When BlueTooth was first introduced in 1994 by Ericcson Corporation of Sweden, it was very insecure. Hackers could steal information and send unsolicited messages to the unsuspecting.
In recent years, additional security has been built-in to the protocol and much of the IT security industry has sat back and said, "Its fixed and unhackable". On the other hand, I maintain that BlueTooth is and will remain one of the most vulnerable protocols, making all our data on our BlueTooth-enabled devices vulnerable to being hacked. That is precisely why I began this series on BlueTooth hacking.
Although you have likely used BlueTooth and are familiar with it, I suggest you read my first two articles in this series to familiarize yourself with the BlueTooth protocol, its security and how to do reconnaissance on BlueTooth devices.
In recent days, Armis Security has released a number exploits against unpatched BlueTooth devices. You can read more about it here. These exploits are capable of attacking iOS (but not iOS 10), Microsoft Windows, and Android. In the last month, nearly every company has issued patches, but for a number of reasons many Android systems are still unpatched.
The exploit attacks the SDP protocol of the BlueTooth stack (see below). The exploit masquerades as a BlueTooth device and is able to exploit vulnerabilities in SDP. The BlueTooth device does not even need to be in discover mode, it only needs to ON. Since BlueTooth has access to the inner sanctum of the kernel, nearly everything is vulnerable.
In this tutorial, we will look at how to extract data from an unpatched BlueTooth device using the BlueBorne exploit.
Step #1 Getting Started
The first step of course is to have a unpatched device. I will be using an older LG phone I keep in my lab just for this purpose.
Of course, you will need a BlueTooth adapter to communicate to your target. There are a number of BlueTooth adapters that are Linux compatible, but I will be using one from Pluggable that is Plug-n-Play compatible with our Kali Linux operating system.
Next, we need to install the dependencies into our Kali system.
kali > apt-get install bluetooth libbluetooth-dev
kali > pip install pybluez
kali > pip install pwntools
Step #2 Install the Python Script
Although Armis developed these exploits, they have not released them to the public. Fortunately, a security researcher has developed a python script based upon the Armis research. You can find it at github.com. Simply clone it into your system as below.
kali > git clone https://github.com/ojasookert/CVE-2017-0785
After cloning it, you will see a new directory created, CVE-2017-0785.
Navigate to that directory and do a long listing (ls -l). You will see a README.md file and the python script CVE-2017-0785.py
kali > cd CVE-2017-0785
You will need to give yourself execute permissions on this script.
kali > chmod 755 CVE-2017-0785.py
Step #3 Get the MAC address of the Target
Now that we have our dependencies met and installed the Python script, the only left to be done is to obtain the MAC address of the target system. As I demonstrated in BlueTooth Hacking, Part 2, we can scan for BlueTooth devices with the hcitool.
kali > hcitool scan
This utility will go out and scan for any available BlueTooth devices within range. As you can see, it found my LG phone. I have obscured the MAC address to protect the innocent.
Step #4 Execute the BlueBourne Exploit
Now, we have everything we need to exploit the BlueTooth device and extract it's memory. To run the exploit, we simply enter python, the name of the script and TARGET= followed by the mac address of the target system.
kali > python CVE-2017-785.py TARGET=<MAC ADDRESS of Target>
The python script has exploited the target and removed the first 30 bytes from memory! Of course, we can edit the script to extract even more memory.
BlueTooth hacking has been a relatively quiet field for a number of years, but I expect it to heat up now, making all our mobile devices vulnerable.
Keep coming back to Hackers-Arise for the latest on BlueTooth Hacking!