Bluetooth

BlueZ has changed a lot lately, and Bluetooth is not at the centre of community interest these days, so guides are becoming outdated and harder to find. I also did not find (though I did not search intensively, so the fault may be mine) any comprehensive documentation on the current state of BlueZ, or of bluez-utils respectively. I have summed up my observations in this wiki entry; maybe somebody will find something helpful here.

All notes below are hints intended for penetration testing and security hardening; they are not meant as a primer for any illegal action in any way.

what's outdated
what's working
bluetoothctl

is a control program that is part of bluez-utils and is described as a development and debugging utility for the BT protocol stack. It can be run by simply typing bluetoothctl into a console (you first need to start the Bluetooth daemon, bluetoothd).

abilities:

passive monitoring (airodump like) & wireshark connection

Typical BT devices that are mounted in PCs nowadays are not built to simply scan the ether and hand every frame to the PC; they only inform the PC about things the radio finds interesting or important, or that were explicitly requested [1]. This means that I do not know of a simple way to put an ordinary BT device into monitor mode. (What a standard adapter does give you is the HCI traffic between host and controller, which btmon from bluez can record, e.g. btmon -w trace.btsnoop; that is useful for debugging your own connections but is not over-the-air sniffing.) The solution to this problem is Ubertooth [2], hardware specially crafted for this (and a bunch of other) purposes. With the right sequence of software you can get it running so that it produces a kismet dump, which you can then interpret in Wireshark [3].
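As an added example (not from this wiki page, nor from the bluez or Ubertooth projects), the following POSIX shell script puts the bluetoothctl section and the monitoring note above into runnable form: it drives bluetoothctl non-interactively (start the daemon, power the controller, scan, list), extracts validated device addresses from the output of `bluetoothctl devices`, and splits each BD_ADDR into its NAP, UAP and LAP fields, which are what matter once you move to Ubertooth, since a classic piconet is identified over the air by its LAP and UAP while the NAP is never transmitted. It assumes a systemd system whose unit is named bluetooth and a bluez version whose bluetoothctl accepts commands as arguments and honours --timeout; the device list is constructed sample data and the addresses and names in it are made up.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from bluez/Ubertooth.
# Assumptions: systemd unit "bluetooth", bluez with non-interactive
# bluetoothctl (commands as arguments, --timeout supported).
set -eu

# Constructed sample of what `bluetoothctl devices` prints after a scan.
# Addresses and names are made up for this example.
SAMPLE_DEVICES='Device 00:1A:7D:DA:71:13 Pixel 7
Device AC:DE:48:00:11:22 JBL Flip 5
Device 40:4E:36:1B:2C:3D 40-4E-36-1B-2C-3D
Device 98:D3:31:F5:A6:B7 Keyboard K380'

# Read `bluetoothctl devices` output on stdin and print one BD_ADDR per
# line, upper-cased, keeping only well-formed XX:XX:XX:XX:XX:XX values.
# (Spelled-out character classes instead of {2} so it also works in mawk.)
extract_addrs() {
    awk '$1 == "Device" && split($2, p, ":") == 6 {
            ok = 1
            for (i = 1; i <= 6; i++)
                if (p[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) ok = 0
            if (ok) print toupper($2)
        }'
}

# Split a BD_ADDR into NAP (upper 16 bits), UAP (next 8 bits) and
# LAP (lower 24 bits). Ubertooth identifies a classic piconet by LAP and
# UAP; the NAP is never sent over the air, so a sniffer cannot recover it.
bdaddr_fields() {
    addr=$1
    nap=$(printf '%s' "$addr" | cut -d: -f1-2 | tr -d :)
    uap=$(printf '%s' "$addr" | cut -d: -f3)
    lap=$(printf '%s' "$addr" | cut -d: -f4-6 | tr -d :)
    printf 'NAP=%s UAP=%s LAP=%s\n' "$nap" "$uap" "$lap"
}

# The live sequence: start bluetoothd via systemd, power the first
# controller, scan for 15 s, then list discovered devices. Kept in a
# function so it only runs on demand (it needs a real adapter).
bt_discover() {
    systemctl start bluetooth
    bluetoothctl power on
    bluetoothctl --timeout 15 scan on
    bluetoothctl devices | extract_addrs
}

# With --live, talk to the real stack; otherwise only exercise the parsing
# on the constructed sample so the script can be read and run anywhere.
if [ "${1:-}" = "--live" ]; then
    bt_discover | while read -r a; do bdaddr_fields "$a"; done
else
    printf '%s\n' "$SAMPLE_DEVICES" | extract_addrs | while read -r a; do
        bdaddr_fields "$a"
    done
fi
```

Run without arguments it only parses the sample; `sh script.sh --live` performs the real discovery and needs a working adapter plus permission to talk to bluetoothd (root or membership in whatever group your distribution grants access to).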

possible hacks

There is a nice page (I hope it still works; if not, I'll try to paste it somewhere else) that sums up the state of the problem as of 2005 (so it is pretty outdated, but probably usable when an older device comes into range) [4]. Then there is a GitHub repository owned by pwnieexpress, not maintained since 2012, which keeps a relatively long list of source code for various newer and older hacks [5]. Some other information is spread around the internet, but many traces of the original ideas or notes can be found through the links present in the README files of the pwnieexpress repository. From the list of exploits named in the above sources, a few looked interesting.

sources

[1] https://ask.wireshark.org/questions/15837/what-equipment-can-i-use-to-capture-bluetooth-packets#answer-container-15838

[2] https://greatscottgadgets.com/ubertoothone/

[3] https://wiki.wireshark.org/CaptureSetup/Bluetooth

[4] http://www.eetimes.com/document.asp?doc_id=1275730

[5] https://github.com/pwnieexpress/pwn_plug_sources/tree/master/src/bluetooth

[6] http://www.backtrack-linux.org/forums/showthread.php?t=5637&s=f59f4f7919b89e8c9d16773560795863