BlueTooth Hacking. The text will be continuously completed with pictures and links for download. BlueTooth is a great technology that is implemented in several mobile apparatus. For communication with other apparatus no cable is necessary and there is a lot of applications dedicated directly for Bluetooth. As well as in the case with WiFi there is not necessary a cable for connecting two apparatuses. Expansion of Symbian based mobile phones will probably bring into this sector many new possibilities. This technology has a lot of advantages but has as well a great potential to deprive the mobile phone owner of his datas. Most of the mobile phones today needs to activate the BlueTooth interface and to confirm the datas acceptance. But there is also a lot of people who consciously or unconsciously use BlueTooth without Hidden mode. A groupe of people who is doing this on purpose is basicly hoping to be jacked. And what about the rest? :) BlueJacking is commonly known as a term for sending datas (vCard, picture) to a random person with a focus on the humour. Someone uses this opportunity for promotion. But there is also a lot of other activities connected to BlueTooth technology. This is an overview of applications for Bluejacking, Bluesnarfing and BlueBugging.
So far there are three BlueTooth versions that differ in output and reach of particular apparatus. The class with output up to 100 mW and reach about 100 m, class 2 with output 2,5 mW and reach up to do 10m (+/-). The third class has the smallest output (up to 1 mW) with the reach about one meter. You also need to diversify the standards. Bluetooth 1.1 or 1.2 (read technology) that operate as well as WiFi in the band 2.4 GHz (ISM band) with the transmission speed around 0.723 MB/s. As it was writen, increasing the output will extend the reach (up to 100 meters, with the use of an external antenna even 1 km). Bluetooth supports connection of up to 9 apparatuses. Sharing works within piconet -u where the apparatuses are coupled on the same channel. The newer technology Bluetooth 2.0 will run around Mbit in a second and can work in a non-switching mode. All apparatuses so far work on channel hopping mode and 79 channels. There are standardized apparatuses classes (laptop, desktop, phone, handsfree etc.) and profiles which have their own identification. The best-known are Personal Area Networking, Fax Profile, Handsfree Profile, File Transfer Profile, Serial Port Profile, Synchronization Profile, LAN Access Profile, Service Discovery Application Profile, Intercom Profile, Headset Profile and Dial-Up-Networking Profile (in total around 35 different profiles). Architectura Bluetooth is based on two main protocols, L2CAP and RFCOMM (lined above L2CAP). Similary as in TCP/IP, UDP/IP architecture can even Bluetooth apparatus scan onto open ports and exploit vulnerability in architecture or applications.
Utility
BlueSpam can find every active apparatus and if it supports OBEX it will send the file. In the default configuration it is a small text file. To configurate the message so it can be send you need a Palm apparatus with SD/MMC memory card where you have to create a folder /PALM/programs/BlueSpam/Send/ to save the file there. The format support is wide, even .jpg works. The application activity is recorded in /PALM/programs/BlueSpam/Log/log.txt. The application BlueSpam supports even backfire. In case that Palm is configurated in mode discoverable and connectable BlueSpam will catch every request for connection of a bluetooth apparatus in the reach and will send back defined message onto the apparatus that want to connect.
BTClass allows to change Bluetooth Device Class for PalmOS interface. By this possibility can be Palm apparatus changed into printer or PC. The application works even on non Bluetooth Palm apparatuses where it detects and displays references on Bluetooth Device Classes.
btIO is a simple tool (from the same author as the program btCrawler) for mode change (Bluetooth Mode Switcher). It is controled by the icon in the tray. It runs on Pocket PC 2003 or higher, Windows Mobile 5 and 6 Pocket PC with Microsoft Bluetooth Stackem. Even version for Smartphone is available.
Download btIO. There are available all versions including the instruction for application installation on the page.
BlueTooth Security Audit
BlueHell is a tool for testing the bluetooth interface safety.
BlueTest is a script for mobile phone writen in Perl language. It can get datas from vulnerable Bluetooth apparatuses. It can find the apparatus, ping, bind interface, get information about the apparatus, download the phone book and sms (only Nokia 6310i is supported), get the called phone numbers, missed and incoming calls, make a call. Download BlueTest.
BT Audit pack of applications and scripts for audit. BT Audit is divided into two separate parts. Each for different protocol, PSM_SCAN a RFCOMM_SCAN for PSM and RFOMM channel scanning. Download BT Audit
Blooover II is a tool for audit based on Java (J2ME). It exists in version Blooover II for audit J2ME mobiles and as a breeeder edition. Easy utility for vulnerability testing. It even implements HeloMoto attack (similar to bluebugging). Download Blooover II.
