Bluetooth Hacking: Case Study
Harshil Shah
New York Institute of Technology
hshah31@nyit.edu
Abstract
This paper briefly describes the protocol architecture of Bluetooth, several kinds of attack on Bluetooth-enabled devices, and mitigation techniques.
Keywords
Bluetooth, Bluetooth hacking, bluesnarfer, bluejacking, bluesniping
Introduction
Bluetooth is one of the most widely used wireless technologies today. It is the standard communication protocol for short-range communications and operates in the 2.4 GHz band. Cellphones, computers, PDAs and headsets are a few of the devices that commonly use Bluetooth for synchronizing email, playing music and sending phone data. Bluehacking, bluejacking, bluesnarfing and bluesnafting are attacks that can be carried out over Bluetooth.
Bluetooth Protocols
L2CAP: Used to multiplex multiple logical connections between two devices that use different higher-level protocols.
RFCOMM: A transport protocol used by Bluetooth devices that need reliable stream-based transport, analogous to TCP. It is commonly used to emulate serial ports, to send AT commands to phones and to transport files over the OBEX protocol.
Object Exchange Protocol (OBEX): A vendor-independent protocol that allows devices to transfer file objects such as business cards, data files or calendar information. It is a higher-layer protocol that runs on different operating systems.
There are several other protocols, along with adopted protocols, that are used over Bluetooth.
Figure 1: Bluetooth Protocol Stack (Source: Tutorial-Reports.com)
Bluetooth Security
Bluetooth defines three security modes. All Bluetooth services have a default security level; some services require authorization and authentication and some do not.
Mode 1: Provides no security enforcement, which means the device does not take any steps to protect itself.
Mode 2: In this mode a specific application might be safe, but no additional protection is added.
Mode 3: Protects devices from certain types of intrusion.
Type of Attacks
There are different kinds of attacks that can be employed against Bluetooth devices, such as bluejacking, bluesnarfing, bluebugging, bluelogging, bluedumping and car whisperer. One should note that Bluetooth range is limited to between 10 m and 100 m, so the attacker needs to be within range of the Bluetooth device. Some of the common attacks on Bluetooth devices are described here.
Bluebugging: Bluebugging is a powerful attack mechanism that takes control of the target phone and allows the attacker to make calls, send text messages, read messages, and access and modify the phonebook. It also allows an attacker to connect to the internet, forward calls and much more.
Bluejacking: Bluejacking is about sending unsolicited messages to open Bluetooth devices by sending a vCard with a message in the name field, exploiting the OBEX protocol.
Bluelogging: It is used only to detect Bluetooth traffic over the air and identify details about the discoverable devices nearby.
Bluesnarfing: In this attack the attacker finds a target Bluetooth device that is in discoverable mode. It works by connecting to the Object Push Profile services found on most devices, from which the attacker receives file names. The hacker can then retrieve items like the phonebook, calendar and other personal information.
Helomoto: This attack was first found on Motorola phones and is therefore named Helomoto. It is similar to the Bluebugging attack, but here the attacker takes advantage of the poor implementation of trusted-device handling on some phones. The attacker pretends to send a vCard to an unauthenticated OBEX Push Profile on the target's phone. Once the transfer has started, the attacker interrupts the transfer process, and the victim's phone then lists the attacker's device as trusted.
Project Discoveries
Using different tools, information about a target Bluetooth device can be gathered. In this project, tools like bluesnarfer, btscanner and bluemaho are used.
Bluesnarfer
To use bluesnarfer we need to create a specific environment. After creating the environment we can use some tools to read the phone directory. Most new-generation devices are not vulnerable to bluesnarfer or any type of Bluetooth hack. Some devices, like the Nokia 6310i and Sony Ericsson W800i phones, are vulnerable to being hacked by these tools.
Pinging Target Device
Bluesnarfer Commands
Bluemaho
Using bluemaho we can get the MAC address (bt_addr) of the Bluetooth device. The previous name of the Bluetooth device can also be seen here.
sdptool
Using sdptool we can get:
    Service Name
    Protocol Descriptor List
    Service RecHandle
    Profile Descriptor List
    Service Class ID List
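As an added example (not part of the original paper or of the sdptool project), the following Python parses the `sdptool browse` fields listed above into one record per service and flags the OBEX Object Push / File Transfer services that the bluejacking and bluesnarfing descriptions rely on, so an administrator can see which RFCOMM channels a device is advertising and should disable or restrict; the sample output, device address and record handles are constructed.

```python
import re
# Constructed sample of `sdptool browse <bdaddr>` output; address and handles are placeholders.
SAMPLE_SDP = """\
Browsing 00:11:22:33:44:55 ...
Service Name: OBEX Object Push
Service RecHandle: 0x10001
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)

Service Name: Headset Gateway
Service RecHandle: 0x10002
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
"""

def parse_sdp(text):
    """One dict per SDP record: name, handle, class UUIDs, protocol stack, RFCOMM channel."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Service Name:") or (
                line.startswith("Service RecHandle:") and (rec is None or rec["handle"])):
            rec, section = {"name": "", "handle": "", "class_ids": [], "protocols": [], "channel": None}, None
            records.append(rec)       # new record; some records have no Service Name line
        if m := re.match(r"Service (Name|RecHandle): (.*)", line):
            rec["name" if m.group(1) == "Name" else "handle"] = m.group(2).strip()
        elif line.endswith("List:"):
            section = line.strip()    # indented lines that follow belong to this list
        elif section == "Service Class ID List:" and (m := re.search(r"\((0x[0-9a-f]+)\)", line, re.I)):
            rec["class_ids"].append(m.group(1).lower())
        elif section == "Protocol Descriptor List:" and (m := re.match(r'\s+"([^"]+)"', line)):
            rec["protocols"].append(m.group(1))
        elif section == "Protocol Descriptor List:" and (m := re.match(r"\s+Channel:\s*(\d+)", line)):
            rec["channel"] = int(m.group(1))
    return records
# Class UUIDs of the OBEX services that bluejacking and bluesnarfing tooling relies on.
OBEX_CLASSES = {"0x1105": "OBEX Object Push", "0x1106": "OBEX File Transfer"}
def exposed_obex_services(records):
    """(name, RFCOMM channel) of each advertised OBEX service: what to disable or restrict."""
    return [(r["name"], r["channel"]) for r in records if any(c in OBEX_CLASSES for c in r["class_ids"])]
```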
Mitigating Attacks on Bluetooth
• Do not leave Bluetooth devices in discoverable mode.
    o Active discovery tools require that devices be in discoverable mode to be identified; the attacker targets devices that respond to inquiry requests because they are easy to identify.
• Use Bluetooth keyboards that use encryption and authentication to encrypt data before sending it to the computer.
    o To mitigate the threat of passive Bluetooth keyboard eavesdropping, avoid using the HID boot mode mechanism, which sends traffic in plaintext.
• Users should use Secure Simple Pairing instead of legacy PIN authentication for the pairing exchange process, to mitigate PIN-cracking attacks.
• By manipulating Bluetooth friendly names, an attacker has many opportunities, ranging from manipulating users in a social-engineering attack to a full target compromise.
Conclusion
• Information gathering on Bluetooth-enabled devices is easy.
• Android and Apple devices are not vulnerable to these Bluetooth hacks because of their secure authentication systems.
• Nokia 6310i and Sony Ericsson W800i phones are still vulnerable to bluesnarfer-type tools, but these devices are hard to find in the market.
• Sniffing of Bluetooth devices is still possible with certain tools.
• Bluetooth keyboards that transfer data as plaintext are vulnerable to being hacked.