, the attacker
selects a device or devices to attack based on criteria like type of
device, perceived vulnerability, or the value of disrupting that
particular device.
-
3. Pairing Requests Flood (1st Option): The attacker may attempt to flood
the target device with pairing requests. While the device is busy
handling these requests, it may be unable to process legitimate
requests or connections.
-
4. Service Discovery Protocol Abuse (2nd Option): Bluetooth devices use
the SDP to identify the services available on other devices. An
attacker could repeatedly query a device's SDP to consume the
device's resources, leading to a slowdown or crash.
5. L2CAP Flood (3rd Option): The Logical Link Control and Adaptation
Protocol (L2CAP) is used for data transmission between devices
over Bluetooth. An attacker might send a large number of L2CAP
packets to the target device, overwhelming its ability to process
legitimate packets.
-
-
Advanced Techniques:
-
 Use of Multiple Devices: To amplify the attack, an attacker can use
multiple devices to send requests or data to the target
simultaneously, increasing the attack's intensity.
 Exploiting Vulnerabilities: If the attacker finds vulnerabilities in the
Bluetooth stack of the target device, they can exploit these to cause
more effective disruptions. For example, vulnerabilities that allow
for remote code execution or crashing the Bluetooth service can be
leveraged.
- Automation: Attackers can automate the scanning, targeting, and
attack phases using scripts or specialized software, making it easier
to launch attacks against multiple devices or sustain the attack over
a longer period.
Limitations of a DDoS Attack
 Rate Limiting and Connection Management: Modern devices
implement rate limiting and sophisticated connection management
strategies. These can detect and block repeated, suspicious
connection attempts, effectively preventing a DDoS attack.
 Non-Discoverability by Default: Some devices are not discoverable
by default or automatically switch off discoverability after a short
period, reducing the window of opportunity for attackers to initiate
unsolicited connection requests.
2. Bluetooth Impersonation Attack (BIAS)
This leverages the trust mechanism established during the pairing
process.
Technical Foundation
-
 Bluetooth Pairing and Authentication: Bluetooth devices pair using a
shared secret known as a Link Key or Long Term Key (LTK),
established during an initial setup process known as pairing. After
pairing, devices authenticate each other using this shared secret to
establish encrypted connections.
0
 Role Switching: Bluetooth allows devices to switch roles, with one
acting as the master (typically the initiator of a connection) and the
other as the slave (the device that responds to the connection). The
security of the connection depends partly on these roles.
0
 Secure Connections (SC) and Legacy Pairing: Bluetooth devices
support two main types of pairing: Secure Connections (introduced
in Bluetooth 4.2, using Elliptic Curve Diffie-Hellman for key
exchange) and Legacy Pairing (using a PIN or passphrase). BIAS
exploits vulnerabilities in how devices handle these pairing methods.
-
-
Attack Execution Steps
-
 Target Identification: The attacker identifies two devices that have
been previously paired, gathering information such as their
Bluetooth addresses (BDR_ADDR) and device names.
-
 Exploiting Role Switching: The attacker initiates a connection to one
of the target devices, impersonating the other device in the paired
relationship. The attacker manipulates the connection to request a
role switch, positioning themselves as the master device.
 Legacy Pairing Vulnerability (1st Option): If the devices use Legacy
Pairing, the attacker can exploit weaknesses in the PIN or
passphrase-based authentication, using methods like brute force
attacks to guess the shared key.
-
 Bypassing Secure Connections (2nd Option): For devices using
Secure Connections, the attacker can exploit vulnerabilities in the
protocol that allow them to downgrade the connection to Legacy
Pairing or exploit flaws in the key exchange process, effectively
bypassing the stronger encryption.
 Impersonation: Once the attacker has successfully exploited these
vulnerabilities, they can impersonate one of the devices, allowing
them to intercept and decrypt communications, inject malicious data,
or gain unauthorized access to device features.
Limitations Of A BIAS Attack
 Secure Simple Pairing (SSP) and LE Secure Connections: Newer
versions of Bluetooth use SSP and LE Secure Connections, for
public key encryption, making it significantly harder to spoof a device
successfully. These methods offer better security against
impersonation by ensuring that the pairing process is protected
against eavesdropping and man-in-the-middle attacks.
