Posts: 740 Location: USA Joined: 17.12.07 Rank: God
Posted on 24-03-18 01:26
So a while back someone posted in the shoutbox asking about good resources regarding hacking Bluetooth. I've never really looked into Bluetooth, but I figured it couldn't be too different from WiFi (which I have spent a bunch of time messing with) so I decided to look around a bit. Turns out I was super wrong. Three thousand pages later it turns out I couldn't be more wrong. Go figure. Anyway, I delved a bit deeper and found some pretty cool historic attacks and thought it'd be neat to drop the links here and see if we could drum up some conversation. Maybe if anyone's interested we could work on mocking up and running the PoCs to see how they work and such. I dunno. Worst case someone sees something cool that they didn't know before.
- Anyway, first up is BlueBorne: a suite of attacks ranging from info disclosure and MitM to full-blown unauthenticated, connectionless, over-the-air, root RCE (on some systems. Regular RCE on others). And this is from earlier last year. Holy crap. Their technical whitepaper has tons of background info on Bluetooth and very good descriptions of the vulns themselves. A super cool read.
- Next we've got the slightly-less-exciting-yet-infinitely-more-approachable network-level attack against this garbage IoT device. Using an Ubertooth One to watch traffic between the device and their mobile device allowed them to do some nasty things. Turns out safe companies don't know how to write software. Go figure. Also worth noting: more of a hack using Bluetooth than a "Bluetooth hack". I still count it.
- And, finally, a rather old overview of the general landscape (at the time) from a prestigious security conference in Germany.
As a general info point, a lot of these examples were found pivoting off of MITRE's CVE database, a pretty neat tool for tracking and searching through known vulnerabilities. While it's kind of tough getting the actual exploit or technical details from the site itself, it's a good enough starting point.
So what do you guys think? Is this something any of you would be interested in pursuing? I can continue dumping links as I come across them or get a firmware blob from a listed device or... I dunno? Start working on a fuzzer for some of the internal communication structures?
Posts: 2013 Location: Scotland Joined: 20.02.08 Rank: God
Posted on 24-03-18 17:35
Bluetooth hacking is something I've never really looked into; I've always meant to, but just never got around to it.
It's one of the few things on my phone that I never ever use, apart from when connecting to a Bluetooth speaker.
And considering about 95% of all the pwning I do these days is done solely from my Android phone, I feel a tiny bit ashamed for neglecting Bluetooth so badly, so count me in man.