Bluetooth Spoofing

From Embedded Lab Vienna for IoT & Security

Summary

Bluetooth spoofing is a type of attack in which an attacker impersonates Bluetooth devices or their identifiers for malicious purposes. The goal of Bluetooth spoofing can vary, but it often involves attempting to deceive or gain unauthorized access to other Bluetooth-enabled devices or networks.

Requirements

  • A Bluetooth-enabled Kali Linux computer to perform the attack
    • With a CSR Bluetooth Adapter
  • Target Bluetooth device
  • A Bluetooth-enabled device to monitor if the attack worked

It is important to use a USB Bluetooth adapter with a chipset from Cambridge Silicon Radio (CSR). Many other manufacturers' chipsets (including Realtek and Broadcom) are not supported by the BlueZ tooling that the attack relies on. With an unsupported chipset, spooftooph cannot rewrite the adapter address, so the spoofing step fails and the terminal only prints the message "Unsupported manufacturer".

Description

Step 1 - Activate your Bluetooth Interface

First, if using an external Bluetooth dongle, it is necessary to list the USB devices connected to the attacking computer. This can be done with the following command:

lsusb

Then, to look up information about the connected Bluetooth adapter, use:

hciconfig

The output shows, among other things,

  • that the connected adapter sits on a USB bus,
  • that the adapter is of type Primary (master),
  • the address of the Bluetooth adapter.

To activate the adapter, enter:

sudo hciconfig hci0 up

This command activates (brings up) the Bluetooth HCI device with the identifier "hci0" if it is currently down. The identifier can vary, so use the one listed in the output of "hciconfig".

Step 2 - Gathering Information

"hcitool" is a command-line utility that is part of the BlueZ Bluetooth stack on Linux systems, which provides a way to manage Bluetooth devices and services directly from the command line. For gathering information, the scan function can be used. It shows addresses and names of all available Bluetooth devices in proximity.

sudo hcitool scan

For more information, an inquiry can also be performed. It reports additional details, including the device class of each Bluetooth device. At https://domoticx.com/bluetooth-class-of-device-lijst-cod/, for example, the reported class value can be looked up to determine what kind of device it belongs to. Spooftooph can use this information to mimic the device class of the target as well. If you are only testing your own devices, you already have this information, but an attacker has to acquire it first, unless the device name already gives it away.

sudo hcitool inq

Step 3 - Spoofing

Spooftooph is pre-installed on Kali. It is designed for Bluetooth device spoofing on Linux systems and allows users to manipulate Bluetooth device information such as MAC addresses, device names, and device class.

To spoof the address of a device, the following steps need to be carried out:

  • The following command assigns the given address to hci0. When working in a VM, the adapter is disconnected from the VM after this command runs and has to be reconnected manually before continuing with the next step.
sudo spooftooph -i hci0 -a [address of target device]
  • Display the information about your adapter to check whether the address has been successfully changed:
sudo hciconfig
  • Turn the adapter up again after disconnecting:
sudo hciconfig hci0 up

The next step is to make sure the device is discoverable and able to pair with other devices and to spoof the name:

  • Open the interface to interacting with the Bluetooth stack:
bluetoothctl
  • Turn on your Bluetooth adapter (can be skipped if done before):
power on
  • Make the local Bluetooth device discoverable, meaning that it can be seen by other Bluetooth devices during the discovery process:
discoverable on
  • Make the local Bluetooth device pairable, allowing it to accept pairing requests from other devices:
pairable on
  • Set a new alias for the local Bluetooth controller. This is the step that changes the name of the device as displayed to other devices:
system-alias '[New Device Name]'

The attacking adapter now imitates the chosen target device. A user who tries to connect to the target device from another device may inadvertently connect to the attacker's device instead. The attacker then has several options for what to do with this connection.
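From the monitoring side, the same hcitool output used above for reconnaissance can be used to notice an impersonation: a known address that suddenly reports a different name or Class of Device is suspicious. The following Python script is an added example, not part of the original page or of spooftooph; it compares a trusted baseline (recorded while only your own devices were around) against fresh `hcitool scan` and `hcitool inq` output. The function names and the sample output are constructed for this example.

```python
"""Flag a known Bluetooth address that re-appears with a changed name/class.

A cloned address that also copies the name and the Class of Device is
indistinguishable with this check; that limit is part of the lesson.
"""
import re

BDADDR = r"([0-9A-F]{2}(?::[0-9A-F]{2}){5})"
SCAN_LINE = re.compile(r"^\s*" + BDADDR + r"\s+(.*\S)\s*$", re.I)
INQ_LINE = re.compile(
    r"^\s*" + BDADDR + r"\s+clock offset:\s*0x[0-9a-f]+\s+class:\s*(0x[0-9a-f]+)", re.I)


def parse_scan(text):
    """Output of `hcitool scan` -> {address: name}."""
    out = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            out[m.group(1).upper()] = m.group(2)
    return out


def parse_inq(text):
    """Output of `hcitool inq` -> {address: class of device as int}."""
    out = {}
    for line in text.splitlines():
        m = INQ_LINE.match(line)
        if m:
            out[m.group(1).upper()] = int(m.group(2), 16)
    return out


def detect_spoofing(baseline, scan_text, inq_text):
    """baseline: {address: (name, class)} -> list of (addr, field, expected, seen)."""
    names, classes = parse_scan(scan_text), parse_inq(inq_text)
    alerts = []
    for addr, (name, cod) in baseline.items():
        seen_name, seen_cod = names.get(addr), classes.get(addr)
        if seen_name is not None and seen_name != name:
            alerts.append((addr, "name", name, seen_name))
        if seen_cod is not None and seen_cod != cod:
            alerts.append((addr, "class", hex(cod), hex(seen_cod)))
    return alerts


# Constructed sample: the speaker's address now advertises a different alias and class.
BASELINE = {"00:11:22:33:44:55": ("JBL GO", 0x240414)}
SCAN_OUT = "Scanning ...\n\t00:11:22:33:44:55\tJBL GO Pro\n\tAA:BB:CC:DD:EE:FF\tPhone\n"
INQ_OUT = ("Inquiring ...\n"
           "\t00:11:22:33:44:55\tclock offset: 0x2a3f\tclass: 0x1c010c\n"
           "\tAA:BB:CC:DD:EE:FF\tclock offset: 0x1100\tclass: 0x5a020c\n")

if __name__ == "__main__":
    for addr, field, expected, seen in detect_spoofing(BASELINE, SCAN_OUT, INQ_OUT):
        print(f"ALERT {addr}: {field} changed from {expected!r} to {seen!r}")
```

Feed it the real command output (`hcitool scan` and `hcitool inq` captured to files) and a baseline taken in a clean environment; an alert means the address is being presented by something other than the device you recorded.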

Used Hardware

For the execution of this attack,

  • a Kali Linux VM,
  • an Axxtra Bluetooth Dongle,
  • a JBL GO Speaker, and
  • an Android Smartphone were used.
