The Bluetooth Team has been working hard all semester and has finally finished testing with all of its Bluetooth tools. This semester has been challenging for everyone as we learned about Bluetooth and its vulnerabilities. Our team has gained a lot of insight into the realities of modern Bluetooth security, using tools such as Econocom Digital Security's Btlejuice, Pwnie Express's BlueHydra, and the l2ping command from the Linux BlueZ library.
Using Btlejuice presented many difficult hurdles. The goal of using Btlejuice was to intercept Bluetooth packets (specifically GATT traffic) as they were being broadcast and to use that information to control the Bluetooth device. One of the problems we faced as a team was that Btlejuice did not work well with Firefox: it had trouble picking up devices consistently. The creator of Btlejuice, Damien Cauquil, stated that it works best with Chrome. We tried installing Chrome but were not able to install it onto our Kali distribution, so we had to resort to Chromium, which unfortunately did not fix our connection problems either.
Figure 1: Network diagram of the actual configuration the team encountered
Figure 1 above is a diagram of the setup we had when using Btlejuice. The proxy facilitates the Bluetooth connections, and the web proxy is supposed to display the intercepted data. The problem we encountered (see letter A) was that when our Schlage Smart Sense Lock was connected to the proxy, the proxy would not relay back to the iPad, so no information coming from the iPad could be intercepted. We also demonstrated that the Smart Sense Lock will not send its locked or unlocked status to the proxy, as evidenced by the fact that even when we used the keypad or the turn lever to open the lock, we did not intercept that information.
Figure 2: Network diagram of the ideal configuration
Figure 2 above shows the ideal process by which the proxy is supposed to work. It acts as a relay: any command going to or from the controller or the device is intercepted by the proxy, captured, and then forwarded to its destination. Letter A shows the proxy relaying information back and forth between both devices, while letter B shows that the hci0 adapter is connected to the Smart Lock itself.
Initially, we wanted to use BlueHydra to find information about Bluetooth devices in the area. Specifically, we wanted to determine the range of each device in an attempt to potentially track an individual around a building based on the location of their Bluetooth device. However, the team was never able to get this feature of BlueHydra to work. The team was, however, able to gather important information on visible devices, such as their MAC address, device name, Bluetooth version, and manufacturer. Obtaining this information about our Bluetooth devices was vital so that we could exploit them using the other tools in our vulnerability assessment repertoire, such as Btlejuice and l2ping.
We first discovered l2ping as a means of detecting whether a device was transmitting so that we could begin testing. Shortly after, we discovered "Bluesmack", the term used to describe the malicious use of the l2ping command, and began testing its effectiveness against devices ranging from Bluetooth keyboards to a MacBook Pro. Our testing revealed that l2ping's effectiveness varied with the type of device it was used against: it could completely shut down a smartwatch or keyboard, but it could not cause any noticeable disruption to a larger device such as a laptop.