Hack Bluetooth - how it works

Carder

In this series of articles, I want to look in detail at Bluetooth technology, types of attacks on it, and as a conclusion - a little practice on the part of the attacker, using an interesting device called Ubertooth One.

[image: Ubertooth One]

A detailed description of this toy can be found here.

So, in order, let's look at what Bluetooth is, and how it works.

Bluetooth is a short-range wireless technology that replaces the cables connecting electronic devices: the same radio lets a person talk on the phone through a headset, use a wireless mouse, and sync a mobile phone with a PC.

The Bluetooth RF transceiver (physical layer) operates in the unlicensed ISM band centred on 2.4 GHz, the same range used by microwave ovens and Wi-Fi. The basic system uses a frequency hopping transceiver to cope with interference and fading.


Bluetooth devices organize themselves in a star topology around a master. A group of devices synchronized to one master forms a piconet, which can contain one master and up to seven active slaves, plus additional parked slaves that do not actively participate in the network. A device can also belong to more than one piconet at a time, as master in one and slave in another; the overlapping piconets are called a scatternet.

In a piconet, a physical radio channel is shared by a group of devices that are synchronized to a common clock and frequency hopping pattern, with the master device providing links for synchronization.

The piconet is the basic form of communication in Bluetooth. It is an ad hoc network with up to 7 active slaves. There may also be inactive ("parked") slaves within radio range of the master; they stay synchronized to the common clock and hopping sequence but cannot exchange data until the master activates them.

It is worth saying what a PAN is. A Personal Area Network is a network built "around" a person: a computer network used to transfer data between devices such as computers, phones and tablets.


Personal networks can be used both for the devices to exchange information with each other and to connect them to higher-level networks such as the Internet (uplink), where one "primary" device takes on the role of Internet router.

A wireless personal area network (WPAN) is a low-power PAN that is organized over a short distance using wireless network technologies such as:
  • INSTEON
  • IrDA
  • Wireless USB
  • Bluetooth
  • Z-Wave
  • ZigBee
  • Body Area Network
  • Piconet
We go further, from boring theory to interesting practice.

Let's say the master is your mobile phone. All other devices in your piconet are slaves: a headset, a GPS receiver, an MP3 player, a car stereo, etc.

Devices in a piconet follow a frequency hopping pattern determined algorithmically by the master: a pseudorandom ordering of the 79 channels in the ISM band, derived from the master's Bluetooth clock and device address.

The hopping pattern can be adapted to exclude frequencies used by interfering devices. This adaptive frequency hopping (AFH) improves coexistence with static (non-hopping) ISM systems such as Wi-Fi networks located near the piconet.

Bluetooth radio communication takes place in the ISM band (Industrial, Scientific and Medical), which is shared with household appliances and wireless networks (the license-free 2.4-2.4835 GHz band). To cope with that, Bluetooth uses frequency hopping spread spectrum (FHSS).


With FHSS, the Bluetooth carrier frequency hops 1600 times per second across 79 channels, each 1 MHz wide.

A physical channel (or wireless communication) is divided into time units known as slots. Data is transmitted between Bluetooth-enabled devices in packets that are placed in these slots. Frequency hopping occurs between the transmission and reception of packets, so packets that make up a single transmission can be sent at different frequencies in the ISM range.

A physical channel is also used as a transport for one or more logical channels that support synchronous and asynchronous traffic, as well as broadcast traffic.

Each link type has a specific usage. For example, synchronous traffic is used to transmit audio data in hands-free mode, while asynchronous traffic can carry other forms of data that can withstand greater variability in delivery times, such as printing a file or syncing your calendar between your phone and computer.


One of the challenges often associated with wireless technology is the process of connecting wireless devices. Users are used to the process of connecting wired devices by inserting one end of the cable into one device and the other end into an additional device.

Bluetooth uses an inquiry and inquiry scan procedure for this. A device in inquiry scan mode (discoverable) listens on a known set of frequencies for inquiry packets from a device that is actively searching. When it hears one, it replies with the information the searching device needs to identify and display it: its address, its class of device and its clock offset.

Let's say you want to wirelessly print an image from your mobile phone to a nearby printer. In this case, you go to the image on your phone and select print as the option to send that image. Your phone will start searching for nearby devices.

The printer (scanning device) responds to the request and, as a result, appears in the phone as an available printing device. When the printer responds, it is ready to accept the connection. When you select a Bluetooth wireless printer, the printing process begins by establishing connections at successively higher levels of the Bluetooth Protocol stack, which in this case controls the printing function.


As with any successful technology, all this complexity occurs without the user being aware of anything other than the task they are trying to perform, such as connecting devices and talking on a speakerphone, or listening to high-quality stereo music with wireless headphones.

In the next article, we will understand how secure Bluetooth technology is, and consider possible attack vectors.
 
Hacking Bluetooth 2021
At the moment, bluetooth is built into almost all our gadgets: smartphones, computers, iPods, headphones, gamepads, keyboards, mice and many other devices. This article will focus on hacking mobile devices, tablets, and phones, as they are the most common target of hacking. The possibility of hacking Bluetooth can endanger almost any information on the device(photos, texts, correspondence, emails, contact lists, etc.). In addition, an attacker can gain control of the device and send unwanted data to it. But before we start hacking, first you need to understand the basic principles of this technology, its terms, and understand the security systems used in Bluetooth.

A bit of theory:
Bluetooth is a low-power, short-range communication protocol operating in the 2.4 to 2.485 GHz band using frequency hopping spread spectrum: the carrier frequency hops 1600 times per second. The hopping is there to resist interference, not as a security measure (more on that below). The protocol was developed in 1994 at Ericsson in Sweden and named after the 10th-century Danish king Harald Bluetooth, who united the Danish tribes into one kingdom, just as the protocol was meant to unite communication standards. Range depends on the radio power class: class 2 devices (most phones and headsets) reach about 10 meters, class 1 devices about 100 meters, and manufacturers are free to pick either. With a directional antenna an attacker can extend the usable distance well beyond that.

The process of connecting two Bluetooth devices is called pairing. Almost any two Bluetooth devices can be paired. Every discoverable Bluetooth device announces the following:
  • Name
  • Device class
  • List of services
  • Technical information
When pairing, the devices agree on a shared secret, the link key. Each stores it to authenticate the other in future connections, so pairing does not have to be repeated.
Each device has a unique 48-bit address (BD_ADDR, similar to a MAC address) and a user-visible name.
The legacy pairing process (Bluetooth 2.0 and earlier; 2.1 added Secure Simple Pairing based on elliptic-curve Diffie-Hellman) runs roughly like this: the same PIN is entered on both devices (or is fixed in firmware, as on a headset). One side sends a 128-bit random number in the clear, and both devices combine it with the PIN and a device address to derive a temporary initialization key (E22). Each device then generates another random number, sends it XORed with the initialization key, and both combine the two numbers (E21) into the link key. The devices prove to each other that they hold the same link key with a challenge-response exchange (E1), and the encryption key for the traffic is derived from the link key and a fresh random number (E3). The link key is stored on both sides and used to authenticate each other in later connections. Since everything but the PIN is either public or derived, an attacker who sniffs the whole exchange can brute-force a short PIN offline.
Bluetooth devices form a piconet (a very small network): one master and up to seven active slaves. Because Bluetooth hops frequency, as described above, neighbouring piconets rarely interfere with each other: the chance that two of them land on the same channel at the same time is small, and a collision lasting one 625 microsecond slot (0.000625 s) is not critical.

Basic Linux tools for working with Bluetooth
The Bluetooth protocol stack in Linux is called BlueZ. In most distributions, including Kali Linux, it is installed by default; otherwise you can always find it in your repository.

BlueZ includes several simple tools that we can use to manage and then hack Bluetooth. These include:
  • hciconfig - works much like ifconfig, but for Bluetooth adapters: it shows and changes their state, address, name and class
  • hcitool - a tool for querying devices. It can tell us a device's name, address, class and clock offset, and can issue low-level HCI commands
  • hcidump - dumps the HCI traffic between the host and the local controller (commands, events, ACL/SCO data). It shows what our own adapter sends and receives; it does not sniff other devices' traffic over the air, for which you need hardware like Ubertooth
Bluetooth Protocol Stack

The Bluetooth protocol stack looks like this:
[figure: Bluetooth protocol stack]


Bluetooth devices do not need to use all the protocols in the stack. The Bluetooth stack is designed to allow various communication applications to use Bluetooth for their own purposes. In general, the program uses only one vertical slice of this stack. Bluetooth protocol layer and related protocols:
  • Main Bluetooth protocols: SDP, LMP, L2CAP
  • Cable Replacement Protocol: RFCOMM
  • Telephony Management Protocol: AT-Commands, TCS Binary
  • Borrowed protocols: OBEX, vCard, PPP, WAP, vCal, UDP / TCP/IP, WAE, iRMC
In addition to the protocol layers, the Bluetooth specification also defines the Host Controller Interface (HCI). It provides a command interface for communication with the baseband controller, a communication channel manager, and access to hardware status data and control registers, hence the name of the tools listed above: hcitool, hciconfig, and hcidump

Bluetooth Security
Bluetooth security rests on a few mechanisms. Frequency hopping is often listed first, but it is not a security control: the hopping sequence is derived from the master's device address and clock, both of which a nearby sniffer such as Ubertooth can recover, so it only provides resistance to interference. The real protection is the link key established during pairing, which is used for authentication and for deriving the encryption key (the E0 stream cipher, with a key of up to 128 bits; the effective key length is negotiated between the devices). The original specification defines three security modes, and Bluetooth 2.1 added a fourth:
  • Security mode 1: no security; no authentication or encryption is initiated
  • Security mode 2: service-level security. Authorization, authentication and encryption are enforced per service by a security manager after the L2CAP link is established; nothing is enforced at the link level
  • Security mode 3: link-level security. Authentication and encryption are enforced by the link manager before the channel is set up, for every connection
  • Security mode 4: service-level security using Secure Simple Pairing (Bluetooth 2.1 and later), where the pairing itself is protected by elliptic-curve Diffie-Hellman
Tools for hacking Bluetooth in Kali

Kali has several built-in tools for hacking Bluetooth, and we will download and install a few more. To see the installed Bluetooth tools, open: Applications -> Kali Linux -> Wireless Attacks -> Bluetooth Tools

Here you will find several tools for performing attacks on Bluetooth. Let's take a quick look at them.
  • Bluelog is a tool for detecting bluetooth devices. It scans the surrounding area for visible devices and writes them to a file.
  • Bluemaho - A set of tools with a graphical interface for testing the security of Bluetooth devices
  • Btscanner - a text-mode (curses) tool that scans for discoverable devices in range
  • Spooftooph - Bluetooth spoofing tool (changes the adapter's address, name and class)
  • Blueranger - a simple Python script that uses L2CAP pings to detect Bluetooth devices and estimate their distance from the link quality
  • Redfang-A tool for finding hidden Bluetooth devices

Some attacks on Bluetooth
  • BluePrinting - fingerprinting a device (vendor, model, firmware) from its address and SDP records
  • Bluebugging - the attacker gains full control of the target's phone over an unauthenticated serial (AT command) channel. The Blooover application was written to run this attack automatically
  • BlueSmack - a DoS attack against Bluetooth devices using oversized L2CAP echo requests, which knocks them off the network
  • Bluesnarfing-This attack steals data from Bluetooth-enabled devices, such as text messages, images, chats, SMS, address book, and calendar information
  • Bluejacking-The attacker sends the victim a "business card" - a text message, and if the user adds it to the contact list, the attacker will be able to send additional messages
ATTENTION! I HIGHLY RECOMMEND READING THE THEORY BEFORE READING FURTHER, FOR A COMPLETE UNDERSTANDING!

Practice:

Hacking with a MultiBlue electronic key
This electronic dongle is able to connect to any Bluetooth device and allows us to use your computer's keyboard to control it. This dongle was designed to allow users to control their mobile devices using a keyboard and mouse(Yes, that's right, and I know that you can connect a keyboard and mouse to your phone using an otg cable and a usb hub, if the phone is android). But, it can be used in other ways as well... You can buy this key in many stores, it costs ~$14. For hacking with this key, we need physical access to the device, but as our knowledge increases(and as we read the article), we will gradually move to managing Bluetooth devices without physical access. And although the working distance is limited to 10-100 meters, this is more than enough to cover most homes, schools, offices, coffee shops, libraries and other buildings, and the coverage can always be increased using an antenna. Now let's look at connecting to and managing an android device.
So, HID (Human Interface Device) is the protocol for devices that people interact with directly, such as keyboards, mice and gamepads. With MultiBlue we use the HID profile to send keyboard and mouse events over Bluetooth to the target system.

So, let's move on to the hack.
MultiBlue supports Windows and Mac OS X. If you have Linux, you can use it via Wine. I will use Windows 7, as it is more to my liking.
This electronic key does not require a driver, and everything you need is already in the key itself. In fact, the dongle is a 4GB usb flash drive with built-in bluetooth, and you just need to connect it to the USB of your PC.
After connecting to the PC, it will appear in the system as a flash drive. When you open it, you will see a choice - Win and Mac, choose depending on your system, for Linux via Wine, choose Win accordingly. After that, the MultiBlue app will launch
[screenshot: MultiBlue application]


Now we need to put the target mobile device into discoverable mode. In my case the phone stays discoverable for 2 minutes, which is plenty of time to connect.
[screenshot: target phone in discoverable mode]


After that, "MultiBlue Dongle" appears in the target's list of available devices. Start pairing from the target; it shows a code that we must enter in the MultiBlue program. As you might have guessed, this is the PIN required to pair. Later we will look at methods (for example interception and brute force) of obtaining it without physical access to the target.
You may also have noticed that the dongle calls itself "MultiBlue Dongle", which looks suspicious. Later we will look at how to spoof this name, replacing it with something less suspicious so that the user thinks he is connecting to one of his own devices.

So, after we enter the code from the phone into our program, MultiBlue shows that we are connected to the device.
[screenshot: MultiBlue connected]


Now we can control the device with the keyboard and mouse; that is, we have control over it and can do almost anything we want: install malware or spyware, or open a terminal in the background to use whenever the device is nearby. Next we need a way to control a device without physical access and without MultiBlue.

Exploration
So, to hack a device without physical access and without knowing much about it, we first need to do reconnaissance. We will use BlueZ for this.
BlueZ is the standard Bluetooth protocol stack on almost all Linux distributions, including Kali. Until Android 4.2 it was also the Bluetooth stack on Android (macOS has always used Apple's own stack).
This implementation ships many tools that we can use for reconnaissance.
Let's get started.
First we move from Windows to a Linux machine; I will use Kali Linux. We will need a Linux-compatible Bluetooth adapter.
Now check that the adapter is recognized by running "hciconfig".

[screenshot: hciconfig output]

As you can see in the screenshot, we have a Bluetooth adapter with the address 10:AE:60:58:F1:37, which BlueZ has named "hci0". Enable it with "hciconfig hci0 up"; the adapter is now ready for use.
BlueZ includes good tools for finding Bluetooth devices, mostly under hcitool. First, let's use the scan function to find devices in discoverable mode: "hcitool scan".
[screenshot: hcitool scan output]


In the screenshot we found two devices, SCH-I535 and ANDROID BT, so we now know their names and addresses. Next we get more information with "hcitool inq".
[screenshot: hcitool inq output]


This output also includes each device's clock offset (the difference between its Bluetooth clock and ours, which lets us page it faster; it has nothing to do with time zones) and its class of device. The assigned codes are listed here: https://www.bluetooth.org/en-us/specification/assigned-numbers/service-discovery
In the future, some tools will do this for us.
hcitool is a powerful BlueZ command-line tool with extensive functionality. The screenshot below lists some of its more useful commands.
[screenshot: hcitool command list]


Once we know a device's address from hcitool, we can use the Service Discovery Protocol (SDP) to list the services it offers. BlueZ has sdptool for this: "sdptool browse MAC_ADDRESS".

[screenshot: sdptool browse output]

In the screenshot, we can see that the tool managed to get information about all the services that the device can use.
So, after all the time we spent learning to scan, the target may have left range or switched discoverable mode off. To check whether it is still reachable, use "l2ping MAC_ADDRESS". l2ping only needs the address, so it works even when the device is no longer discoverable.
[screenshot: l2ping output]


In the screenshot, the target answers the echo requests, so it is in range and accepting L2CAP connections (whether or not it is still discoverable).
Kali also has a text-mode tool, BTScanner: type "btscanner" in a terminal to open its interface, then press "i" to start an inquiry scan of nearby devices.
[screenshot: btscanner device list]


As you can see, BTScanner found another device - "MINIJAMBOX by Jawb". This device has been in range all this time, it's just that it's a speaker that was already connected to the device, and so it didn't show up on previous scanners, but BTScanner was able to detect it.
To get more information about a device, move the cursor to it and press Enter. The utility shows everything it knows about the device.

[screenshot: btscanner device details]

You can pay attention to the fact that this tool showed the class of this device as "Phone/Smartphone" by decoding the code 0x5a020c.
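Decoding the class code by hand every time is tedious, so here is an added example (not part of the original post and not a BlueZ tool) that parses `hcitool inq` output, splits each address into its NAP/UAP/LAP parts (the LAP is what appears in every packet's sync word and what Ubertooth recovers first) and decodes the class of device the same way btscanner did for 0x5a020c. The three inquiry lines are constructed to match hcitool's layout: the first address is the adapter from the screenshot above, the second is the keyboard address used later in this article, and the third address and all clock offsets are made up.

```python
"""Parse `hcitool inq` output and decode the Class of Device (CoD) field.

Added example, not from the original post. SAMPLE_INQ is constructed to match
the layout hcitool prints; it is not a real capture.
"""
import re

# Constructed sample in the shape `hcitool inq` prints: BD_ADDR, clock offset, class.
SAMPLE_INQ = """Inquiring ...
\t10:AE:60:58:F1:37\tclock offset: 0x1e76\tclass: 0x5a020c
\tA0:02:DC:11:4F:85\tclock offset: 0x0352\tclass: 0x002540
\t00:21:3C:9E:3A:F1\tclock offset: 0x7f12\tclass: 0x240404
"""

INQ_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+clock offset:\s*0x([0-9A-Fa-f]+)"
    r"\s+class:\s*0x([0-9A-Fa-f]+)"
)

# CoD layout (24 bits): bits 23-13 service classes, 12-8 major class, 7-2 minor, 1-0 format.
SERVICE_BITS = {13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
                22: "Telephony", 23: "Information"}
MAJOR = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
         4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
         9: "Health", 31: "Uncategorized"}
MINOR = {
    1: {0: "Uncategorized", 1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC/PDA",
        5: "Palm-size PC/PDA", 6: "Wearable computer", 7: "Tablet"},
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    4: {0: "Uncategorized", 1: "Wearable Headset Device", 2: "Hands-free Device",
        4: "Microphone", 5: "Loudspeaker", 6: "Headphones", 7: "Portable Audio",
        8: "Car audio", 9: "Set-top box", 10: "HiFi Audio Device", 11: "VCR",
        12: "Video Camera", 13: "Camcorder", 14: "Video Monitor",
        15: "Video Display and Loudspeaker", 16: "Video Conferencing", 18: "Gaming/Toy"},
}
# The Peripheral minor class is split: bits 7-6 keyboard/pointing, bits 5-2 device type.
PERIPHERAL_KIND = {0: "Other", 1: "Keyboard", 2: "Pointing device",
                   3: "Combo keyboard/pointing device"}
PERIPHERAL_TYPE = {0: "Uncategorized", 1: "Joystick", 2: "Gamepad", 3: "Remote control",
                   4: "Sensing device", 5: "Digitizer tablet", 6: "Card reader",
                   7: "Digital pen", 8: "Handheld scanner", 9: "Handheld gestural input"}


def decode_cod(cod: int) -> dict:
    """Return major class, minor class and service class names for a 24-bit CoD."""
    major_code = (cod >> 8) & 0x1F
    minor_code = (cod >> 2) & 0x3F
    services = [name for bit, name in sorted(SERVICE_BITS.items()) if cod & (1 << bit)]
    major = MAJOR.get(major_code, f"Reserved (0x{major_code:02x})")
    if major_code == 5:
        kind = PERIPHERAL_KIND[minor_code >> 4]
        dev_type = PERIPHERAL_TYPE.get(minor_code & 0x0F, f"Reserved (0x{minor_code & 0x0F:x})")
        minor = kind if dev_type == "Uncategorized" else f"{kind}, {dev_type}"
    else:
        minor = MINOR.get(major_code, {}).get(minor_code, f"0x{minor_code:02x}")
    return {"major": major, "minor": minor, "services": services}


def split_bdaddr(addr: str) -> dict:
    """Split a BD_ADDR into NAP (16 bits), UAP (8 bits) and LAP (24 bits).

    The LAP is encoded in every packet's sync word, so a sniffer like Ubertooth
    sees it directly; the UAP has to be recovered from packet checksums.
    """
    octets = [int(x, 16) for x in addr.split(":")]
    if len(octets) != 6:
        raise ValueError(f"bad BD_ADDR: {addr}")
    return {"nap": (octets[0] << 8) | octets[1], "uap": octets[2],
            "lap": (octets[3] << 16) | (octets[4] << 8) | octets[5]}


def parse_inq(output: str) -> list:
    """Turn `hcitool inq` text into a list of decoded device records."""
    devices = []
    for line in output.splitlines():
        m = INQ_LINE.match(line)
        if not m:
            continue  # "Inquiring ..." header or anything we do not understand
        addr, clk, cod = m.group(1).upper(), int(m.group(2), 16), int(m.group(3), 16)
        entry = {"bdaddr": addr, "clock_offset": clk, "cod": cod}
        entry.update(split_bdaddr(addr))
        entry.update(decode_cod(cod))
        devices.append(entry)
    return devices


if __name__ == "__main__":
    for d in parse_inq(SAMPLE_INQ):
        print(f"{d['bdaddr']}  LAP=0x{d['lap']:06x}  class=0x{d['cod']:06x}  "
              f"{d['major']} / {d['minor']}  services={', '.join(d['services']) or '-'}")
```

Pipe real output into it with `hcitool inq | python3 inq_decode.py` after swapping SAMPLE_INQ for `sys.stdin.read()`. The same decoder tells you which class code to give `hciconfig hci0 class` when you later need your adapter to look like a keyboard or a headset.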

Bluetooth sniffing with BlueMaho
Kali has another graphical tool for scanning Bluetooth: BlueMaho, a suite for scanning and attacking Bluetooth devices. For now we only use it for scanning. Start it with "bluemaho.py"; a window appears as in the screenshot.
[screenshot: BlueMaho main window]


Click on the "get SDP information" button, and then the top-left button.
BlueMaho scanned and found two Bluetooth devices, and also displayed information about them in the lower window
[screenshot: BlueMaho scan results]


You may notice that the tool shows the first device, "MINIJAMBOX", as "Audio/Video, headset profile". The second device is called "SCH-I535" and, as we already know, is of type "Phone/Smartphone".

Hacking the Bluetooth Keyboard
More precisely, we will impersonate a Bluetooth keyboard to get access to the PC.
For this hack, we will need to start the Bluetooth service using the "service bluetooth start" command.
Then, using, for example, btscanner, we scan the devices.
We get this picture.
[screenshot: btscanner showing the keyboard]


Now, to perform the hack, we need to replace our adapter's MAC address and device name with those of the keyboard. The spooftooph utility does this.
The command looks like this: "spooftooph -i hci0 -a A0:02:DC:11:4F:85 -n Car537", where "-i" names our Bluetooth adapter, "-a" sets the MAC address to present and "-n" sets the Bluetooth device name.

After this command, our PC broadcasts the same name and MAC address as the keyboard. To connect as the keyboard, however, we still need the link key that the target PC and the keyboard agreed on when they were first paired: it can be brute-forced (slowly) or captured and cracked. Another option is to DoS the keyboard and, while it is knocked offline, present our PC to the target as the keyboard; this only works if the host is willing to re-pair with the spoofed address instead of demanding authentication with the link key it already stores. Once connected, we can control the PC and, with the right profiles, imitate a mouse, keyboard or microphone, listen to audio by acting as a headset, and transfer files over Bluetooth. The drawback is that the owner notices the keyboard has stopped working and may change its batteries (which we do not care about) and then re-pair it or re-insert the Bluetooth dongle. That disconnects us, and we have to wait for the keyboard to reconnect, DoS it again and reconnect. If the owner is not using the keyboard or the PC at the time, none of this matters.

Similarly, we can, for example, connect to a phone instead of a headset, and so on.
By the way, the problem of the owner's device "stopping working" can be solved with a second Bluetooth adapter: send the connection request to the PC from one adapter, confirm it with our keyboard emulation, then stop emulating the keyboard on the first adapter and disconnect it. The real keyboard or headset reconnects and carries on working normally, while we keep our own session with the target PC or smartphone.

Also, if the target is not that old, it is better to change the class of our adapter too, with "hciconfig ADAPTER class CLASS_CODE": ADAPTER is the adapter name (hci0) and CLASS_CODE is the class of device code of the device being imitated, in the same format as the 0x5a020c decoded above.
By the way, for those who prefer the hard way, the DoS can be done with l2ping alone by sending oversized packets: "l2ping -i INTERFACE -s 600 -f MAC_ADDRESS" (the "-i" argument names the Bluetooth adapter, "-s" sets the payload size in bytes, and "-f" floods the given MAC address without waiting for replies). l2ping's default payload is 44 bytes; pushing it to 600 bytes at flood rate is the classic BlueSmack attack and is enough to make many devices unresponsive.
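To make the size arithmetic concrete, here is an added example (not from the original post and not l2ping's own code) that builds the L2CAP echo request l2ping sends, so you can see how a 600-byte payload becomes a 608-byte L2CAP frame next to the 52 bytes of a default ping, and then runs a simple per-source rate and size check over a constructed sequence of frames, the kind of logic a host could apply to its own HCI traffic (what hcidump shows) to spot a BlueSmack flood. The thresholds (10 requests per second, 200-byte payload) and both addresses are assumptions for the demo.

```python
"""L2CAP echo request framing (what l2ping sends) and a BlueSmack rate/size check.

Added example, not from the original post and not l2ping's own code. The capture
below is constructed, and the detection thresholds are assumptions.
"""
import struct
from collections import defaultdict

L2CAP_SIGNALING_CID = 0x0001   # fixed channel that carries signaling commands
CODE_ECHO_REQUEST = 0x08
CODE_ECHO_RESPONSE = 0x09
L2PING_DEFAULT_SIZE = 44       # l2ping's default payload length in bytes


def build_echo_request(payload: bytes, ident: int = 1) -> bytes:
    """Basic L2CAP header (length, CID) + signaling header (code, id, length) + payload."""
    if not 1 <= ident <= 0xFF:
        raise ValueError("signaling identifier must be 1..255")
    command = struct.pack("<BBH", CODE_ECHO_REQUEST, ident, len(payload)) + payload
    return struct.pack("<HH", len(command), L2CAP_SIGNALING_CID) + command


def parse_signaling(frame: bytes) -> dict:
    """Validate both length fields and return the signaling command fields."""
    if len(frame) < 8:
        raise ValueError("frame shorter than L2CAP + signaling headers")
    length, cid = struct.unpack_from("<HH", frame, 0)
    if cid != L2CAP_SIGNALING_CID:
        raise ValueError(f"not a signaling frame (CID 0x{cid:04x})")
    if length != len(frame) - 4:
        raise ValueError("L2CAP length field does not match frame size")
    code, ident, cmd_len = struct.unpack_from("<BBH", frame, 4)
    if cmd_len != length - 4:
        raise ValueError("command length does not match L2CAP payload")
    return {"code": code, "ident": ident, "payload_len": cmd_len}


def flag_echo_floods(events, window=1.0, max_per_window=10, big_payload=200):
    """events: iterable of (timestamp_seconds, source_bdaddr, frame_bytes).

    Flags a source that sends more than max_per_window echo requests within
    any `window` seconds, or any echo request larger than big_payload bytes.
    Both thresholds are assumptions for the demo, not values from a spec.
    """
    recent = defaultdict(list)
    flagged = set()
    for ts, src, frame in events:
        try:
            sig = parse_signaling(frame)
        except ValueError:
            continue                      # malformed or non-signaling: not our concern here
        if sig["code"] != CODE_ECHO_REQUEST:
            continue
        if sig["payload_len"] > big_payload:
            flagged.add(src)              # oversized echo request: BlueSmack signature
        times = recent[src]
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) > max_per_window:
            flagged.add(src)              # too many requests in the window: flood
    return flagged


def constructed_capture():
    """Constructed traffic, not a real capture: one polite pinger, one flooder."""
    benign, flooder = "00:11:22:33:44:55", "66:77:88:99:AA:BB"   # made-up addresses
    events = []
    for i in range(5):                    # plain `l2ping`: 44-byte payload, one per second
        events.append((float(i), benign,
                       build_echo_request(b"\x00" * L2PING_DEFAULT_SIZE, ident=i + 1)))
    for i in range(50):                   # `l2ping -f -s 600`: 50 frames in half a second
        events.append((10.0 + i * 0.01, flooder,
                       build_echo_request(b"A" * 600, ident=i % 255 + 1)))
    return events


if __name__ == "__main__":
    print("default ping frame:", len(build_echo_request(b"\x00" * L2PING_DEFAULT_SIZE)), "bytes")
    print("600-byte ping frame:", len(build_echo_request(b"A" * 600)), "bytes")
    print("flagged sources:", flag_echo_floods(constructed_capture()))
```

On a real host the frames would come from the ACL data hcidump shows for the local controller; the two checks are independent, so a slow trickle of 600-byte requests is flagged by size and a fast stream of default-size requests by rate.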

By the way, you can also listen to audio from a Bluetooth headset with the carwhisperer utility.
If your target is not a modern smartphone but something older, such as a feature phone with Bluetooth, the bluesnarfer tool will very likely work (it fails on most new devices). For example, to read the address book, run "bluesnarfer -r 1-100 -b MAC_ADDRESS" to get the names of the first hundred contacts in stored order (the "-r" argument takes any range), then "bluesnarfer -s RC -r 1-100 -b MAC_ADDRESS", where "-s" selects a different phonebook storage (RC is the received-calls list, SM the SIM phonebook), and match the numbers to the names. You can also delete entries with "bluesnarfer -w 1-100 -b MAC_ADDRESS" (again, any range can be given instead of 1-100).
 