Last changed: 30.09.2017
Hacking bluetooth connections
Hacking bluetooth is much less common as hacking wireless lan connections. Reason may be that on one hand wireless networks are more widespread.
On the other hand special hardware is needed for identifying and eavesdropping bluetooth connections. The ubertooth from greatscottgadgets represents an affordable platform serving this purpose. The ubertooth supports classic bluetooth as well as bluetooth LE up to a transfer rate of 1Mbit.
fake bluetooth identity
One way to interfere with bluetooth connections is to setup a fake identity for your pentesting machine. This way a known device like a headset or keyboard could be feigned to lure a victim to establish a connection with your pc.
configure bluetooth identity
hostnamectl set-hostname my_headset hciconfig hci0 name my_headset bdaddr -i hci0 11:22:33:44:55:66 hciconfig hci0 class 0x240404
To find the needed value for the class the online class id generator can be very helpfull.
For the connection to be established successfully you may have to enable sspmode
and set the target device to be trusted in
An alternative way to change the bluetooth device name would be to create the following file.
put machine in pairable mode
bluetoothctl agent on discoverable on pairable on
In the following you will be prompted for a PIN (if you choose 0000 the connecting device might not be prompted). Afterwards you will have to grant permission to the service UUIDs you want to share.
building ubertooth on arch linux
The building instructions for other distributions can be found in the ubertooth wiki on github.
If you are trying to build on arch linux some commands have to be modified. Below you can find the needed commands to allow access to the ubertooth device for a dedicated linux user group and how to build the firmware.
The prerequisites on arch linux are
pacman -S wget cmake python-numpy python-pyside python-qtpy
create ubertooth group
cmake -DUDEV_RULES_GROUP=ubertooth .. groupadd ubertooth usermod -aG ubertooth user cat 40-ubertooth.rules.in | sed s/@.*@/ubertooth/ > /lib/udev/rules.d/40-ubertooth.rules udevadm control --reload
libbluetooth.so.0 'No such file' error
echo /usr/local/lib/ > /etc/ld.so.conf.d/ubertooth.conf ldconfig
pacman -S arm-none-eabi-gcc arm-none-eabi-newlib cd firmware/bluetooth_rxtx/ make ubertooth-dfu -d bluetooth_rxtx.dfu -r
sniffing with ubertooth
The project is under constant development and I recommend installing the needed software from the git repositories.
sniffing for lower address part
determine upper address part
ubertooth-rx -l <target lap>
record frames to file
ubertooth-rx -l <target lap> -u <target uap> -r out.pcapng
request device info via service discovery protocol
The missing 2 bytes of the bluetooth address are not needed to connect to a
device. Therefore we can replace them with
hcitool name <00:00:uap:lap> hcitool info <00:00:uap:lap> sdptool browse <00:00:uap:lap>
The ubertooth is supported by the git version of the spectrum analyzer spectools.
Though the site http://bluetooth-pentest.narod.ru/ is quite old it can still deliver a lot of usefull informations concerning bluetooth hacking.