3. HID Spoofing Attack
This attack takes advantage of Bluetooth's ability to connect peripheral
devices like keyboards and mice to enhance user interface experiences.
This type of attack can be particularly effective because once paired, the
attacker can input commands directly to the target device.
Attack Execution Steps
 Select Attack Device: The attacker needs a device capable of
broadcasting Bluetooth signals and impersonating an HID device.
This could be a smartphone with specific software, or a specialized
device designed for penetration testing. (MultiBlue Dongle)
0
 Scan and Select Target Devices: The attacker scans for nearby
Bluetooth-enabled devices that are set to be discoverable or are
broadcasting their presence. From the list of discoverable devices,
the attacker chooses a target device to spoof.
0
 Initiate Pairing Request: The attacker's device, configured as an HID,
sends a pairing request to the target device. This step often requires
the target device to be in discoverable mode.
--
 Target Identification: The attacker identifies two devices that have
been previously paired, gathering information such as their
Bluetooth addresses (BDR_ADDR) and device names.
-
 Bypass User Confirmation: Depending on the target device's security
settings, the attacker may need to bypass or exploit user
confirmation mechanisms. This can involve social engineering,
exploiting vulnerabilities in the Bluetooth stack, or taking advantage
of settings that automatically accept certain types of connections.
 Input Commands: Once paired, the attacker can input commands into
the target device as if they were typing on a keyboard directly
connected to it. This can include opening web browsers,
downloading malware, executing scripts, or any number of malicious
activities.
-
 Maintain Stealth: To remain undetected, attackers often execute
commands that leave minimal traces or mimic user behavior to
avoid raising suspicions.
-
Limitations Of An HID Spoofing Attack
 Authentication and Authorization Procedures: Some devices now
require explicit user permission to connect new peripherals,
especially those with extensive control capabilities like keyboards.
Users are often prompted to confirm the connection or enter a PIN,
adding a layer of authentication that HID spoofing attacks must
circumvent.
 Enhanced Security Protocols for Peripheral Devices: Security
protocols for Bluetooth connections, including those involving HID
devices, have been strengthened. Encryption and secure pairing
mechanisms reduce the risk of unauthorized devices mimicking
legitimate peripherals.
4. Bluetooth Interception Attack
This attack leverages the basic feature of data transmission over
Bluetooth. By positioning oneself in the communication path between two
devices, an attacker exploits the fundamental feature of Bluetooth that
allows for the wireless exchange of information.
Attack Execution Steps
 Scan Target Devices: //
0
 Choose Target Devices: After identifying potential targets, the
attacker selects a pair of devices to target.
0
 Force Disconnection: The attacker may attempt to disrupt the
existing connection between the two target devices. This can be
done through a variety of methods, such as jamming signals or
exploiting vulnerabilities in the Bluetooth protocol to cause
disconnections.
--
 Position as the Middleman: The attacker then positions their device
to act as a relay between the two original devices. This involves
making each device believe that it is communicating directly with its
intended partner, while in reality, all communication is routed
through the attacker's device.
-
 Impersonation (BIAS): To successfully intercept the communication,
the attacker's device must pair with both target devices. This can
involve spoofing the Bluetooth address (MAC address) of each
device to appear as the legitimate communication partner.
-
 Exploiting Pairing Vulnerabilities: The attacker might exploit
vulnerabilities in the pairing process, such as using known or default
PINs, to facilitate unauthorized pairing.
-
 Eavesdrop on Communication: With the connection established
through the attacker's device, they can listen to the data being
transmitted between the two targets. This could include sensitive
information such as login credentials, messages, or any other
transmitted data.
-
 Advanced Technique: Beyond mere eavesdropping, the attacker can
alter the data being exchanged or inject malicious data into the
communication stream. This could lead to further exploitation, such
as sending malware or false commands.
Limitations Of A Bluetooth Interception Attack
 Encryption: Bluetooth communication, especially under protocols
like SSP and LE Secure Connections, is encrypted. This makes
intercepting and deciphering the communication between devices
without the encryption keys extremely challenging.
