Bluetooth Hacking


BlueSmacking

A Bluetooth denial-of-service attack.

Bluediving (LINUX)

A Bluetooth penetration suite used to implement BlueBug, BlueSnarf, and BlueSmack attacks as well as Bluetooth address spoofing.

Btlejuice (LINUX)

A complete framework to perform man-in-the-middle attacks on Bluetooth smart devices.

BluetoothView (WINDOWS)

A small utility that lists discoverable Bluetooth devices with information such as the device name, Bluetooth address, major device type, and minor device type.

Bluetooth MAC spoofing

An attack characterized by changing the device address of a Bluetooth device to match the address of a target device.

Bluejacking

An attack characterized by sending unwanted data to Bluetooth devices.

Bluebugging

An attack that exploits a Bluetooth device to install a backdoor that bypasses normal authentication, giving full access to the device.

Bluesnarfing

An attack that uses the OBEX protocol to gain access to a Bluetooth device.

Bluetooth Hacking Tools

- BluetoothView
- BTScanner
- Btlejuice
- Bluediving
- Super Bluetooth Hack

Bluetooth Threats To User Privacy

- Calendars and address books have been leaked through the Bluetooth protocol.
- Generally available software has activated Bluetooth cameras and microphones, making it easy to create bugging and eavesdropping devices.
- Compromised smart phones are used to visit internet sites and make phone calls to numbers that charge fees.
- Victims have been fooled into disabling Bluetooth security, allowing attackers to pair with a device and steal its information.
- Smartphone worms have been created that replicate and spread by exploiting Bluetooth connections.

To help configure and manage Bluetooth on these distributions, use the following commands:

- hciconfig
- hcitool
- sdptool
- l2ping

Bluesniffing

The use of the Bluesniff wardriving utility to discover Bluetooth devices.

Linux Bluetooth Configuration and Discovery Tools

Many distributions of Linux include a Bluetooth stack called BlueZ. BlueZ includes basic tools that discover and set up Bluetooth devices. Using it, you can collect helpful information about the devices and people around you.

BluePrinting

The act of gathering details about a Bluetooth device that indicates its manufacturer and model.

BTScanner (LINUX)

A Bluetooth sniffing tool that provides the same functions as BluetoothView.

Super Bluetooth Hack (ANDROID)

An Android phone application that can be used to view the files on another Bluetooth-connected Android phone.

Bluetooth Attack Countermeasures

- Ensure each Bluetooth device is operating in a higher security mode.
  - The Bluetooth specification details four security modes.
  - Mode 1 is unsecure, but has been phased out in later versions.
  - Each successive security mode is more secure.
  - Mode 4 requires encryption and the use of Diffie-Hellman techniques for key exchange and key generation.
  - Later versions of Bluetooth require mode 4.
- Use non-regular patterns when pairing. Setting PIN keys using regular patterns, such as sequential numbers, makes them easier to guess.
- Disable Bluetooth on a device immediately after the intended task is completed.
- While Bluetooth is enabled, use hidden mode. Hidden mode prevents other devices from finding your device.
- Use a Bluetooth firewall on Android devices.
- Lower the power setting on Bluetooth devices. This decreases Bluetooth range, but reduces the possibility of an outsider attack.

l2ping

- L2ping sends an L2CAP echo request to the Bluetooth MAC address given in dotted hex notation. L2ping can be run only by the root user and can check to see if the Bluetooth device is up.
- Pressing Ctrl + c stops the ping process.

Example:

    l2ping 64:A2:F9:3B:FD:92

Sample output:

    44 bytes from 64:A2:F9:3B:FD:92 id 0 time 16.37ms
    44 bytes from 64:A2:F9:3B:FD:92 id 1 time 10.59ms
    44 bytes from 64:A2:F9:3B:FD:92 id 2 time 19.46ms
    44 bytes from 64:A2:F9:3B:FD:92 id 3 time 24.45ms
    4 Sent, 4 received, 0% loss

hciconfig

- This tool can view and manage Linux Bluetooth devices. When run without any options, hciconfig displays the name and basic information of all the Bluetooth devices installed in the system. hciX (where X is a number) is the name of a Bluetooth device installed in the system. HCI is an acronym for Host Controller Interface.
- Common commands for this tool are:
  - hciX up, which opens and initializes the Bluetooth device.
  - hciX down, which closes the Bluetooth device.

Example:

- hciconfig displays the name and basic information about all the Bluetooth devices installed in the system. In the sample output, you can see that the name of this device is hci0 and that the device is currently down. To use this device, it must be up or initialized.
- Sample output:

      hci0 Type: Primary BUS: UART
           BD Address: 23:82:FD:2B:6B:BF ACL MTU: 1021:5 SCO MTU: 96.5
           DOWN

- hciconfig hci0 up opens and initializes the hci0 Bluetooth device.

hcitool

- This tool configures Bluetooth connections and sends special commands to the Bluetooth devices. If no command is given, or if the option -h is used, hcitool prints some usage information and exits.
- Common commands for gathering information about Bluetooth devices using this tool are:
  - scan inquires (searches) for remote devices. For each discovered device, the device MAC address and name are displayed.
  - inq searches for remote devices. For each discovered device, the clock offset and class are shown.

Example:

- hcitool scan sample output:

      64:A2:F9:3B:FD:92 Mac Laptop

- hcitool inq output:

      64:A2:F9:3B:FD:92 clock offset: 0x614e class: 0x5a020c

sdptool

- This tool provides the interface for performing Service Discovery Protocol (SDP) queries on Bluetooth devices. sdptool checks which services are made available by a specific device and can work when the device is not discoverable, but is still nearby.
- A common command is browse mac_address. This browses all available services on the device as specified by the Bluetooth MAC address parameter.

Example:

    sdptool browse 64:A2:F9:3B:FD:92

