Bluetooth Security.

Posted by Fixxx (Moder, joined 20.08.24).


Developers make Bluetooth more secure every year, but it is still vulnerable, as I'll show in this article. Today we will cover the following topics:
  1. Bluetooth basics.
  2. Main Linux tools for working with Bluetooth.
  3. Bluetooth protocol stack.
  4. Bluetooth security.
  5. Bluetooth hacking tools in Kali.
  6. Several Bluetooth attacks.

Bluetooth Basics.

Bluetooth is a widely used short-range radio protocol operating in the 2.4 GHz ISM band (2.400 to 2.4835 GHz) with frequency-hopping spread spectrum: the carrier hops 1600 times per second across 79 channels of 1 MHz. The hopping is mainly for resilience against interference, not for confidentiality. Bluetooth Low Energy (BLE), added later, is the low-power variant with its own 40-channel radio; this article concerns classic Bluetooth (BR/EDR). Bluetooth was developed in the 1990s by Ericsson and is named after King Harald Bluetooth of Denmark. The nominal range is about 10 meters for the common Class 2 devices and about 100 meters for Class 1 devices; the specification sets no upper limit, so manufacturers can extend it, and a directional antenna on the attacker's side extends it further. Pairing is the process by which two Bluetooth devices establish a trust relationship; any two devices that implement the protocol can pair. Every discoverable device answers an inquiry with information such as:
  • Name
  • Class
  • List of services
  • Technical information
Two paired devices establish a shared secret, the link key, and each stores it to authenticate the other on later connections. Every device has a unique 48-bit address (BD_ADDR, the same format as an Ethernet MAC address, with the manufacturer's OUI in the upper 24 bits) and a name set by the manufacturer or the user.

(Diagram: the Bluetooth pairing process.)

A piconet is a network of one master and up to seven active slave devices. The whole piconet follows one hop sequence, derived from the master's address and clock, so its members don't interfere with each other, and neighbouring piconets with different sequences rarely land on the same channel at the same time.


Main Linux tools for working with Bluetooth.

The Linux implementation of the Bluetooth protocol stack is called BlueZ. It's installed by default in most distributions or available from the repository, and it ships the command-line tools used below. Note that BlueZ 5 marks the hci* tools as deprecated in favour of bluetoothctl, btmgmt and btmon; they still exist, but some distributions build BlueZ without them, and hcidump comes in a separate package (bluez-hcidump). The classic tools are:
  • hciconfig: the analogue of ifconfig for Bluetooth adapters. It shows and sets the local adapter's address, name, class, and whether it is up, discoverable (iscan) or connectable (pscan).
  • hcitool: device inquiry and remote queries (hcitool inq, hcitool scan, hcitool name, hcitool info). It returns the remote address, name, class of device and clock offset.
  • hcidump: my favourite. It captures the HCI traffic between the host and the local adapter (commands, events, ACL and SCO data), so you see exactly what your adapter sends and receives. It does not capture other devices' over-the-air traffic; that needs a dedicated sniffer.
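The address and class fields that hcitool inq prints are packed bit fields, and decoding them is the first thing you do when triaging a scan. The following is an added example (not code from the original post or from BlueZ): it parses two constructed hcitool inq lines (made-up addresses, typical class values for a smartphone and a headset), splits each BD_ADDR into NAP/UAP/LAP and OUI, and decodes the 24-bit Class of Device into major/minor device class and service flags using the public Bluetooth Assigned Numbers.

```python
"""Decode what a classic Bluetooth inquiry (hcitool inq) returns.

Added example, not code from the original post or from BlueZ. The two
`hcitool inq` lines below are constructed; the addresses are made up and
the class values are typical ones for a smartphone and a headset."""
import re
from typing import Dict, List

# Constructed sample in the shape `hcitool inq` prints (not a real capture).
SAMPLE_INQ_OUTPUT = """\
Inquiring ...
\t00:11:22:33:44:55\tclock offset: 0x1a2b\tclass: 0x5a020c
\tAA:BB:CC:DD:EE:FF\tclock offset: 0x0000\tclass: 0x240404
"""

# Class of Device layout (Bluetooth Assigned Numbers):
#   bits 0-1   format type (0 = the only format defined)
#   bits 2-7   minor device class (meaning depends on the major class)
#   bits 8-12  major device class
#   bits 13-23 major service class flags, one bit per service
MAJOR_DEVICE = {0: "Miscellaneous", 1: "Computer", 2: "Phone",
                3: "LAN/Network Access Point", 4: "Audio/Video",
                5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
                9: "Health", 31: "Uncategorized"}
MAJOR_SERVICE = {13: "Limited Discoverable Mode", 16: "Positioning",
                 17: "Networking", 18: "Rendering", 19: "Capturing",
                 20: "Object Transfer", 21: "Audio", 22: "Telephony",
                 23: "Information"}
MINOR_DEVICE = {
    1: {1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC/PDA",
        5: "Palm-size PC/PDA", 6: "Wearable computer", 7: "Tablet"},
    2: {1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    4: {1: "Wearable Headset", 2: "Hands-free", 4: "Microphone",
        5: "Loudspeaker", 6: "Headphones", 7: "Portable Audio",
        8: "Car Audio", 9: "Set-top box", 10: "HiFi Audio", 11: "VCR",
        12: "Video Camera", 13: "Camcorder", 14: "Video Monitor",
        15: "Video Display and Loudspeaker", 16: "Video Conferencing",
        18: "Gaming/Toy"},
}

INQ_LINE = re.compile(
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+clock offset:\s+(0x[0-9A-Fa-f]+)"
    r"\s+class:\s+(0x[0-9A-Fa-f]+)")


def split_bd_addr(addr: str) -> Dict[str, object]:
    """Split a printed BD_ADDR into its fields. The 48-bit address is
    NAP (16 bits) | UAP (8 bits) | LAP (24 bits); NAP+UAP is the OUI, the
    manufacturer prefix shared with Ethernet MAC addresses. The LAP is
    what inquiry and paging key on."""
    octets = [int(x, 16) for x in addr.split(":")]
    if len(octets) != 6:
        raise ValueError(f"not a BD_ADDR: {addr}")
    return {"NAP": (octets[0] << 8) | octets[1],
            "UAP": octets[2],
            "LAP": (octets[3] << 16) | (octets[4] << 8) | octets[5],
            "OUI": ":".join(addr.upper().split(":")[:3])}


def decode_class_of_device(cod: int) -> Dict[str, object]:
    """Decode the 24-bit Class of Device a discoverable device advertises."""
    fmt = cod & 0x3
    minor = (cod >> 2) & 0x3F
    major = (cod >> 8) & 0x1F
    services = [name for bit, name in sorted(MAJOR_SERVICE.items())
                if cod & (1 << bit)]
    return {"format": fmt,
            "major_device": MAJOR_DEVICE.get(major, f"reserved ({major})"),
            "minor_device": MINOR_DEVICE.get(major, {}).get(minor, str(minor)),
            "services": services}


def parse_inq_output(text: str) -> List[Dict[str, object]]:
    """Turn `hcitool inq` output into decoded device records."""
    devices = []
    for line in text.splitlines():
        m = INQ_LINE.search(line)
        if not m:
            continue
        addr = m.group(1).upper()
        clk, cod = int(m.group(2), 16), int(m.group(3), 16)
        rec: Dict[str, object] = {"addr": addr, "clock_offset": clk, "cod": cod}
        rec.update(split_bd_addr(addr))
        rec.update(decode_class_of_device(cod))
        devices.append(rec)
    return devices


if __name__ == "__main__":
    for dev in parse_inq_output(SAMPLE_INQ_OUTPUT):
        print(f"{dev['addr']}  OUI {dev['OUI']}  {dev['major_device']}/"
              f"{dev['minor_device']}  services={dev['services']}")
```

On a real adapter you would feed it the output of hcitool inq (or the class value from hcitool info). The OUI is the quickest manufacturer hint; the service flags tell you which attack surface to expect (Object Transfer means an OBEX service, Telephony means AT-command handling).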


Bluetooth Protocol Stack.

A Bluetooth device does not have to implement every protocol in the stack (TCP/IP, for example, is optional). The stack is designed so that different applications can use Bluetooth for their own purposes, and a given application uses only one vertical slice of it. The protocols fall into four groups:
  • Core Bluetooth protocols: LMP (Link Manager Protocol, link setup and security negotiation), L2CAP (Logical Link Control and Adaptation Protocol, multiplexing and segmentation above the baseband), SDP (Service Discovery Protocol).
  • Cable replacement protocol: RFCOMM (serial port emulation over L2CAP).
  • Telephony control protocols: TCS Binary, AT commands.
  • Adopted protocols: PPP, UDP/TCP/IP, OBEX, WAP, vCard, vCal, IrMC, WAE.
In addition to the protocol layers, the Bluetooth specification defines a Host Controller Interface (HCI). It provides a command interface to the baseband controller and link manager, and access to hardware status and control registers: the host sends HCI commands and ACL/SCO data down, and the controller returns events and data. That's why the tools are named hciconfig, hcidump and hcitool.
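The HCI traffic that hcidump and btmon display has a simple framing: a packet type byte, then for commands a 16-bit opcode (6-bit OGF group, 10-bit OCF command) and parameter length, and for events an event code and parameter length. The following added example (not code from the original post or from BlueZ) builds the HCI_Inquiry command that hcitool inq issues and decodes two constructed event packets: the Command Status the controller answers with, and the Command Complete for Read_BD_ADDR carrying the adapter's own address. Opcodes, event codes and the GIAC value are from the core specification; the packet bytes are constructed by hand, not captured.

```python
"""Encode and decode HCI packets, the host<->controller traffic that hcidump
and btmon display. Added example, not code from the original post or from
BlueZ; the packets below are constructed by hand, not captured."""
import struct
from typing import Dict, Tuple

# H4 (UART) packet type indicators, also what raw HCI sockets on Linux use.
HCI_COMMAND_PKT = 0x01
HCI_EVENT_PKT = 0x04

# Opcode = OGF (6 bits, command group) << 10 | OCF (10 bits, command).
OGF_LINK_CTL = 0x01          # Link Control commands
OGF_INFO_PARAM = 0x04        # Informational parameters
OCF_INQUIRY = 0x0001
OCF_READ_BD_ADDR = 0x0009

EVT_INQUIRY_COMPLETE = 0x01
EVT_COMMAND_COMPLETE = 0x0E
EVT_COMMAND_STATUS = 0x0F

GIAC = 0x9E8B33              # General Inquiry Access Code (a LAP)


def opcode(ogf: int, ocf: int) -> int:
    return (ogf << 10) | ocf


def split_opcode(op: int) -> Tuple[int, int]:
    return op >> 10, op & 0x03FF


def build_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """Packet type | opcode (LE16) | parameter length | parameters."""
    return struct.pack("<BHB", HCI_COMMAND_PKT, opcode(ogf, ocf), len(params)) + params


def build_inquiry(lap: int = GIAC, length: int = 8, num_responses: int = 0) -> bytes:
    """HCI_Inquiry: what `hcitool inq` asks the controller to do.
    LAP is 3 bytes little-endian, Inquiry_Length is in units of 1.28 s,
    Num_Responses 0 means unlimited."""
    params = lap.to_bytes(3, "little") + bytes([length, num_responses])
    return build_command(OGF_LINK_CTL, OCF_INQUIRY, params)


def format_bd_addr(le6: bytes) -> str:
    """BD_ADDR travels little-endian; the printed form is byte-reversed."""
    return ":".join(f"{b:02X}" for b in reversed(le6))


def parse_packet(raw: bytes) -> Dict[str, object]:
    """Decode a command or event packet. Length fields are checked so a
    truncated packet raises instead of being silently misread."""
    if not raw:
        raise ValueError("empty packet")
    if raw[0] == HCI_COMMAND_PKT:
        op, plen = struct.unpack_from("<HB", raw, 1)
        params = raw[4:4 + plen]
        if len(params) != plen:
            raise ValueError("truncated command")
        ogf, ocf = split_opcode(op)
        return {"type": "command", "opcode": op, "ogf": ogf, "ocf": ocf, "params": params}
    if raw[0] == HCI_EVENT_PKT:
        code, plen = raw[1], raw[2]
        params = raw[3:3 + plen]
        if len(params) != plen:
            raise ValueError("truncated event")
        ev: Dict[str, object] = {"type": "event", "event": code}
        if code == EVT_COMMAND_COMPLETE:
            ncmd, op, status = struct.unpack_from("<BHB", params, 0)
            ev.update(num_hci_cmd_packets=ncmd, opcode=op, status=status,
                      return_params=params[4:])
            if op == opcode(OGF_INFO_PARAM, OCF_READ_BD_ADDR) and status == 0:
                ev["bd_addr"] = format_bd_addr(params[4:10])
        elif code == EVT_COMMAND_STATUS:
            status, ncmd, op = struct.unpack_from("<BBH", params, 0)
            ev.update(status=status, num_hci_cmd_packets=ncmd, opcode=op)
        elif code == EVT_INQUIRY_COMPLETE:
            ev["status"] = params[0]
        return ev
    raise ValueError(f"unsupported packet type 0x{raw[0]:02x}")


# Constructed packets (hcidump shows these as "< HCI Command" / "> HCI Event").
CMD_STATUS_FOR_INQUIRY = bytes.fromhex("04 0f 04 00 01 01 04")
CMD_COMPLETE_READ_BD_ADDR = bytes.fromhex("04 0e 0a 01 09 10 00 55 44 33 22 11 00")

if __name__ == "__main__":
    print(build_inquiry().hex(" "))
    print(parse_packet(CMD_STATUS_FOR_INQUIRY))
    print(parse_packet(CMD_COMPLETE_READ_BD_ADDR))
```

On Linux the same bytes are what a raw HCI socket (socket.AF_BLUETOOTH with BTPROTO_HCI) carries to and from the adapter, and btmon decodes them live; keeping a parser like this around is useful when a capture contains vendor-specific commands the stock decoder labels as unknown.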


Bluetooth Security.

Bluetooth security rests on a few mechanisms. The first is frequency hopping: the hop sequence is known to the master and slaves of a piconet and is often described as protection against third parties, but it is derived from the master's address and clock, both of which an attacker within range can learn, so treat it as interference avoidance rather than a security control. The second is the link key, a 128-bit shared secret established during pairing and used for authentication and for deriving the encryption key. Note that in classic Bluetooth the encryption key length is negotiated per connection and can be shorter than the link key, so "128-bit" describes the stored key material, not necessarily the strength of a given session. The original specifications define three security modes (Bluetooth 2.1 added Security Mode 4, Secure Simple Pairing, which current devices use):
  • Security Mode 1: No security. Authentication and encryption are never initiated.
  • Security Mode 2: Service-level security. A security manager in the host enforces authentication, encryption and authorization per service after the L2CAP channel is set up. It is applied by the application, not switched on by the user, and there is no device-level protection.
  • Security Mode 3: Link-level security. Authentication and encryption based on the link key are enforced by the link manager before the connection is fully established, for every connection.

Bluetooth hacking tools in Kali.

Kali ships several Bluetooth tools; others must be installed separately. To see which tools are already installed and ready to use, open Applications > Kali Linux > Wireless Attacks > Bluetooth Tools (the older Kali menu layout). Among them:
  • Spooftooph: spoofs or clones a Bluetooth device's name, class and address.
  • Redfang: finds non-discoverable devices by brute-forcing address ranges and asking each address for its name.
  • Btscanner: a text-mode (ncurses) scanner that lists visible devices in range and collects their details without pairing.
  • Bluemaho: a GUI suite of tools for testing the security of Bluetooth devices.
  • Bluelog: a survey tool that scans the area for discoverable devices and records them in a log file.
  • Blueranger: a simple Bash script that uses L2CAP echo requests (l2ping) and the reported link quality to detect a device and estimate its distance.

Several Bluetooth Attacks.
  • Bluesmack: a denial-of-service attack that floods the target with oversized L2CAP echo requests (the Bluetooth "ping of death", done with l2ping); older stacks crashed or became unresponsive.
  • Blueprinting: footprinting a device, that is, identifying its manufacturer, model and firmware from its address and SDP service records.
  • Bluebugging: the attacker gains control of the target phone by issuing AT commands over an undisclosed RFCOMM channel (placing calls, reading and sending SMS). An application called Blooover was developed to run this attack automatically from a phone.
  • Bluejacking: the attacker pushes an unsolicited "business card" (vCard) to the victim over OBEX. After the user adds it to their contacts, you can receive and send additional messages.
  • Bluesnarfing: unauthorized pulling of data from a device over OBEX: messages, calendar entries, images, the address book and chats.
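Since hcidump shows every L2CAP echo request the local adapter receives, a Bluesmack flood is easy to spot from the host side. The following added example (not code from the original post or from any of the tools above) runs a simple detector over a constructed capture in the format hcidump -t prints (timestamp, then ">" for data received by the host or "<" for data it sent, then the L2CAP signalling line): a benign one-per-second ping with the default 44-byte payload on one connection handle, then a burst of 600-byte echo requests on another, which is what l2ping -f -s 600 produces. The thresholds are assumptions to tune per environment.

```python
"""Spot a Bluesmack flood in HCI traffic captured with `hcidump -t`.

Added example, not code from the original post or from BlueZ. The log
lines are constructed to approximate hcidump's format: '>' is data received
by the host, '<' data it sent; the L2CAP signalling line follows its ACL
header. Thresholds are assumptions, not values from the post."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

ACL_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ([<>]) ACL data: "
    r"handle (\d+) flags 0x[0-9a-f]+ dlen (\d+)$")
ECHO_LINE = re.compile(r"^\s+L2CAP\(s\): Echo (req|rsp): dlen (\d+)$")

# Assumed thresholds: l2ping sends a 44-byte echo once a second by default;
# Bluesmack uses `l2ping -f -s 600` (flood, oversized payload).
RATE_THRESHOLD = 10     # inbound echo requests per handle per second
SIZE_THRESHOLD = 512    # echo payload size that is suspicious on its own


def constructed_log() -> str:
    """Build a sample capture: a benign ping on handle 11, then a flood on 12."""
    lines = []
    for sec in range(3):
        lines.append(f"2024-08-20 10:00:0{sec}.100000 > ACL data: handle 11 flags 0x02 dlen 52")
        lines.append("    L2CAP(s): Echo req: dlen 44")
        lines.append(f"2024-08-20 10:00:0{sec}.105000 < ACL data: handle 11 flags 0x02 dlen 52")
        lines.append("    L2CAP(s): Echo rsp: dlen 44")
    for i in range(40):
        lines.append(f"2024-08-20 10:00:05.{i * 20000:06d} > ACL data: handle 12 flags 0x02 dlen 608")
        lines.append("    L2CAP(s): Echo req: dlen 600")
    return "\n".join(lines) + "\n"


def parse_echo_requests(text: str) -> List[Tuple[datetime, int, int]]:
    """Return (timestamp, handle, payload length) for every inbound Echo req."""
    events = []
    pending = None   # ACL header waiting for its L2CAP line
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            pending = (ts, m.group(2), int(m.group(3)))
            continue
        m = ECHO_LINE.match(line)
        if m and pending is not None:
            ts, direction, handle = pending
            if direction == ">" and m.group(1) == "req":
                events.append((ts, handle, int(m.group(2))))
        pending = None
    return events


def detect_bluesmack(text: str) -> List[Dict[str, object]]:
    """Flag (handle, second) buckets with too many or too large echo requests."""
    buckets: Dict[Tuple[int, datetime], List[int]] = defaultdict(list)
    for ts, handle, dlen in parse_echo_requests(text):
        buckets[(handle, ts.replace(microsecond=0))].append(dlen)
    alerts = []
    for (handle, second), sizes in sorted(buckets.items()):
        if len(sizes) >= RATE_THRESHOLD or max(sizes) >= SIZE_THRESHOLD:
            alerts.append({"handle": handle, "second": second.isoformat(),
                           "count": len(sizes), "max_dlen": max(sizes)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bluesmack(constructed_log()):
        print(alert)
```

Run it against hcidump -t output saved to a file to get the same alerts on real traffic; a modern stack simply answers the echoes, so the practical use is noticing that someone nearby is probing you, and the connection handle tells you which link to tear down.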

That's it! Additionally, you can also read another article about Bluetooth vulnerabilities.