 Secure Pairing Mechanisms: As mentioned, secure pairing
mechanisms like ECDH in SSP and LE Secure Connections prevent
attackers from easily inserting themselves into the communication
channel between devices without being detected.
 Attack Devices: Tools like Ubertooth One are effective on BLE only,
to sniff communication b/w devices using classical Bluetooth, you’ll
need a device like the Ellisys Bluetooth Explorer (£ 20,000)
ATTACKS TARGETING A
SPECIFIC VULNERABILITY
1. BlueSnarfing Attack
A BlueSnarfing attack specifically targets vulnerabilities in the Bluetooth
protocol to illicitly access and steal information from a victim's Bluetoothenabled device without their consent. This type of attack exploits
weaknesses in the Object Exchange (OBEX) profile of Bluetooth, which is
often used for managing and exchanging data like contacts, emails, and
other personal information between devices.
-
Attack Execution Steps
 Identify Suitable Tools: The attacker selects software tools designed
for BlueSnarfing. These tools can scan for vulnerable Bluetooth
devices and exploit OBEX profile vulnerabilities.
 Enable Discovery Mode: The attacker activates Bluetooth on their
device and starts scanning for nearby Bluetooth-enabled devices.
This step identifies potential targets within the attacker's range.
-
 Detect Vulnerable Devices: Using the scanning tool, the attacker
looks for devices with open OBEX profiles or known vulnerabilities
that can be exploited. Devices not properly configured or running
outdated software are particularly susceptible.
-
 Exploit OBEX Vulnerability: Once a vulnerable device is identified, the
attacker uses their tool to establish an unauthorized OBEX session
with the target device. This is often done without the knowledge or
consent of the device's owner.
 Enable Discovery Mode: Bypass Authentication: The attack may
involve bypassing any authentication mechanisms protecting the
OBEX profile. Some devices might not require authentication for
OBEX access, making them easy targets.
-
 Access Files and Information: With the unauthorized OBEX session
established, the attacker can access, download, or manipulate files
and information stored on the target device. This might include
contacts, call logs, messages, and possibly other sensitive data.
-
 Data Extraction: The attacker extracts the desired information from
the target device. The amount and type of data accessible can vary
depending on the device's configuration and the vulnerabilities being
exploited.
2. BlueBugging Attack
Bluebugging is a form of Bluetooth hacking that goes beyond the simple
unauthorized access of information (like in BlueSnarfing) and allows the
attacker to take control of a device. This type of attack was more prevalent
in earlier versions of Bluetooth but can still pose a threat to devices that
are not properly secured.
-
Attack Execution Steps
 Assess Vulnerability: The attacker looks for devices that are
vulnerable to Bluebugging—often older or unpatched devices. The
vulnerability may be known through previous exploits or indicated by
the Bluetooth version the device is using.
 Exploit Pairing Mechanism: The attacker attempts to pair with the
target device. This might involve exploiting weak or default PINs
used in the pairing process, or vulnerabilities in the Bluetooth stack
that allow unauthorized pairing.
-
 Detect Vulnerable Devices: Using the scanning tool, the attacker
looks for devices with open OBEX profiles or known vulnerabilities
that can be exploited. Devices not properly configured or running
outdated software are particularly susceptible.
-
 Use of Specialized Software: The attacker uses specialized
Bluebugging software that, once paired, exploits vulnerabilities to
gain unauthorized access to the device's command set.
 Send AT Commands: After establishing a connection, the attacker
can use AT (Attention) commands to control the target device. AT
commands can instruct the device to initiate calls, send text
messages, or even enable call forwarding.
-
3. BlueBorne Attack
The BlueBorne attack vector exploits vulnerabilities in the Bluetooth
protocol to allow attackers to take control of devices, access their data, or
spread malware, all without requiring any action from the victim—neither
pairing nor device discoverability is necessary. BlueBorne affects a wide
range of Bluetooth-enabled devices, including smartphones, laptops,
smart TVs, and even IoT devices.
