(Note: The below Article does not belong to me, so use it on your own risk!)
A tutorial I wrote a long time back for neworder group :-) The fundamentals of Bluetooth Security still remain same. Read on
This manual aims at enabling all people know the Pandora?s box in their very own pocket and know how it works! Mobile Phone Bluetooth enabled
Bluetooth, as we all know is a method for wirelessly transmitting the data over networks. Nowadays, it?s more seen in mobile phones. In India after the Cell phone revolution almost all people are now switching over to Bluetooth enabled cell phones to make their lives easier by allowing free transmission of data in a comfortable range and gaming etc. to the owner.
It is relatively better than Infrared (the one in your TV remote), operates on low power, and is a low cost technology with no usage charges. So no reason that it won?T be popular!
However in the mind of a hacker the ways to intrude keep germinating. As I said nothing is unbreakable! Bluetooth too. So before this cranky lecture gets over your nerves, I start the real thing.
It has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted (?paired?) device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be ?backed up? to an attacker?s own system.
A good attacker generally creates a serial profile connection to the device, for obtaining full access to the AT command set( the same commands that connect your modem the internet although different for BT phones), which can then be exploited using tools freely available online, such as PPP for networking and messaging, contact management(deletion and addition), diverts and initiating calls, connect to data services such as the Internet through GPRS, and even monitor conversations in the vicinity of the phone. This latter is done via a voice call over the GSM network, so the attacker can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, making the innocent owner?s incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for identity theft by impersonation of the victim. Hackers are getting smart. So should be you
The Indian context
He can even use that for transferring the balance on his cash card by transferring it from yours! (This is the exploit I discovered recently in the biggest GSM company in India while I was playing around with Bluetooth)
Bluetooth devices are classified among three classes
Class 1 – Range=high, up to 100 meters
Class 2 – Range=Medium, up to 10 meters
Class 3 – Range =low, very much within 10
We are dealing with Class 2 and 3 devices.
Every Bluetooth-enabled device has some characteristics that are either unique (Bluetooth device address), manufacturer specific (the first part of the Bluetooth device address) or model-specific (service description records).
Bluetooth Device Address
Bluetooth device address is something like IP address, unique for each device set. This address consists out of 6 bytes (looks like MAC addresses MM:MM:MM:XX:XX:XX). This address can also be understood as hardware address that is written in the ROM in the chipset of the device. The first three bytes of this address (the M-bytes in the above notation sample) tell us about the manufacturer of the Device. This is the first step to know about the device?s properties . @stake?s redfang tool does this. Unfortunately, it is not possible to tell upon the number range of the address part of the device address (the X-bytes in the above notation sample) which model it is.
Service Discovery Protocol Records
Each Bluetooth device that accepts communication from other Bluetooth devices announces its offered services through a service discovery protocol (SDP) Its like a profile of the device. So, remote devices can query devices upon the offered capabilities. SDP records are returned to the querying device and hold information on how to access the respective service. My method now hashes certain values from the SDPs and generates a unqiue fingerprint value that is then used to refer to a certain phone model.
Take a look at this SDP
Service Name: OBEX Object Push
Service Handle: 000?10c
Service Class ID list:
?OBEX Object Push (0001cx)
Protocol Descriptor list:
/ from Nokia 6310i
Now the attacker will run ?Blueprint software and obtain the following result:
Device: Nokia 6310i
Version: V 5.22 15-11-200x NP
Type: Mobile phone
Note: Vulnerable to Bluebug attack /* A type of attack
How the attack begins!
First step is to scan all the devices in the range of the phone (here I will limit my manual to mobile phones only) after know whom to bluejack/attack the hacker sends him a message using his Bluejack software on the phone.
This is normally only possible if the device is in ?discoverable? or ?visible? mode, but there are tools available on the Internet that allow even this safety to be bypassed easily.
I have written a program in Perl language for such intrusions. Use it to check your phone?s vulnerability to attacks. I will give you the source later in NH group.
How to send SMS from a hacked phone!
This technique can be used by the attacker to know your mobile phone number by sending SMS to himself. ( now you can think of the consequences, blackmailing etc) .
SMS messages can be sent by using SMS PDUs which are different for each company of the phone.
For Nokia PDU visit the German site www.nobbi.com . The sending of the SMS is not generally visible by the user of the attacked phone. Settings can be made for not generating the delivery reports on the phone. So it makes the sending completely hidden for the hacker
AT+CMGF=0 //Set PDU mode AT+CSMS=0 //Check if modem supports SMS commands AT+CMGS=23 //Send message, 23 octets (excluding the two initial zeros) >0011000B916407281553F80000AA0A
E8329BFD4697D9EC37There are 23 octets in this message (46 ?characters?). The first octet (?00?) doesn?t count, it is only an indicator of the length of the SMSC information supplied (0). The PDU string consists of the following
In the same way a call can be initiated on the hacked phone using AT commands that are freely available on net.
This is how one can start from the scratch and easily attack anyone in the range having a BT enabled phone.
For newbies and script kiddies I have few assorted tools in .SIS format that will do the needful for them. You can have the full package in the NH files section!
But its? always advisable to try out the real programming as it turns on the real hacking spirit in you.
Till the next update, bye!