The beauty of Bluetooth hacking is that it gives you a clear window into the world of the target. Nearly every device has Bluetooth capabilities now, and people store a great deal of personal information on their phones and tablets. If we can hack their Bluetooth connection, we can access all of that great information stored on their device!
Of course, it goes without saying that we have to be in fairly close proximity to hack Bluetooth. As I mentioned in my guide on terms, technologies, and security, the Bluetooth protocol has a minimum range of 10 m (32 ft) and can actually extend as far as 100 m (320 ft) with some adapters. That should be enough to reach everyone in a coffee shop, your school classroom, your office, and maybe even into your neighbor's house.
The Importance of Reconnaissance
Like all attacks, whether computer-based or military field operations, reconnaissance is critical. Without good recon, your chances of success are severely diminished, or in some cases, nil. In all cases, success increases exponentially the more you know about your target. So in this tutorial, I will show you several ways to do recon on a potential target.
Before continuing on below, I strongly suggest you familiarize yourself with the Bluetooth terms, technologies, and security, as well as the MultiBlue Dongle, a specialized tool for hacking Bluetooth. Although you need physical access to the target device with MultiBlue, it clearly demonstrates what can be done when you have enough information and tools. Furthermore, you might find this article interesting, which shows how Elliot hacked a prison to release prisoners in the hit show, Mr. Robot.
Using Bluez for Bluetooth Reconnaissance
BlueZ is the default Bluetooth protocol stack in nearly every version of Linux, including our Kali Linux that is built on Debian. BlueZ was also the default Bluetooth stack on both Mac OS X and Android until recently.
This implementation of the Bluetooth protocol has numerous tools built in that we can use for recon, and since they are in nearly every distribution and flavor of Linux, they can be used by pretty much all of you. (We will also use some specialized tools for Bluetooth recon in Kali.)
Step 1: Fire Up Kali
Let's start by firing up Kali and opening a command prompt. I hope it goes without saying that you need a Linux-compatible Bluetooth adapter to continue from here.
Step 2: Use Hciconfig to Enable Your Bluetooth Adapter
The first step is to check whether our Bluetooth adapter is recognized and enabled. We can do this with a built-in BlueZ tool called hciconfig:
kali > hciconfig
As you can see in this screenshot, we do have a Bluetooth adapter that has a MAC address of 10:AE:60:58:F1:37. The Bluetooth stack has named it "hci0." Now, let's make certain it is up and enabled:
kali > hciconfig hci0 up
Good, hci0 is up and ready to work!
Step 3: Scan for Bluetooth Devices with Hcitool
The BlueZ stack also has some excellent command line (cli) tools for scanning for Bluetooth devices. These are in located in hcitool. Let's first use the scanning portion of this tool to look for Bluetooth devices that are sending out their discover beacons (in discovery mode). Type:
kali > hcitool scan
In the screenshot above, you can see it found two devices, ANDROID BT and SCH-I535. Now, let's try the inquiry (inq) command in hcitool to garner more information about these devices:
kali > hcitool inq
Note that it also displays clock offset and the class. The class indicates what type of Bluetooth device it is, and we can look up the code by going to the Service Discovery webpage on the Bluetooth SIG site to see what type of device it is. Or, as we will see later, some tools will do this for us.
Hcitool is a powerful command line interface to the Bluetooth stack that can do many, many things. In the screenshot below, you can see some of the commands that it can execute. Many of the Bluetooth-hacking tools that we will be using in future tutorials simply use these commands in a script. You can easily create your own tool by using these commands in your own script.
Step 4: Scan for Services with Sdptool
Service discovery protocol (SDP) is a Bluetooth protocol for searching for services. BlueZ has a tool called sdptool that is capable of browsing a device for the services it provides. We can use it by typing:
kali > sdptool browse <MAC Address>
Here we can see that this tool was able to pull information on all the services this device is capable of using.
Step 5: Determine Whether Bluetooth Devices Are Reachable with L2ping
Now that we have the MAC addresses of all the nearby devices, we can ping them, whether they are in discover mode or not, to see whether they are in reach.
kali > l2ping <MAC address>
This indicates that the device with a the MAC address 76:6F:46:65:72:67 is within range and reachable.
Step 6: Scan for Bluetooth Devices with BTScanner
For those of you who are more comfortable with a GUI-based tool, Kali has BTScanner. Simply type:
kali > btscanner
When you type in BTScanner, it opens a rudimentary GUI interface with commands along the bottom. To do an inquiry scan, simply type the letter "i" on your keyboard. In this case, BTScanner found the two that I found with hcitool, as well as an additional one, MINIJAMBOX.
To gather more information about the device, simply place the cursor over the device and hit Enter on your keyboard. It will then display all of the information it has gathered about the device, similar to sdptool.
In this case, this is the information about the SCH-I535 device. Notice about a third of the way down the screen, under class, it identifies it as a "Phone/Smart phone" from its class number, 0x5a020c.
Step 7: Bluetooth Sniffing with BlueMaho
We have still another tool in Kali we can use for Bluetooth scanning, called BlueMaho, an integrated Bluetooth scanning/hacking tool. Here we will simply use it for scanning. You can start BlueMaho's elegant GUI by typing:
kali > bluemaho.py
When you do, it opens a GUI like that below. Here, I have clicked on the "get SDP info" and hit the play button to the left. BlueMaho begins scanning for discoverable devices, and like the other tools, it finds two Bluetooth devices.
In the bottom window, BlueMaho displays more info from the scanned devices. I have copied that info and placed it into a text file to make it easier for you to read:
Note that it displays the name of the first device "MINIJAMBOX" and then describes the device type as "Audio/Video, Headset profile." The second device is identified as "SCH-I535," and we are told its device type is "Phone, Smart phone."
Now, that we know how to gather information on the Bluetooth devices in our range, we will begin hacking those devices in Bluetooth Hacking, Part 3. There we will use this information and knowledge to execute the BlueBourne exploit against nearly any Bluetooth enabled device!