-
Attack Execution Steps
 Research and Tool Selection: Attackers begin by obtaining the tools
and malware designed to exploit the BlueBorne vulnerabilities. This
might involve custom-developed software or modified versions of
publicly available exploitation frameworks.
 Identify Bluetooth Capabilities: The attacker must have a device
capable of running the attack software and exploiting Bluetooth
vulnerabilities, usually a computer with a powerful Bluetooth
adapter.
-
 Discover Active Bluetooth Connections: Using specialized scanning
tools, the attacker scans for devices with Bluetooth enabled in the
vicinity. Unlike traditional Bluetooth attacks, BlueBorne does not
require the target devices to be in discoverable mode.
-
 Determine Device Information: The scanning tool gathers
information about the discovered devices, such as their Bluetooth
versions and active services, to identify potential vulnerabilities.
 Identify Vulnerable Targets: Based on the gathered information, the
attacker identifies devices susceptible to the BlueBorne
vulnerabilities. Different versions of Bluetooth and device operating
systems may have distinct vulnerabilities.
 Select Attack Vector: The attacker chooses the appropriate exploit
from their toolkit that matches the vulnerabilities found in the target
devices. BlueBorne encompasses several vulnerabilities, each
affecting different systems and Bluetooth stacks.
 Craft and Send Malicious Payloads: The attacker crafts a malicious
payload designed to exploit the identified vulnerability. This payload
is then transmitted via Bluetooth to the target device.
-
 Exploit Execution: If the exploit is successful, it executes on the
target device, allowing the attacker to gain unauthorized access.
Depending on the specific vulnerability exploited, the attacker could
achieve a range of outcomes, from executing arbitrary code to taking
complete control over the device.
-
 Perform Malicious Activities: With access to the device, the attacker
can steal data, spread malware, create a botnet, or perform other
malicious activities, all without the user's knowledge.
 Spread to Additional Devices (advanced): In some scenarios, the
attacker can use the compromised device to launch BlueBorne
attacks against other nearby Bluetooth-enabled devices, creating a
potential chain reaction.
Additional Information
-
1.
Bluejacking: This is a relatively harmless attack where an
attacker sends unsolicited messages to discoverable
Bluetooth devices within range. It's more of a prank or an
annoyance than a serious security threat, but it exploits
Bluetooth's proximity-based communication. (THIS ATTACK IS
HISTORICAL AND NOT DONE NOWADAYS)
2.
Car Whisperer: This specific attack targets the Bluetooth
systems within cars. Attackers can exploit vulnerabilities to
eavesdrop on conversations happening inside the car and even
communicate with the passengers through the car's speakers.
3.
BtleJuice and BtleJack for BLE attacks: These tools are
designed for Bluetooth Low Energy (BLE) attacks, capable of
performing MitM attacks, sniffing, and hijacking connections.
While they are tools for security testing, their existence also
highlights the potential for misuse against vulnerable BLE
implementations.
-
--
-
4.
Although newer Bluetooth standards have enhanced security
features, not all devices are updated or support the latest
versions. This discrepancy creates vulnerabilities that hackers
can exploit.
-
5.
The Bluetooth protocol is complex, and implementing it
securely across devices can be challenging. This complexity
can lead to vulnerabilities that are difficult to patch.
SDR Gadgets used for
Bluetooth Hacking
Some SDR Gadgets that are largely used to hack Bluetooth are: Ubertooth
One, HackRF One, RTL SDR, Multiblue.
These SDR tools can be used to:



Capture and analyze Bluetooth packets.
Study Bluetooth protocol implementation and vulnerabilities.
Test the security of Bluetooth devices by attempting to bypass
security measures like encryption and authentication.
---
Watch the Video if you haven’t already!
-
Related documents
Bluetooth
Bluetooth
Hot Leads Campaign Brief
Hot Leads Campaign Brief
RememberAll Team 3 Boris, Jason, Kartik, Mike
RememberAll Team 3 Boris, Jason, Kartik, Mike
Seamless Bluetooth Connectivity to IPv6 Networks
Seamless Bluetooth Connectivity to IPv6 Networks
Download
advertisement