Bluetooth apparatus scanning and sniffing
BlueScanner can detect active Bluetooth apparatus such as mobile phone, active bluetooth in a laptop or PDA. After the interface appears in the ether the application will try to get maximum information about the active hardware. Download BlueScanner (there is even a .deb package).
BlueSniff is a grafic tool for detection of discoverable or hiden Bluetooth instruments. Download BlueSniff.
BTBrowser (Bluetooth Browser) is a Java (J2ME) application that allows to brows and discover technical specifications of BlueTooth. It detects and displays information and all available profiles. BTBrowser can be run directly on a mobile phone that supports Java Bluetooth specification JSR-82 Download BTBrowser.
btCrawler is a scanning tool for an apparatus with the operating system Windows Mobile. It scans the surroundings for active interface within the grasp and tests accesible services that are available on the detected apparatus. It directly implements BlueJacking and BlueSnarfing attack. Because of the antihackers principle ยง202c StGB in Germany any further application development is stoped at this moment.
The program runs on Windows Mobile with MS Bluetooth Stack (WIDCOMM, Broadcom is not supported). Known platforms that cooperate with the application: Windows Mobile 5, PPC2003, PPC2003SE, Smartphone 2003, Smartphone 2003SE and Smartphone with WM5. Download BTCrawler.
Car Whisperer uses default configuration passkey (PIN) in Bluetooth adapters for an access toinstruments. Concretely car whisperer is focused on connection and tapping of bluetooth handsfree that are commonly used in cars. It can detect even an apparatus in the invisible mode. Video demos tapping bluetooth handsfree v BLOGu. Download car whisperer.
This Linux application is controled by the console. Raw files are available in the folder of the application.
./carwhisperer hci0 neco.raw out.raw mac
Not every Bluetooth set uses default PIN (the contrary is a random password generating). The application uses Linux BlueZ
Greenplaque is a scanning tool inspired with RedFangem by Ollie Whitehouse (the latest version needs Affix). The tool is also a part of Bluediving suite.
RedFang proof-of-concept application for detecting hiden BlueTooth apparatus by brute force atact on last six bajts Bluetooth apparatus address and read_remote_name(). The application is in BlueDiving suite
Hacking, cracking Bluetooth apparatus
BlueBugger exploits vulnerability known as BlueBug. BlueBug stands for several vulnerabilities that were found in few mobile phones. Exploitation of some vulnerabilities allows to get the control and the unauthorized access into the list of calls in the mobile phone, phone book or other personal information. Download BlueBugger.
CIHWB (Can I Hack With Bluetooth) is a Bluetooth security framework for audit. The application is assigned for Windows Mobile 2005 PocketPC. At this moment it implements only few exploits and BlueSnarf tools, BlueJack and three DoS attacks. Download CIHWB.
Bluediving is a full-value penetrating suite for BlueTooth vulnerability testing. At this moment it is the best tool at all. It implements tools such as BlueSnarf, BlueSnarf++, BlueBug, BlueSmack. Tools included in this suite allow spoofing of Bluetooth address (analogy of MAC spoofing), AT and RFCOMM socket shell. Next tools in the pack are bss, carwhisperer, L2CAP packet generator, resetator of connection, RFCOMM scanner and greenplaque sscanning mode.
