Bluetooth Hacking 101

The Bluetooth protocol is widely deployed in electronic devices such as:

  • laptops
  • wireless speakers
  • wireless headsets
  • smartphones
  • car audio systems
  • tablets and handhelds
  • smart watches
  • IoT devices
  • kitchen appliances and toothbrushes

Few people even stop to think of Bluetooth as a security risk.
The Bluetooth standard came into existence through the Bluetooth Special Interest Group.

Bluetooth Special Interest Group

The Bluetooth Special Interest Group consists of more than 1000 companies, including Motorola, Intel, Siemens, Ericsson and Toshiba.
Bluetooth is standardized by the IEEE as IEEE 802.15.1.
Bluetooth is very user friendly and easy to use.
You can simply discover nearby devices within range at the press of a button.

Bluetooth is described as near field communication (it is limited in range), operating at 2.4 to 2.485 GHz.
It uses frequency-hopping spread spectrum, hopping up to 1600 times per second.
Frequency hopping means that the signal keeps jumping between frequencies within a specific range.

Bluetooth units have a 48-bit identifier assigned at the factory by the manufacturer.

This can be compared to a MAC address on a network adapter card.
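Because that 48-bit address is the key you will use to keep an inventory of Bluetooth devices, it helps to parse it properly instead of comparing raw strings. The following is an added example, not code from the original article: it validates an address, splits it into the NAP/UAP/LAP parts the Bluetooth core specification defines (the split is standard; the inventory and scan results below are constructed sample data), canonicalises the spelling, and reports any scanned address that is not on an asset list.

```python
import re
from dataclasses import dataclass

# Accepts "AA:BB:CC:DD:EE:FF" or "AA-BB-CC-DD-EE-FF", upper or lower case,
# with one separator style used consistently within a single address.
_BDADDR_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class BdAddr:
    """The 48-bit Bluetooth device address (BD_ADDR) split the way the core spec does."""
    value: int  # full 48-bit number
    nap: int    # upper 16 bits: Non-significant Address Part
    uap: int    # middle 8 bits: Upper Address Part
    lap: int    # lower 24 bits: Lower Address Part

    @property
    def oui(self) -> str:
        # Vendor prefix: the first three bytes (NAP + UAP), same position as an Ethernet OUI.
        return f"{self.value >> 24:06X}"

    def __str__(self) -> str:
        # Canonical form: upper-case, colon separated, most significant byte first.
        return ":".join(f"{(self.value >> (8 * i)) & 0xFF:02X}" for i in range(5, -1, -1))


def parse_bdaddr(text):
    """Validate and split an address string; raise ValueError unless it is exactly 6 hex bytes."""
    s = text.strip()
    if not _BDADDR_RE.match(s):
        raise ValueError(f"not a valid 48-bit Bluetooth address: {text!r}")
    value = int(re.sub(r"[:-]", "", s), 16)
    return BdAddr(value=value, nap=value >> 32, uap=(value >> 24) & 0xFF, lap=value & 0xFFFFFF)


# Constructed sample data: a small asset inventory and the addresses a scan reported.
INVENTORY = ["00:1A:7D:DA:71:13", "00-1a-7d-da-71-14"]
SEEN = ["00:1a:7d:da:71:13", "C8:3D:D4:00:00:01", "not-an-address"]


def find_unknown(seen, inventory):
    """Return (canonical addresses missing from the inventory, inputs that could not be parsed)."""
    known = {str(parse_bdaddr(a)) for a in inventory}
    unknown, malformed = [], []
    for a in seen:
        try:
            canon = str(parse_bdaddr(a))
        except ValueError:
            malformed.append(a)  # surface bad input instead of silently dropping it
            continue
        if canon not in known:
            unknown.append(canon)
    return unknown, malformed


if __name__ == "__main__":
    addr = parse_bdaddr(INVENTORY[0])
    print(addr, "NAP=%04X UAP=%02X LAP=%06X OUI=%s" % (addr.nap, addr.uap, addr.lap, addr.oui))
    print(find_unknown(SEEN, INVENTORY))
```

Canonicalising before comparing matters because scanners, logs and asset lists rarely agree on case or separator; the malformed list is returned separately so that a typo in the inventory shows up instead of quietly turning a known device into an unknown one.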

10th Century Danish King Harald Bluetooth (Harald Blaatand)

Another historical detail about Bluetooth is that the name comes from the 10th century Danish King Harald Bluetooth.

He united the different tribes in Denmark.
In the same way, Bluetooth unites communication protocols from multiple devices.
Other stories claim that the king had a bad, blue tooth, or that he often wore blue clothes.

A common myth about Bluetooth is that it is limited to a maximum range of ten meters.
That is only true for Bluetooth 3.0.

There are several versions of Bluetooth:

  • 3.0 - 25 Mbit/s 10 meters (33 ft)
  • 4.0 - 25 Mbit/s 60 meters (200 ft)
  • 5.0 - 50 Mbit/s 240 meters (800 ft)

Bluetooth works as a layered protocol architecture, so several protocols are stacked on top of each other.
The mandatory protocols are L2CAP, LMP and SDP. The protocols in the stack are:

  • L2CAP: Logical Link Control & Adaptation Protocol. Used for multiplexing multiple connections between devices.
  • LMP: Link Management Protocol. Used to set up and control the communication link between devices.
  • SDP: Service Discovery Protocol. How devices find out what services each of them offers.
  • RFCOMM: Radio Frequency Communications. Provides a data stream, comparable to a virtual serial port.
  • BNEP: Bluetooth Network Encapsulation Protocol. Used to carry other protocols over an L2CAP channel by encapsulating them.
  • AVCTP: Audio/Video Control Transport Protocol. Used to carry audio/video control commands over an L2CAP channel.
  • HCI: Host Controller Interface. A standardized interface between the host stack (the operating system) and the Bluetooth controller circuit.
  • OBEX: Object Exchange. Used for transferring binary objects between devices. Originally designed for infrared, but now used by Bluetooth, for example to access printing, phonebooks and other features over RFCOMM.

[Figure: Bluetooth protocol stack]

The Bluetooth Special Interest Group unveiled the latest version, Bluetooth 5.0, in London on 16th June 2016.
Version 5.0 of Bluetooth is targeted at Internet of Things (IoT) devices.

When two devices are paired over Bluetooth they exchange a lot of information, such as the device name and the list of services.
Bluetooth security is defined by four modes.
The level of security depends on which security mode your device uses.

The Bluetooth security modes are as follows.

Security Mode 1 is non-secure: no security at all.

Security Mode 2 controls access to certain services and deploys a security manager.

It only works after a link is established.
In Security Mode 2 there are several levels:

  • Level 1: Open to all devices; this is the default level.
  • Level 2: Only allowed with authentication.
  • Level 3: Requires authentication, and a PIN must be entered.

Security Mode 3
initiates security measures before any connection is established, supporting authentication and encryption.
NIST considers this the most secure.

Security Mode 4
requires authenticated links, but as in Security Mode 2 it only initiates encryption and authentication after a link is established.
This makes it less secure.

Now that some of the weaknesses in Bluetooth are clear, how can a black hat cracker/hacker attack it?

There are several vulnerabilities in Bluetooth, and attacks that exploit them.

Some misconceptions should be addressed first, though.
It is not like in the movies and on TV, where forced pairing can be done to any device.
This is only possible if the device is quite outdated.

Popular Bluetooth attacks include:

  • Bluesnipping: A variant of the popular Bluesnarfing, working at longer ranges; released at Defcon back in 2004.
  • Bluesnarfing: A bundle of attacks where the attacker attempts to get data from a phone with Bluetooth enabled.
  • Bluejacking: Sending unsolicited data over Bluetooth to a phone. This can be used to send instant messages.
  • Bluesmacking: A popular Denial of Service (DoS) attack where the target gets flooded with packets.
  • Bluebugging: Remote access to the phone's features. Similar to Bluesnarfing, but the goal is not to get data but to activate features.
  • Bluesniffing: Similar to war driving. The black hat attacker tries to find Bluetooth devices to attack later on.
  • Blueprinting: Enumeration, getting the name and other sensitive information from the target to base other attacks on.
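Of the attacks above, Bluesmacking is the one a defender can spot from traffic volume alone: the target is flooded with packets from one source. The following is an added example, not code from the original article, of a sliding-window rate detector run over a constructed, simplified event log (one inbound packet per line with a timestamp, source address, protocol and length; the format is invented for the example and is not the output of any real capture tool). The threshold and window are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not real btmon/hcidump output):
#   2024-05-01T10:00:00.250 src=AA:BB:CC:00:00:02 proto=l2cap len=600
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[0-9A-F:]{17}) proto=(?P<proto>\w+) len=(?P<len>\d+)$"
)


def _line(ts, src, proto="l2cap", length=44):
    return f"{ts.isoformat(timespec='milliseconds')} src={src} proto={proto} len={length}"


_BASE = datetime(2024, 5, 1, 10, 0, 0)
# Constructed sample: one device sending a packet every 2 s (benign) and one
# sending 120 packets 5 ms apart (a flood). Addresses are made up.
SAMPLE_LOG = (
    [_line(_BASE + timedelta(seconds=i * 2), "AA:BB:CC:00:00:01") for i in range(5)]
    + [_line(_BASE + timedelta(milliseconds=i * 5), "AA:BB:CC:00:00:02", length=600)
       for i in range(120)]
)


def detect_floods(lines, window=timedelta(seconds=1), threshold=50):
    """Return {source: {"at": first alert time, "packets_in_window": count}} for every
    source that exceeds `threshold` packets within any `window`. Lines must be in
    time order per source; unparseable lines are skipped."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = {"at": ts, "packets_in_window": len(q)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_floods(SAMPLE_LOG).items():
        print(f"flood from {src}: {info['packets_in_window']} packets within 1 s at {info['at']}")
```

One alert per source is raised the first time the window fills, which is what you want to feed into an alerting pipeline; the benign device never gets close to the threshold because only one of its packets is ever inside the one-second window.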

Bluetooth can also be enabled on laptops by default, leaving them open to attacks.
Most users are not even aware that their new laptops have Bluetooth enabled by default.

Even secure organisations that block other attack vectors such as USB, DVD and network file transfers completely forget about Bluetooth.
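The quickest way to find out whether a laptop is in that state is to look at what the local controller advertises. The following is an added example, not code from the original article: it parses the block that `bluetoothctl show` prints on a Linux host (the sample output is constructed; the field names match what the tool prints) and turns the powered, discoverable and pairable settings into findings. A discoverable controller with no timeout is exactly what Bluesniffing and Blueprinting look for.

```python
# Constructed sample of `bluetoothctl show` output on a Linux host (names and
# address are made up; the real tool prints one such block per local controller).
SAMPLE_SHOW = """\
Controller 00:1A:7D:DA:71:13 (public)
\tName: corp-laptop-42
\tAlias: corp-laptop-42
\tClass: 0x006c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
\tUUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)
\tDiscovering: no
"""


def parse_show(text):
    """Turn the 'Key: value' lines into a dict; the Controller line supplies the address."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Controller "):
            info["Address"] = line.split()[1]
            continue
        key, sep, value = line.partition(": ")
        if sep and key != "UUID":  # UUID repeats per profile and is not needed here
            info[key] = value
    return info


def audit(info):
    """Return a list of human-readable findings for one controller."""
    findings = []
    if info.get("Powered") != "yes":
        return findings  # radio off: nothing is reachable over the air
    findings.append("Bluetooth radio is powered on")
    if info.get("Discoverable") == "yes":
        # bluetoothctl prints the timeout as a hex value in seconds; 0 means forever.
        timeout = int(info.get("DiscoverableTimeout", "0"), 16)
        if timeout == 0:
            findings.append("controller is discoverable with no timeout (permanently visible to scans)")
        else:
            findings.append(f"controller is discoverable for {timeout} s")
    if info.get("Pairable") == "yes":
        findings.append("controller accepts new pairing requests")
    return findings


if __name__ == "__main__":
    import subprocess
    try:
        # On a real host, audit the live controller; fall back to the sample otherwise.
        text = subprocess.run(["bluetoothctl", "show"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SHOW
    info = parse_show(text)
    print(info.get("Address", "?"), info.get("Name", "?"))
    for f in audit(info):
        print(" -", f)
```

A fleet-wide version of this is a few lines more: run it from a configuration-management job and ship the findings to wherever you collect host posture, so that "Bluetooth is on and discoverable" is tracked the same way as "USB storage is enabled".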

Bluetooth Security Pen Testing Hacking Tools

There are several Bluetooth auditing tools for smartphones such as Android and iPhone that can easily identify nearby vulnerable devices.

Other tools are available that scan for Bluetooth devices and even attempt to break into them.

Penetration testers will often have a whole arsenal of tools and techniques for hacking Bluetooth.

There are also several high-powered Bluetooth devices that allow connecting from far away.

Some other popular Bluetooth tools:

  • Blue Sniff
  • Blue Alert
  • BT Audit
  • CIHwBT
  • btscanner
  • Bloover II
  • Bluediving
  • btCrawler
  • Bluesnarfer
  • BH BlueJack
  • Bluescanner
  • PhoneSnoop

Bluetooth security

Hacking of Bluetooth is becoming more popular, as was seen with WiFi hacking in the earlier days.

It is more profitable for black hat hackers to target Bluetooth-enabled devices.

Due to the high focus on Bluetooth hacking, more tools and vulnerabilities will come out in the future.

Hackers are constantly reverse engineering Bluetooth to discover new zero-day vulnerabilities that can be exploited.