Bluetooth
Bluetooth is a widely used wireless communication protocol found in a variety of IoT applications, including wearables, smart homes, and industrial automation. It is designed to be low-power and low-latency, which makes it well suited to devices that require real-time communication.
Bluetooth at a glance
Bluetooth is a wireless networking protocol that is commonly used for short-range communication between devices.
The protocol is designed for use in a range of different applications, including mobile devices, smart homes, and IoT.
Bluetooth operates in the unlicensed 2.4 GHz frequency band, and supports various data rates and transmission ranges.
The protocol uses a master/slave architecture (a piconet), in which a central master device manages communication with multiple slave devices.
Bluetooth security
Bluetooth uses various security mechanisms to protect against attacks, including encryption, authentication, and access control.
Bluetooth devices use symmetric encryption to protect data in transit, with keys that are generated and shared between devices.
Devices are also authenticated using a pairing process that involves exchanging passkeys or using a previously shared key.
Some Bluetooth devices support additional security features, such as device whitelisting and role-based access control, to limit access to sensitive data.
Bluetooth attacks
Eavesdropping attacks can occur if an attacker passively intercepts Bluetooth traffic between devices, allowing them to read the contents of messages being transmitted.
Man-in-the-middle attacks can occur if an attacker intercepts and modifies Bluetooth traffic between devices, potentially causing unexpected behavior in the network.
DoS attacks can occur if an attacker floods the network with traffic, preventing legitimate devices from communicating with each other.
Bluetooth also includes various mechanisms to protect against these types of attacks, including frequency hopping, encryption, and authentication.
BlueZ - Reconnaissance
BlueZ, the built-in Bluetooth protocol stack on Linux-based systems, ships with default tools that can be used for Bluetooth reconnaissance. These tools are readily available on most Linux systems, making them accessible to attackers with basic command-line skills. To carry out Bluetooth reconnaissance, attackers employ BlueZ tools in the following manner:
Verify Bluetooth Device Configuration:
Use "hciconfig", the default BlueZ tool, to confirm that the Bluetooth adapter is detected and activated. Typically the adapter appears as hci0 together with its MAC address. Execute the command:
Scan for Pairable Bluetooth Devices:
Keep the attacker's Bluetooth device active and scan for other Bluetooth devices that are transmitting pairing signals using the following command:
Display Further Information About Pairable Devices:
Once pairable devices are identified, use the following command to reveal additional details about the discovered devices, including their class and clock offset:
Use the Service Discovery Protocol (SDP) Tool for Service Scanning:
Employ "sdptool," an efficient tool for searching the services offered by a device, with the following syntax:
Verify Device Reachability with L2ping:
Armed with the MAC addresses of available devices, the attacker can ping them to assess their reachability or discoverability using the "l2ping" tool. The syntax for this is:
BtleJack - Btlejacking
BtleJack can be used as follows:
Select Sniffer Devices:
This command tells BtleJack which sniffer boards to use, here the ones attached to /dev/ttyACM0 and /dev/ttyACM2; with more than one board it can follow connections on several channels at once.
Positioning:
Position yourself within a 5-meter radius of the target devices.
Capture Bluetooth Low Energy (BLE) Connections:
To sniff an existing connection:
To sniff new connections:
Jamming Operation:
Once a connection is captured, initiate a jamming operation using this command: The command starts jamming (with -j) of the connection identified by the specified access address (0x129f3244), disrupting the targeted connection.
Hijack the Connection:
This command starts the hijacking process (with -t) on the connection identified by the specified access address (0x9c68fd30) and supplies the connection's channel map (0x1fffffffff, i.e. all 37 data channels) so that the sniffer can follow and take over the connection.
Convert Captured Data to Pcap Format:
The captured data can be transformed into the pcap format with the following command:
Crackle - Crack BLE
Crackle is a tool that exploits a weakness in the BLE (Bluetooth Low Energy) legacy pairing process, enabling an attacker to quickly guess or brute force the temporary key (TK): in legacy pairing the TK is fixed to 0 for "Just Works" pairing or is a six-digit passkey, so the key space is tiny. Once obtained, the TK, together with the other values exchanged during pairing, can be used to derive the short-term key (STK) and subsequently the long-term key (LTK). With the STK and LTK in hand, an attacker can decrypt all communications between the master and slave devices.
Crackle operates in two distinct modes:
1. Crack TK Mode:
In this mode, Crackle is employed during the pairing phase of BLE, where it attempts to brute force the TK.
Command:
Explanation: Crackle reads the capture file, checks whether it contains a complete legacy pairing exchange, and, if the pairing is vulnerable, proceeds with the cracking process to recover the TK, STK, and LTK.
To decrypt encrypted pcap data, the following command is used with the "-o" option:
2. Decryption Using LTK:
This mode requires an LTK value (a 128-bit key, given as 32 hexadecimal characters) and a PCAP file containing LL_ENC_REQ and LL_ENC_RSP packets in order to decrypt the encrypted data.
Command:
Explanation: Crackle is employed to verify the presence of required data within the specified file, indicating the availability of encrypted packets that can be decrypted.
To decrypt these packets and save them in a PCAP file, the following command is used with the "-o" option:
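The pairing weakness that Crackle relies on, and the pairing mechanisms described under "Bluetooth security" above, come down to which association model the two devices negotiate. The following audit helper is an added example written for this page (it is not code from Crackle, BtleJack, or BlueZ): it derives the association model from the SMP pairing parameters both sides advertise, following the IO-capability rules of the Bluetooth Core Specification, and reports whether the resulting STK/LTK would be recoverable from a guessed TK. The field names and the Assessment structure are this example's own.

```python
# Added example, not part of the original page nor of Crackle/BtleJack:
# derive the BLE pairing association model from the SMP parameters both
# sides advertise (Core Spec Vol 3 Part H, 2.3.5.1) and report whether the
# resulting STK/LTK could be recovered from a guessed temporary key (TK).
from dataclasses import dataclass
from typing import Optional

# IO capability values as carried in the SMP Pairing Request/Response.
DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY, NO_IO, KEYBOARD_DISPLAY = range(5)

@dataclass
class PairingParams:
    init_io: int
    resp_io: int
    secure_connections: bool  # SC bit set in both AuthReq fields
    mitm: bool                # MITM bit set in at least one AuthReq field
    oob_init: bool = False    # OOB data flag in Pairing Request
    oob_resp: bool = False    # OOB data flag in Pairing Response

@dataclass
class Assessment:
    model: str
    tk_keyspace: Optional[int]  # number of candidate TKs; None under SC (no TK)
    exposed: bool               # keys derivable from a captured legacy pairing

def association_model(p: PairingParams) -> str:
    # OOB is chosen first: legacy needs OOB data on both sides, SC on one.
    if (p.oob_init and p.oob_resp) or (p.secure_connections and (p.oob_init or p.oob_resp)):
        return "OOB"
    # No MITM protection requested, or one side has no UI: Just Works.
    if not p.mitm or NO_IO in (p.init_io, p.resp_io):
        return "Just Works"
    ios = {p.init_io, p.resp_io}
    if KEYBOARD_ONLY in ios:           # a keyboard on one side, anything else
        return "Passkey Entry"
    if DISPLAY_ONLY in ios:            # display-only peer can only show a passkey
        return "Passkey Entry" if KEYBOARD_DISPLAY in ios else "Just Works"
    # Both sides are DisplayYesNo and/or KeyboardDisplay.
    if p.secure_connections:
        return "Numeric Comparison"
    return "Passkey Entry" if ios == {KEYBOARD_DISPLAY} else "Just Works"

def assess(p: PairingParams) -> Assessment:
    model = association_model(p)
    if p.secure_connections:           # LTK comes from P-256 ECDH, no TK involved
        return Assessment(model, None, False)
    # Legacy pairing: STK = s1(TK, ...), so key strength is the TK's entropy.
    keyspace = {"Just Works": 1, "Passkey Entry": 10**6, "OOB": 2**128}[model]
    return Assessment(model, keyspace, keyspace <= 10**6)
```

A device fleet whose pairings come back as legacy "Just Works" or "Passkey Entry" is exactly the population Crackle targets; requiring LE Secure Connections (or legacy OOB with a 128-bit TK) is the fix.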