BlueTooth Hacking. The text will be continuously extended with pictures and download links. Bluetooth is a great technology that is implemented in many mobile devices. No cable is needed for communication with another device, and there are a lot of applications written directly for Bluetooth. As with WiFi, no cable is needed to connect two devices. The spread of Symbian-based mobile phones will probably bring many new possibilities into this sector. The technology has a lot of advantages, but it also has great potential to deprive the phone owner of his data. Most of today's mobile phones require the Bluetooth interface to be activated and the acceptance of incoming data to be confirmed.
But there are also a lot of people who, consciously or unconsciously, use Bluetooth without hidden mode.
A group of people who do this on purpose are basically hoping to be jacked. And what about the rest? :) BlueJacking is the common term for sending data (a vCard, a picture) to a random person, usually as a joke. Some use the opportunity for promotion. But there are also many other activities connected with Bluetooth technology. This is an overview of applications for Bluejacking, Bluesnarfing and BlueBugging.
So far there are three Bluetooth classes that differ in the output power and range of the particular device. Class 1 has output up to 100 mW and a range of about 100 m, class 2 has output 2.5 mW and a range up to about 10 m, and class 3 has the smallest output (up to 1 mW) with a range of about one meter. You also need to distinguish the standards. Bluetooth 1.1 or 1.2 (read: the technology) operates, like WiFi, in the 2.4 GHz (ISM) band with a transmission speed around 0.723 MB/s.
As already written, increasing the output power extends the range (up to 100 meters, with an external antenna even 1 km). Bluetooth supports connecting up to 9 devices. Sharing works within a piconet, where the devices are coupled on the same channel. The newer Bluetooth 2.0 will run at around a Mbit per second and can work in a non-switching mode. All devices so far work in channel-hopping mode over 79 channels. There are standardized device classes (laptop, desktop, phone, handsfree etc.) and profiles, each with its own identification. The best known are Personal Area Networking, Fax Profile, Handsfree Profile, File Transfer Profile, Serial Port Profile, Synchronization Profile, LAN Access Profile, Service Discovery Application Profile, Intercom Profile, Headset Profile and Dial-Up Networking Profile (in total around 35 different profiles). The Bluetooth architecture is based on two main protocols, L2CAP and RFCOMM (layered above L2CAP). Similarly to the TCP/IP and UDP/IP architecture, a Bluetooth device can be scanned for open ports, and vulnerabilities in the architecture or applications can be exploited.
BlueSpam finds every active device and, if it supports OBEX, sends it a file. In the default configuration it is a small text file. To configure the message to be sent you need a Palm device with an SD/MMC memory card, where you create the folder /PALM/programs/BlueSpam/Send/ and save the file there. Format support is wide; even .jpg works. The application's activity is logged in /PALM/programs/BlueSpam/Log/log.txt. BlueSpam even supports backfire: if the Palm is configured in discoverable and connectable mode, BlueSpam catches every connection request from a Bluetooth device in range and sends the defined message back to the device that wants to connect.
BTClass allows changing the Bluetooth Device Class of the PalmOS interface. With it a Palm device can be turned into a printer or a PC. The application even works on non-Bluetooth Palm devices, where it displays a reference of Bluetooth Device Classes.
btIO is a simple tool (from the author of btCrawler) for mode switching (Bluetooth Mode Switcher). It is controlled by an icon in the tray. It runs on Pocket PC 2003 or higher and on Windows Mobile 5 and 6 Pocket PC with the Microsoft Bluetooth stack. A version for Smartphone is also available.
Download btIO. All versions, including installation instructions, are available on the page.
BlueTooth Security Audit
BlueHell is a tool for testing the security of a Bluetooth interface.
BlueTest is a script for mobile phones written in Perl. It can get data from vulnerable Bluetooth devices. It can find a device, ping it, bind an interface, get information about the device, download the phone book and SMS (only the Nokia 6310i is supported), get the dialed numbers, missed and incoming calls, and make a call. Download BlueTest.
BT Audit is a pack of applications and scripts for auditing. It is divided into two separate parts, one per protocol: PSM_SCAN and RFCOMM_SCAN for PSM and RFCOMM channel scanning. Download BT Audit.
Blooover II is a Java (J2ME) audit tool. It exists as Blooover II for auditing J2ME mobiles and as a breeder edition. An easy utility for vulnerability testing. It even implements the HeloMoto attack (similar to bluebugging). Download Blooover II.
Bluetooth device scanning and sniffing
BlueScanner can detect active Bluetooth devices such as a mobile phone, or active Bluetooth in a laptop or PDA. Once an interface appears on the air, the application tries to get as much information as possible about the active hardware. Download BlueScanner (there is even a .deb package).
BlueSniff is a graphical tool for detecting discoverable or hidden Bluetooth devices. Download BlueSniff.
BTBrowser (Bluetooth Browser) is a Java (J2ME) application for browsing and discovering the technical specifications of Bluetooth devices. It detects and displays information and all available profiles. BTBrowser can run directly on a mobile phone that supports the Java Bluetooth specification JSR-82. Download BTBrowser.
btCrawler is a scanning tool for devices running the Windows Mobile operating system. It scans the surroundings for active interfaces in range and tests the accessible services available on the detected device. It directly implements the BlueJacking and BlueSnarfing attacks. Because of the anti-hacker paragraph §202c StGB in Germany, further development of the application is stopped at the moment.
The program runs on Windows Mobile with the MS Bluetooth stack (WIDCOMM/Broadcom is not supported). Known platforms that work with the application: Windows Mobile 5, PPC2003, PPC2003SE, Smartphone 2003, Smartphone 2003SE and Smartphone with WM5. Download BTCrawler.
Car Whisperer uses the default passkey (PIN) configured in Bluetooth adapters to access devices. Specifically, Car Whisperer focuses on connecting to and tapping Bluetooth handsfree kits that are commonly used in cars. It can even detect a device in invisible mode. A video demo of tapping a Bluetooth handsfree is on the BLOG. Download Car Whisperer.
This Linux application is controlled from the console. Raw files are available in the application's folder.
./carwhisperer hci0 neco.raw out.raw mac
Not every Bluetooth set uses a default PIN (the opposite is random password generation). The application uses Linux BlueZ.
Greenplaque is a scanning tool inspired by RedFang by Ollie Whitehouse (the latest version needs Affix). The tool is also part of the Bluediving suite.
RedFang is a proof-of-concept application for detecting hidden Bluetooth devices by brute forcing the last six bytes of the Bluetooth device address and calling read_remote_name(). The application is in the Bluediving suite.
Hacking, cracking Bluetooth devices
BlueBugger exploits the vulnerability known as BlueBug. BlueBug stands for several vulnerabilities that were found in a few mobile phones.
Exploiting some of these vulnerabilities allows taking control of the phone and gaining unauthorized access to its call list, phone book or other personal information. Download BlueBugger.
CIHWB (Can I Hack With Bluetooth) is a Bluetooth security framework for auditing. The application is intended for Windows Mobile 2005 PocketPC. At the moment it implements only a few exploits and BlueSnarf tools, BlueJack and three DoS attacks. Download CIHWB.
Bluediving is a full-featured penetration suite for Bluetooth vulnerability testing. At the moment it is the best tool of all. It implements tools such as BlueSnarf, BlueSnarf++, BlueBug and BlueSmack. Tools included in the suite allow spoofing of the Bluetooth address (an analogy of MAC spoofing) and provide an AT and RFCOMM socket shell. Other tools in the pack are bss, carwhisperer, an L2CAP packet generator, a connection resetter, an RFCOMM scanner and the greenplaque scanning mode.
Picture comments: yes, you are right :) It is the first known working build of the Bluediving application under Ubuntu (for better accessibility all tutorials are written for Ubuntu, as is the Hacking WiFi networks tutorial). Service scanning of an available Bluetooth device by the Bluediving application
Tools included in the Bluediving pack for exploiting Bluetooth vulnerabilities
Scan before BlueJacking
Picture sent to a mobile phone by the Bluediving application
Configuration file (where you also set whether to send a vCard or a picture as a vCard for bluejacking)
BluedivingNG config file
<!-- Device -->
<!-- Where to keep logs? -->
<!-- How many seconds to wait before starting a new scan in loop mode -->
<!-- Play sounds? 1 == true / 0 == false -->
<!-- My WAV file (for new devices found on the air) -->
<!-- My RAW file for carwhisperer -->
<!-- My nasty vcard -->
<!-- The default channel -->
<!-- Default device name -->
<!-- Default device type (phone|laptop|headset|desktop|apple|carkit) -->
<!-- You can also specify a hex number -->
<!-- Should the device be visible? 1 == true / 0 == false -->
<!-- scanning mode - hcitool or greenplaque (default: hcitool) -->
<!-- Where to find the tools -->
Download Bluediving. The dependencies are also listed on the page.
T-BEAR (Transient Bluetooth Environment Auditor) is a security platform for auditing active Bluetooth interfaces. The platform combines tools for browsing, sniffing and cracking. Download T-BEAR.
Bluesnarfer can get the phone book from any mobile device that is vulnerable to the Bluesnarfing attack. Bluesnarfing is a security flaw that can be found in most mobile phones with Bluetooth. If the phone is vulnerable, it can be paired without alerting the user and you get access to the saved data. Download Bluesnarfer.
BlueSmack is a script for a DoS (Denial of Service) attack on a Bluetooth device. The script is included in the Bluediving pack.
BTcrack is an application implementing a brute force attack. On a P4 it runs at 200,000 keys per second. It supports several modes for getting access. The application can reconstruct the passkey (or link key) from data captured during device pairing. To capture that data you need a professional device or a USB Bluetooth device that supports RAW mode. Cracking the BT PIN is described in the paper by the researchers Avishai Wool and Yaniv Shaked (MobiSys). Download BTcrack.
Basic tools for BlueTooth configuration
Detection of a Bluetooth device
airdump@stage:~$ sudo hcitool info 00:11:22:33:44:55
Requesting information …
BD Address: 00:11:22:33:44:55
Device Name: NODE
LMP Version: 2.0 (0x3) LMP Subversion: 0x4176
Manufacturer: Broadcom Corporation (15)
Features: 0xff 0xff 0x8d 0xfe 0x9b 0xf9 0x00 0x80
<3-slot packets> <5-slot packets>
<3-slot EDR ACL> <5-slot EDR ACL>
<3-slot EDR eSCO>
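When auditing a site, the output above is usually collected for many devices. The following parser is an added example (not from the page or from BlueZ) that turns one `hcitool info` record into a dictionary, decodes a handful of LMP feature bits, and flags a device that does not advertise encryption; the sample text is the record shown above, copied into a string, and the feature table is deliberately partial.

```python
import re

# Constructed sample: the hcitool info output shown above, copied into a string.
SAMPLE_INFO = """\tBD Address:  00:11:22:33:44:55
\tDevice Name: NODE
\tLMP Version: 2.0 (0x3) LMP Subversion: 0x4176
\tManufacturer: Broadcom Corporation (15)
\tFeatures: 0xff 0xff 0x8d 0xfe 0x9b 0xf9 0x00 0x80
\t\t<3-slot packets> <5-slot packets>
"""

# (byte index, bit index, name) for a few bits of the LMP features mask as
# defined in the Bluetooth Core specification; deliberately not the full table.
FEATURE_BITS = [(0, 0, "3-slot packets"), (0, 1, "5-slot packets"),
                (0, 2, "encryption"), (4, 7, "3-slot EDR ACL"),
                (5, 0, "5-slot EDR ACL"), (5, 7, "3-slot EDR eSCO")]

def parse_hcitool_info(text):
    """Extract the fields of `hcitool info` output; returns {} if no address is found."""
    m = re.search(r"BD Address:\s*([0-9A-Fa-f:]{17})", text)
    if not m:
        return {}
    info = {"bd_addr": m.group(1).upper()}
    m = re.search(r"Device Name:\s*(.*)", text)
    info["name"] = m.group(1).strip() if m else ""
    m = re.search(r"Manufacturer:\s*(.*?)\s*\((\d+)\)", text)
    info["manufacturer"] = m.group(1) if m else ""
    info["manufacturer_id"] = int(m.group(2)) if m else None
    # The features line is eight hex bytes; keep them as integers for bit tests.
    m = re.search(r"Features:\s*((?:0x[0-9A-Fa-f]{2}\s*)+)", text)
    info["features"] = [int(b, 16) for b in m.group(1).split()] if m else []
    return info

def decode_features(features):
    """Names of the known feature bits that are set in the features bytes."""
    return [name for byte, bit, name in FEATURE_BITS
            if byte < len(features) and features[byte] >> bit & 1]

def audit(text):
    """Parse one device record and flag a device that does not advertise encryption."""
    info = parse_hcitool_info(text)
    if info:
        info["supports"] = decode_features(info["features"])
        info["no_encryption"] = "encryption" not in info["supports"]
    return info

if __name__ == "__main__":
    print(audit(SAMPLE_INFO))
```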
Useful tools for Bluetooth configuration
Bluetooth is highly configurable on the Linux platform. There are a lot of tools, including a developer platform and API. Everything is available for free.
Basic tools that will help you control the BT interface:
hciattach, hciconfig, hcid, hcidump, hcitool
Options of hcidump
airdump@eon:~$ sudo hcidump --help
HCI sniffer - Bluetooth packet analyzer ver 1.41
Usage: hcidump [OPTION...] [filter]
-i, --device=hci_dev HCI device
-l, --snap-len=len Snap len (in bytes)
-p, --psm=psm Default PSM
-m, --manufacturer=compid Default manufacturer
-w, --save-dump=file Save dump to a file
-r, --read-dump=file Read dump from a file
-s, --send-dump=host Send dump to a host
-n, --recv-dump=host Receive dump on a host
-d, --wait-dump=host Wait on a host and send
-t, --ts Display time stamps
-a, --ascii Dump data in ascii
-x, --hex Dump data in hex
-X, --ext Dump data in hex and ascii
-R, --raw Dump raw data
-C, --cmtp=psm PSM for CMTP
-H, --hcrp=psm PSM for HCRP
-O, --obex=channel Channel for OBEX
-P, --ppp=channel Channel for PPP
-D, --pppdump=file Extract PPP traffic
-A, --audio=file Extract SCO audio data
-B, --btsnoop Use BTSnoop file format
-V, --verbose Verbose decoding
-Y, --novendor No vendor commands or events
-N, --noappend No appending to existing files
-4, --ipv4 Use IPv4 as transport
-6, --ipv6 Use IPv6 as transport
-h, --help Give this help list
--usage Give a short usage message
All commands available in hcitool can be listed by typing hcitool in the console:
hcitool - HCI Tool ver 3.29
hcitool [options] [command parameters]
--help Display help
-i dev HCI device
dev Display local devices
inq Inquire remote devices
scan Scan for remote devices
name Get name from remote device
info Get information from remote device
spinq Start periodic inquiry
epinq Exit periodic inquiry
cmd Submit arbitrary HCI commands
con Display active connections
cc Create connection to remote device
dc Disconnect from remote device
sr Switch master/slave role
cpt Change connection packet type
rssi Display connection RSSI
lq Display link quality
tpl Display transmit power level
afh Display AFH channel map
lst Set/display link supervision timeout
auth Request authentication
enc Set connection encryption
key Change connection link key
clkoff Read clock offset
clock Read local or remote clock
BlueTooth Interface Configuration
Configuration discovery and device detection
Every Bluetooth device has an assigned so-called class. The command for finding out the class is
hciconfig hci0 class
Changing the device class
hciconfig hci0 class 0x0000
Class values: 0x50204 for a mobile phone, 0x180204 for a laptop etc.
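The class is a packed 24-bit number, so reading it by eye is error-prone. The decoder below is an added example (not from the page or from BlueZ) that splits a class value as printed by hciconfig hci0 class into its major device class, minor device class and service bits, and builds one from its fields. It assumes the standard Class of Device layout from the Bluetooth Assigned Numbers (bits 0-1 format, 2-7 minor class, 8-12 major class, 13-23 major service classes); the lookup tables are partial and the values in the main block are constructed.

```python
# Class of Device (CoD) field layout per the Bluetooth Assigned Numbers:
# bits 0-1 format type, 2-7 minor device class, 8-12 major device class,
# 13-23 major service classes. Tables below are partial on purpose.
MAJOR_DEVICE = {0: "Miscellaneous", 1: "Computer", 2: "Phone",
                3: "LAN/Network Access Point", 4: "Audio/Video",
                5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
                9: "Health", 31: "Uncategorized"}
MINOR_DEVICE = {  # only the two major classes this page talks about
    1: {1: "Desktop workstation", 2: "Server", 3: "Laptop", 4: "Handheld PDA",
        5: "Palm-size PDA", 6: "Wearable computer"},
    2: {1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}
SERVICE_BITS = {13: "Limited Discoverable Mode", 16: "Positioning",
                17: "Networking", 18: "Rendering", 19: "Capturing",
                20: "Object Transfer", 21: "Audio", 22: "Telephony",
                23: "Information"}

def decode_cod(cod):
    """Split a 24-bit CoD into its fields; raises ValueError for a bad value."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("CoD must fit in 24 bits")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "major": MAJOR_DEVICE.get(major, "Reserved (%d)" % major),
        "minor": MINOR_DEVICE.get(major, {}).get(minor, "minor 0x%02x" % minor),
        "services": [name for bit, name in SERVICE_BITS.items() if cod >> bit & 1],
        # A device in limited discoverable mode answers only limited inquiries.
        "limited_discoverable": bool(cod >> 13 & 1),
    }

def encode_cod(major, minor, service_bits=()):
    """Build a CoD from its fields, e.g. to feed `hciconfig hci0 class 0x...`."""
    cod = (major & 0x1F) << 8 | (minor & 0x3F) << 2
    for bit in service_bits:
        cod |= 1 << bit
    return cod

if __name__ == "__main__":
    # Constructed values: the page's phone class and a laptop with Object Transfer.
    for value in (0x50204, 0x10010C):
        print("0x%06x -> %s" % (value, decode_cod(value)))
```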
Commands for configuration with hciconfig
hciconfig - HCI device configuration utility
hciconfig [-a] hciX [command]
up Open and initialize HCI device
down Close HCI device
reset Reset HCI device
rstat Reset statistic counters
auth Enable Authentication
noauth Disable Authentication
encrypt Enable Encryption
noencrypt Disable Encryption
secmgr Enable Security Manager
nosecmgr Disable Security Manager
piscan Enable Page and Inquiry scan
noscan Disable scan
iscan Enable Inquiry scan
pscan Enable Page scan
ptype [type] Get/Set default packet type
lm [mode] Get/Set default link mode
lp [policy] Get/Set default link policy
name [name] Get/Set local name
class [class] Get/Set class of device
voice [voice] Get/Set voice setting
iac [iac] Get/Set inquiry access code
inqtpl [level] Get/Set inquiry transmit power level
inqmode [mode] Get/Set inquiry mode
inqdata [data] Get/Set inquiry data
inqtype [type] Get/Set inquiry scan type
inqparms [win:int] Get/Set inquiry scan window and interval
pageparms [win:int] Get/Set page scan window and interval
pageto [to] Get/Set page timeout
afhmode [mode] Get/Set AFH mode
sspmode [mode] Get/Set Simple Pairing Mode
aclmtu Set ACL MTU and number of packets
scomtu Set SCO MTU and number of packets
putkey Store link key on the device
delkey Delete link key from the device
oobdata Display local OOB data
commands Display supported commands
features Display device features
version Display version information
revision Display revision information
For a start you will need just:
lsusb – detection of the device type or manufacturer
hciconfig hci0 up – activates the Bluetooth device
hciconfig -a – shows services and information about your own device
hcitool scan hci0 – scans the air for devices
sdptool browse bd_addr – fingerprints the available devices