Bluetooth Hacking

Bluetooth is a universal protocol for low-power, near-field communication operating at 2.4 – 2.485 GHz using frequency-hopping spread spectrum at 1,600 hops per second (this frequency hopping is a security measure). It was developed in 1994 by Ericsson Corp. of Sweden and named after the 10th-century Danish king Harald Bluetooth (Sweden and Denmark were a single country in the 10th century).

The Bluetooth specification sets a minimum range of 10 meters, but places no restriction on the range that manufacturers may build into their products. Some devices reach 100 meters, and specialized antennas can extend the range even further.

When two Bluetooth devices connect, this is referred to as pairing. Nearly any two Bluetooth devices can connect to each other. Any discoverable Bluetooth device transmits the following information:

  • Name

  • Class

  • List of services

  • Technical information

A pre-shared secret, or link key, is exchanged when the two devices pair. Each device stores this link key to recognize the other in future pairings. Every device has a distinct 48-bit identifier (a MAC-like address) and typically a name given to it by the manufacturer.

Below is a diagram of the Bluetooth pairing process. Although it has become much more secure in recent years, it is still vulnerable.

To hack a Bluetooth-connected device, the hacker needs to be within range of the device. Because Bluetooth devices have a small range, people think that they can't be attacked. However, Bluetooth attacks do happen.

An attacker can enter the range of the device, find a vulnerability, and exploit it to eavesdrop on the device.

Some Bluetooth Attacks

Bluetooth Scanning

To find a Bluetooth device in range, you need to use scanning tools. Kali Linux comes with built-in tools that allow scanning, so you don't need to install additional third-party tools.

The built-in tools for Bluetooth scanning include hciconfig, hcitool, sdptool, btscanner, and l2ping. These can be used to detect the active Bluetooth devices in range.
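A defender's view of the same information, as an added example that is not from the original post: it parses `hciconfig -a` output to report whether a local adapter is discoverable (the ISCAN flag) and what its Class value tells anyone who scans for it. The sample output, addresses, and function names are constructed for illustration.

```python
import re

# Class of Device layout: service-class bits 23..13, major device class bits 12..8.
SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}
MAJOR_CLASS = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "Network Access Point",
               4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
               8: "Toy", 9: "Health", 31: "Uncategorized"}

# Constructed sample of `hciconfig -a` output; addresses and names are made up.
SAMPLE = """\
hci0:\tType: Primary  Bus: USB
\tBD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
\tUP RUNNING PSCAN ISCAN
\tName: 'kali-laptop'
\tClass: 0x1c010c
hci1:\tType: Primary  Bus: UART
\tUP RUNNING PSCAN
\tName: 'lab-dongle'
\tClass: 0x000000
"""

def decode_class(cod):
    """Split a 24-bit Class of Device value into (major class, service list)."""
    major = MAJOR_CLASS.get((cod >> 8) & 0x1F, "Reserved")
    return major, [n for bit, n in sorted(SERVICE_BITS.items()) if cod & (1 << bit)]

def audit(hciconfig_output):
    """Return one finding per adapter: what it advertises and whether it is discoverable."""
    findings = []
    for block in re.split(r"(?m)^(?=hci\d+:)", hciconfig_output):
        head = re.match(r"(hci\d+):", block)
        if not head:
            continue  # text before the first adapter
        flag_line = re.search(r"(?m)^\s+((?:UP|DOWN)\b.*)$", block)
        flags = flag_line.group(1).split() if flag_line else []
        name = re.search(r"Name: '(.*)'", block)
        cod = re.search(r"Class: (0x[0-9a-fA-F]{6})", block)
        major, services = decode_class(int(cod.group(1), 16)) if cod else (None, [])
        findings.append({"adapter": head.group(1), "name": name.group(1) if name else None,
                         "discoverable": "ISCAN" in flags,  # inquiry scan: answers device searches
                         "connectable": "PSCAN" in flags,   # page scan: accepts connections
                         "major_class": major, "services": services})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An adapter that shows PSCAN without ISCAN still accepts connections from devices that already know its address, but it does not answer device searches.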


Bluejacking

This is a typical Bluetooth attack that some individuals use as a practical joke. Although it is not a significant attack, hackers exploit it to bombard the targeted smartphones with spam messages. Bluejacking does not give hackers access to a Bluetooth-connected device or the data on it.


Bluesnarfing

This is a serious Bluetooth attack that allows hackers to access the device and the data on it. Bluesnarfing can be carried out even if users have enabled non-discoverable mode.

By compromising a device with Bluesnarfing, hackers can copy the data on the device, including photos, phone numbers, emails, etc. However, if users keep their devices non-discoverable, it becomes harder for the hackers to identify the model and name of the device.


Bluebugging

Through Bluebugging, hackers can access the compromised device, monitor phone calls, emails, and messages, and browse the internet. They can also make phone calls without letting the users know about it. Such attacks happen mostly on outdated device models.

Bluetooth Hacking Tool in Kali

Kali once had several Bluetooth hacking tools built in. In Kali 2020 we are down to just one, spooftooph. This doesn't mean there are no others. There are several in the Kali repository and on We will be using many of these in future tutorials.

Let's take a brief look at some of the other Bluetooth hacking tools.

  • Bluelog: A Bluetooth site survey tool. It scans the area to find as many discoverable devices as possible and then logs them to a file.

  • Bluemaho: A GUI-based suite of tools for testing the security of Bluetooth devices.

  • Blueranger: A simple Python script that uses L2CAP pings to locate Bluetooth devices and determine their approximate distances.

  • Btscanner: This GUI-based tool scans for discoverable devices within range.

  • Redfang: This tool enables us to find hidden Bluetooth devices.

  • Spooftooph: This is a Bluetooth spoofing tool.