Picture comments: yes you are right :) It is the first known and functional compilation of the application Bluediving under Ubuntu (for better availability all tutorials are writen on Ubuntu, as well as tutorial Hacking WiFi nets). Servis scanning on available BlueTooth apparatus by Bleudiving application
Tools included in the pack Bluediving for exploitaci vulnerabilities BlueTooth
Scan before BlueJacking
Picture sent to mobile phone by BlueDiving application
Configuration file (where you even have to set if you want to send vCard or like a vCrad picture - bluejacking
<?xml version="1.0" ?>
<!--
BluedivingNG config file
-->
<config>
<!-- Device -->
<device>hci0</device>
<!-- Where to keep logs? -->
<logdir>/var/log/bluediving/</logdir>
<logfile>main.log</logfile>
<!-- How many seconds to wait before starting
a new scan in loop mode -->
<loop_timeout>5</loop_timeout>
<!-- Play sounds? 1 == true / 0 == false -->
<play_sound>0</play_sound>
<!-- My WAV file (for new devices found on the air) -->
<sound_file>sounds/explosion.wav</sound_file>
<!-- My RAW file for carwhisperer -->
<raw_file>sounds/out.raw</raw_file>
<!-- My nasty vcard -->
<vcard>vcards/airdump.png</vcard>
<!-- The default channel -->
<channel>17</channel>
<!-- Default device name -->
<device_name>airdump.net</device_name>
<!-- Default device type (phone|laptop|headset|desktop|apple|carkit) -->
<!-- You can also specify a hex number -->
<device_type>phone</device_type>
<!-- Should the device be visible? 1 == true / 0 == false -->
<device_visibility>0</device_visibility>
<!-- scanning mode - hcitool or greenplaque (default: hcitool) -->
<scan_mode>greenplaque</scan_mode>
<!-- Where to find the tools -->
<hciconfig>/usr/sbin/hciconfig</hciconfig>
<hcitool>/usr/bin/hcitool</hcitool>
<sdptool>/usr/bin/sdptool</sdptool>
<l2ping>/usr/bin/l2ping</l2ping>
<rfcomm>/usr/bin/rfcomm</rfcomm>
<obexftp>/usr/bin/obexftp</obexftp>
<mpg123>/usr/bin/mpg123</mpg123>
<sox>/usr/bin/sox</sox>
<play>/usr/bin/play</play>
<rfcomm_shell>tools/rfcomm_shell</rfcomm_shell>
<btobex>tools/btobex</btobex>
<btftp>tools/btftp</btftp>
<hstest>tools/hstest</hstest>
<attest>tools/attest</attest>
<atshell>tools/atshell</atshell>
<change_btaddr>tools/bdaddr</change_btaddr>
<redfang>tools/redfang</redfang>
<greenplaque>tools/greenplaque</greenplaque>
<carwhisperer>tools/carwhisperer</carwhisperer>
<bss>tools/bss</bss>
<l2cappacket>tools/l2cap-packet</l2cappacket>
<bccmd>tools/bccmd</bccmd>
<hcidump_crash>tools/hcidump-crash</hcidump_crash>
<l2cap_headersize_overflow>tools/l2cap_headersize_overflow</l2cap_headersize_overflow>
Download Bluediving. On the page are mentioned even dependences.
T-BEAR (Transient Bluetooth Environment Auditor) is a security platform for audit of active Bluetooth interfaces. The platfrom associates tools for browsing, sniffing and cracking. Download T-BEAR.
Bluesnarfer can get the phone book from any mobile apparatus that is vulnerable to Bluesnarfing atack. Bluesnarfing is a security mistake that can be found in most of the mobile phones with Bluetooth. If the phone is vulnerable it can be coupled without users alert and you can get the access to saved datas. Download Bluesnarfer.
BlueSmack is a script for DoS (Denial of Service) atack on Bluetooth apparatus. The script is included in the Bluediving pack
BTcrack is an application with an implementation brute force attack. The speed on which it works on P4 is 200.000 keys per one second. It supports several modes for getting the access. The application is able to reconstruct pass key (or link key from catched datas switch that runs at apparatus jointing. For catching the datas it is necessary a professional apparatus or USB BlueToothe apparatus that supports RAW mode. Crack BT PIN is described on the page of research experts Avishai Wool and Yaniv Shaked MobySys. Download BTcrack.
Basic tools for BlueTooth configuration
Detection of BlueToothe apparatus
hcitool scan
Getting information
airdump@stage:~$ sudo hcitool info 00:11:22:33:44:55
Requesting information ...
BD Address: 00:11:22:33:44:55
Device Name: NODE
LMP Version: 2.0 (0x3) LMP Subversion: 0x4176
Manufacturer: Broadcom Corporation (15)
Features: 0xff 0xff 0x8d 0xfe 0x9b 0xf9 0x00 0x80
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <hold mode> <sniff mode>
<park state> <RSSI> <channel quality> <SCO link> <HV2 packets>
<HV3 packets> <u-law log> <A-law log> <CVSD> <power control>
<transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
<EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
<interlaced pscan> <inquiry with RSSI> <extended SCO>
<EV4 packets> <EV5 packets> <AFH cap. slave>
<AFH class. slave> <3-slot EDR ACL> <5-slot EDR ACL>
<AFH cap. master> <AFH class. master> <EDR eSCO 2 Mbps>
<EDR eSCO 3 Mbps> <3-slot EDR eSCO> <extended features>
Useful tools for BlueTooth configuration
BlueTooth is highly configurable on the Linux platform. There is a lot of tools including developer platform and API. Everything is availale for free.
