|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 30.09.2017

Hacking Bluetooth connections


Hacking Bluetooth is much less common than hacking wireless LAN connections. One reason may be that wireless networks are more widespread.

bluetooth attacks

On the other hand, special hardware is needed for identifying and eavesdropping on Bluetooth connections. The Ubertooth from Great Scott Gadgets is an affordable platform for this purpose. It supports classic Bluetooth as well as Bluetooth LE up to a transfer rate of 1 Mbit/s.

fake bluetooth identity


One way to interfere with Bluetooth connections is to set up a fake identity for your pentesting machine. This way a known device like a headset or keyboard can be feigned to lure a victim into establishing a connection with your PC.

configure bluetooth identity

hostnamectl set-hostname my_headset
hciconfig hci0 name my_headset
bdaddr -i hci0 11:22:33:44:55:66
hciconfig hci0 class 0x240404

To find the needed value for the class, an online class of device (CoD) generator can be very helpful.
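The class value above is a 24-bit Class of Device (CoD) field. The following decoder and encoder are an added example, not code from the original page, and use only the bit layout from the Bluetooth Assigned Numbers; the minor-class tables are a subset, and the second value 0x002540 is a constructed sample. Decoding the page's own value 0x240404 shows it declares an Audio/Video device with the "Wearable Headset Device" minor class and the Audio and Rendering service bits. The same routine is useful on the defensive side for reading what nearby devices claim to be in a scan listing; the CoD is self-declared and never authenticated.

```python
# Added example (not part of the original page): decode and build a Bluetooth
# Class of Device (CoD), the 24-bit number passed to "hciconfig hci0 class".
# Bit layout per the Bluetooth Assigned Numbers:
#   bits 0-1   format type (0 for the only defined format)
#   bits 2-7   minor device class (meaning depends on the major class)
#   bits 8-12  major device class
#   bits 13-23 major service class, one flag per bit

MAJOR_SERVICE_BITS = {
    13: "Limited Discoverable Mode",
    16: "Positioning",
    17: "Networking",
    18: "Rendering",
    19: "Capturing",
    20: "Object Transfer",
    21: "Audio",
    22: "Telephony",
    23: "Information",
}

MAJOR_DEVICE_CLASSES = {
    0x00: "Miscellaneous",
    0x01: "Computer",
    0x02: "Phone",
    0x03: "LAN/Network Access Point",
    0x04: "Audio/Video",
    0x05: "Peripheral",
    0x06: "Imaging",
    0x07: "Wearable",
    0x08: "Toy",
    0x09: "Health",
    0x1F: "Uncategorized",
}

# Subset of the Audio/Video minor classes (the major class used on this page).
AUDIO_VIDEO_MINOR = {
    0x01: "Wearable Headset Device",
    0x02: "Hands-free Device",
    0x04: "Microphone",
    0x05: "Loudspeaker",
    0x06: "Headphones",
    0x07: "Portable Audio",
    0x08: "Car Audio",
    0x0A: "HiFi Audio Device",
    0x0F: "Video Display and Loudspeaker",
    0x10: "Video Conferencing",
}

# For Peripheral (0x05) the upper two minor bits say keyboard / pointing / both.
PERIPHERAL_KIND = {0: "Other peripheral", 1: "Keyboard", 2: "Pointing device",
                   3: "Combo keyboard/pointing device"}


def decode_cod(cod):
    """Split a 24-bit CoD into its fields and name them where a table exists."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("CoD must be a 24-bit value, got 0x%x" % cod)
    fmt = cod & 0x3
    minor = (cod >> 2) & 0x3F
    major = (cod >> 8) & 0x1F
    services = [name for bit, name in MAJOR_SERVICE_BITS.items() if cod & (1 << bit)]
    major_name = MAJOR_DEVICE_CLASSES.get(major, "Reserved (0x%02x)" % major)
    if major == 0x04:
        minor_name = AUDIO_VIDEO_MINOR.get(minor, "Reserved/Uncategorized (0x%02x)" % minor)
    elif major == 0x05:
        minor_name = PERIPHERAL_KIND[minor >> 4]
    else:
        minor_name = "0x%02x" % minor
    return {"format": fmt, "services": services, "major": major_name, "minor": minor_name}


def encode_cod(service_bits, major, minor):
    """Inverse of decode_cod: what an online class generator computes for you."""
    cod = 0
    for bit in service_bits:
        if bit not in MAJOR_SERVICE_BITS:
            raise ValueError("bit %d is not a major service class bit" % bit)
        cod |= 1 << bit
    return cod | ((major & 0x1F) << 8) | ((minor & 0x3F) << 2)


def describe_cod(cod):
    """One-line summary of a CoD value, e.g. for annotating a scan listing."""
    d = decode_cod(cod)
    return "0x%06x: %s / %s; services: %s" % (
        cod, d["major"], d["minor"], ", ".join(d["services"]) or "none")


if __name__ == "__main__":
    # The value from the page's hciconfig command decodes to a headset.
    print(describe_cod(0x240404))
    # Constructed second value: a keyboard in limited discoverable mode.
    print(describe_cod(0x002540))
```

`encode_cod([18, 21], 0x04, 0x01)` reproduces the page's 0x240404 from its parts, which is the arithmetic an online generator performs.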

For the connection to be established successfully you may have to enable Secure Simple Pairing (sspmode) and mark the target device as trusted in bluetoothctl.

An alternative way to change the Bluetooth device name is to create the following file with this content.

/etc/machine-info

PRETTY_HOSTNAME=my_device_name

put machine in pairable mode

bluetoothctl
agent on
discoverable on
pairable on

You will then be prompted for a PIN (if you choose 0000, the connecting device might not be prompted). Afterwards you have to authorize the service UUIDs you want to share.

building ubertooth on arch linux


The build instructions for other distributions can be found in the Ubertooth wiki on GitHub.

If you are building on Arch Linux, some commands have to be modified. Below you can find the commands needed to allow a dedicated Linux user group access to the Ubertooth device, and how to build the firmware.

The prerequisites on Arch Linux are

pacman -S wget cmake python-numpy python-pyside python-qtpy

create ubertooth group

cmake -DUDEV_RULES_GROUP=ubertooth ..
groupadd ubertooth
usermod -aG ubertooth user
sed 's/@.*@/ubertooth/' 40-ubertooth.rules.in > /lib/udev/rules.d/40-ubertooth.rules
udevadm control --reload

libbluetooth.so.0 'No such file' error

echo /usr/local/lib/ > /etc/ld.so.conf.d/ubertooth.conf
ldconfig

building firmware

pacman -S arm-none-eabi-gcc arm-none-eabi-newlib
cd firmware/bluetooth_rxtx/
make
ubertooth-dfu -d bluetooth_rxtx.dfu -r

sniffing with ubertooth


The project is under constant development and I recommend installing the needed software from the git repositories.

sniffing for lower address part

ubertooth-rx

determine upper address part

ubertooth-rx -l <target lap>

record frames to file

ubertooth-rx -l <target lap> -u <target uap> -r out.pcapng

request device info via service discovery protocol

The two missing bytes of the Bluetooth address are not needed to connect to a device, so they can be replaced with 00:00.

hcitool name <00:00:uap:lap>
hcitool info <00:00:uap:lap>
sdptool browse <00:00:uap:lap>
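The following helpers are an added example, not code from the original page. They split a 48-bit device address (BD_ADDR) into its NAP, UAP and LAP, rebuild the 00:00:uap:lap form used above from a LAP/UAP pair, and show the defensive counterpart: matching a LAP/UAP pair recovered by a sniffer against an inventory of your own devices while ignoring the NAP. The inventory addresses are constructed samples (the first one is the address used earlier on this page), and the hex form returned by lap_uap_hex is assumed to be what the -l/-u placeholders stand for.

```python
# Added example (not part of the original page): work with the three parts of a
# 48-bit Bluetooth device address (BD_ADDR), written most significant byte first:
#   NAP  bytes 0-1 (16 bits)  non-significant address part, never sent on the air
#   UAP  byte  2   ( 8 bits)  upper address part, seeds the packet header checksum
#   LAP  bytes 3-5 (24 bits)  lower address part, forms the sync word of every packet
# Only LAP and UAP are observable on the air, which is why a sniffer can recover
# them and why the "00:00:uap:lap" form above is enough to address a device.


def parse_bdaddr(addr):
    """Return (nap, uap, lap) as integers from 'AA:BB:CC:DD:EE:FF'."""
    parts = addr.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError("expected six colon-separated hex bytes: %r" % addr)
    octets = [int(p, 16) for p in parts]          # raises ValueError on bad hex
    nap = (octets[0] << 8) | octets[1]
    uap = octets[2]
    lap = (octets[3] << 16) | (octets[4] << 8) | octets[5]
    return nap, uap, lap


def partial_bdaddr(lap, uap):
    """Build the '00:00:uap:lap' address once LAP and UAP are known."""
    if not 0 <= lap <= 0xFFFFFF or not 0 <= uap <= 0xFF:
        raise ValueError("LAP must be 24 bits and UAP 8 bits")
    return "00:00:%02X:%02X:%02X:%02X" % (
        uap, (lap >> 16) & 0xFF, (lap >> 8) & 0xFF, lap & 0xFF)


def lap_uap_hex(addr):
    """LAP and UAP of a full address as lowercase hex strings.
    Assumption: this is the form the page's <target lap>/<target uap> stand for."""
    _, uap, lap = parse_bdaddr(addr)
    return "%06x" % lap, "%02x" % uap


def match_inventory(lap, uap, inventory):
    """Inventory addresses whose UAP and LAP equal a sniffed pair (NAP ignored).
    Two entries that differ only in the NAP cannot be told apart this way."""
    return [a for a in inventory if parse_bdaddr(a)[1:] == (uap, lap)]


if __name__ == "__main__":
    # Constructed inventory; the first entry is the address used on this page.
    known = ["11:22:33:44:55:66", "AA:BB:33:44:55:66", "11:22:CC:44:55:66"]
    lap, uap = 0x445566, 0x33                    # a pair as a sniffer would report it
    print(partial_bdaddr(lap, uap))             # 00:00:33:44:55:66
    print(match_inventory(lap, uap, known))     # first two entries match
    print(lap_uap_hex(known[0]))                # ('445566', '33')
```

Because the NAP is not transmitted, two devices in the inventory that share UAP and LAP are indistinguishable from sniffed data alone; the match function therefore returns a list rather than a single entry.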

spectrum analyzer

The Ubertooth is supported by the git version of the spectrum analyzer spectools.

further info


Though the site http://bluetooth-pentest.narod.ru/ is quite old, it still provides a lot of useful information on Bluetooth hacking.