Basic tools that will help you how to control BT interface.
hciattach, hciconfig, hcid, hcidump, hcitool
Possibilities of hcidump
airdump@eon:~$ sudo hcidump --help
HCI sniffer - Bluetooth packet analyzer ver 1.41
Usage: hcidump [OPTION...] [filter]
-i, --device=hci_dev HCI device
-l, --snap-len=len Snap len (in bytes)
-p, --psm=psm Default PSM
-m, --manufacturer=compid Default manufacturer
-w, --save-dump=file Save dump to a file
-r, --read-dump=file Read dump from a file
-s, --send-dump=host Send dump to a host
-n, --recv-dump=host Receive dump on a host
-d, --wait-dump=host Wait on a host and send
-t, --ts Display time stamps
-a, --ascii Dump data in ascii
-x, --hex Dump data in hex
-X, --ext Dump data in hex and ascii
-R, --raw Dump raw data
-C, --cmtp=psm PSM for CMTP
-H, --hcrp=psm PSM for HCRP
-O, --obex=channel Channel for OBEX
-P, --ppp=channel Channel for PPP
-D, --pppdump=file Extract PPP traffic
-A, --audio=file Extract SCO audio data
-B, --btsnoop Use BTSnoop file format
-V, --verbose Verbose decoding
-Y, --novendor No vendor commands or events
-N, --noappend No appending to existing files
-4, --ipv4 Use IPv4 as transport
-6 --ipv6 Use IPv6 as transport
-h, --help Give this help list
--usage Give a short usage message
All commands that are within hcitool available can be obtained by sending hcitool in console
airdump@stage:~$ hcitool
hcitool - HCI Tool ver 3.29
Usage:
hcitool [options]
Options:
--help Display help
-i dev HCI device
Commands:
dev Display local devices
inq Inquire remote devices
scan Scan for remote devices
name Get name from remote device
info Get information from remote device
spinq Start periodic inquiry
epinq Exit periodic inquiry
cmd Submit arbitrary HCI commands
con Display active connections
cc Create connection to remote device
dc Disconnect from remote device
sr Switch master/slave role
cpt Change connection packet type
rssi Display connection RSSI
lq Display link quality
tpl Display transmit power level
afh Display AFH channel map
lst Set/display link supervision timeout
auth Request authentication
enc Set connection encryption
key Change connection link key
clkoff Read clock offset
clock Read local or remote clock
BlueTooth Interface Configuration
Configuration discovery and apparatus detection
hciconfig hci0
Every BlueTooth apparatus has assigned a so called class. The command for finding out the class is
hciconfig hci0 class
Change of Class apparatus
hciconfig hci0 class 0x0000
Values of Class 0x50204 for mobile phone, 0x180204 for laptop etc.
Commands for configuration by hciconfig
hciconfig - HCI device configuration utility
Usage:
hciconfig
hciconfig [-a] hciX [command]
Commands:
up Open and initialize HCI device
down Close HCI device
reset Reset HCI device
rstat Reset statistic counters
auth Enable Authentication
noauth Disable Authentication
encrypt Enable Encryption
noencrypt Disable Encryption
secmgr Enable Security Manager
nosecmgr Disable Security Manager
piscan Enable Page and Inquiry scan
noscan Disable scan
iscan Enable Inquiry scan
pscan Enable Page scan
ptype [type] Get/Set default packet type
lm [mode] Get/Set default link mode
lp [policy] Get/Set default link policy
name [name] Get/Set local name
class [class] Get/Set class of device
voice [voice] Get/Set voice setting
iac [iac] Get/Set inquiry access code
inqtpl [level] Get/Set inquiry transmit power level
inqmode [mode] Get/Set inquiry mode
inqdata [data] Get/Set inquiry data
inqtype [type] Get/Set inquiry scan type
inqparms [win:int] Get/Set inquiry scan window and interval
pageparms [win:int] Get/Set page scan window and interval
pageto [to] Get/Set page timeout
afhmode [mode] Get/Set AFH mode
sspmode [mode] Get/Set Simple Pairing Mode
aclmtu
scomtu
putkey
delkey
oobdata Display local OOB data
commands Display supported commands
features Display device features
version Display version information
revision Display revision information
Basic Commands
For the beginning you will need just..
lsusb - detection of the type or apparatus producer
hciconfig hci0 up - for bluetooth apparatus activation
hciconfig -a - for detection of services and information about your own apparatus
hcitool scan hci0 - for ether scan
sdptool browse bd_addr - fingerprint available apparatuses
External Links
Information database about mobile apparatuses is on page btdsd. Complex page about BlueTooth technology is trifinite. Basic tools for BlueTooth configuration in Linux distributions is BlueZ.