While Bluetooth has become a ubiquitous part of our daily lives, a majority remain unaware of its inner workings and, more importantly, its susceptibility to hacking. Delving into the realm of Bluetooth hacking provides a direct glimpse into the target’s world. Given that nearly every device is equipped with Bluetooth capabilities, exploiting this wireless technology could potentially grant access to a wealth of personal information stored on phones and tablets.

Despite Bluetooth and Wi-Fi sharing the same 2.4 GHz frequency, their distinct protocols render them different entities in terms of security. Bluetooth’s heightened security measures make conventional Wi-Fi hacking tools ineffective against it.

One notable feature is the continuous frequency hopping employed by Bluetooth devices. When two devices communicate via Bluetooth, they utilize an algorithm that dynamically shifts the frequency multiple times per second. This constant frequency hopping poses a significant challenge for potential attackers attempting to eavesdrop on the communication.

Additionally, Bluetooth differs from Wi-Fi in how it handles key negotiation. While Wi-Fi negotiates a key with every connection, Bluetooth establishes a key only once during the initial connection. Subsequently, this secret key is stored and referenced for subsequent communications with the same device. Unlike Wi-Fi, this approach makes it virtually impossible for an attacker to passively sniff the key, as they would need to be present during the initial communication.

However, this doesn’t mean Bluetooth is impervious. It is still susceptible to tracking nearby devices, extracting information from them, and even manipulating specific characteristics. Conducting reconnaissance becomes crucial, as it may unveil opportunities to seize control, identify vulnerabilities, or discover potential exploits that align with nearby devices.

Understanding the nuances of Bluetooth technology is vital not only for users but also for those tasked with securing these wireless connections in an ever-evolving digital landscape.

Embarking on Bluetooth surveillance requires a well-equipped setup. Ensure you have an up-to-date installation of Kali Linux, as we’ll leverage its built-in Bluetooth tools for this endeavor. Keeping it streamlined, we won’t be adding any extra tools; the default Bluetooth toolkit in Kali Linux will suffice.

Key tools included in BlueZ, the default Bluetooth protocol stack in most Linux versions, form the foundation of our exploration. Among these, we’ll delve into hciconfig, hcitool, sdptool, l2ping, and btscanner. Additionally, specialized tools tailored for Bluetooth reconnaissance in Kali Linux will be introduced.

Proximity is a critical factor in Bluetooth hacking. Armed with a reliable Bluetooth adapter, you can target devices in various settings — be it a coffee shop, school classroom, office, or even within close proximity of a neighbor’s house. Ensure your Bluetooth adapter is of high quality to maximize the reach of your Bluetooth reconnaissance.

Much like ifconfig serves for Wi-Fi, the counterpart for Bluetooth devices is hciconfig. This tool facilitates the activation of your Bluetooth adapter, serving as the initial step in our reconnaissance journey. Familiarize yourself with hciconfig to set the stage for efficient Bluetooth hacking.

~# hciconfig
hci0     Type: Primary Bus: USB
BD Address: ██:██:██:██:██:██ ACL MTU: 1022:8 SCO MTU: 183.5
RX bytes:574 acl:0 sco:0 events:30 errors:0
TX bytes:368 acl:0 sco:0 commands:30 errors:0

Just as ifconfig is synonymous with Wi-Fi, hciconfig takes the lead for Bluetooth devices. In this guide, we’ll navigate the setup of your Bluetooth interface, an essential precursor for efficient Bluetooth hacking. Observe our example, where the Bluetooth interface is currently inactive (down). Follow these steps to bring it to life and initiate your Bluetooth operations. Suppose you are well-acquainted with ifconfig commands. In that case, adapting to hciconfig will be seamless, as they share a structural resemblance. For instance, if you need to activate a Wi-Fi interface, the command is “ifconfig [interface_name] up”. In the realm of Bluetooth, using hciconfig mirrors this process. Explore the hciconfig man page for a comprehensive list of compatible commands.

The versatility of hciconfig extends beyond mere interface activation; it’s a powerful tool for configuring Bluetooth devices. Whether you have an external Bluetooth device connected, its application encompasses device discovery and configuration. Once familiarized with this aspect, press Q to exit the hciconfig man page. To bring a discovered Bluetooth device online, execute the command `hciconfig [device_name] up`. This step is crucial in preparing the identified Bluetooth device for subsequent operations.

~# hciconfig hci0 up

To see if it worked, run the hciconfig command again:

~# hciconfig
hci0     Type: Primary Bus: USB
BD Address: ██:██:██:██:██:██ ACL MTU: 1022:8 SCO MTU: 183.5
RX bytes:1148 acl:0 sco:0 events:60 errors:0
TX bytes:736 acl:0 sco:0 commands:60 errors:0

Now let’s use hcitool to look for Bluetooth devices that are sending out their discover beacons (in discovery mode). First, let’s check out its man page:

Hcitool proves invaluable in configuring and executing diverse tasks such as scans, inquiries, and name retrieval. However, certain commands necessitate the use of MAC addresses. A fundamental operation is scanning for nearby Bluetooth devices, providing MAC addresses for further inquiries or attempts to extract device names. Initiate a scan with the command hcitool scan. This employs the Bluetooth interface to identify nearby devices, revealing their MAC addresses. This information serves as a gateway for subsequent scans, inquiries, or endeavors to unveil device names.

~# hcitool scan
Scanning ...
00:1D:A5:00:09:1D OBDII

Above, we see an OBD2 connector which is connected to a vehicle. That’s pretty interesting. With the MAC address, we can now we can do another command that required us to have a MAC address in the first place. Let’s try getting the name of the device:

~# hcitool name 00:1D:A5:00:09:1D

That should allow us to get the name of the device, but we already knew it from that first scan. If we didn’t know it, however, it’ll allow us to be able to learn more about it. To learn more, we can use the inq command:

~# hcitool inq 00:1D:A5:00:09:1D
Scanning ...
00:1D:A5:00:09:1D clock offset: 0x21c0 class: ox5a020c

Note that it also displays clock offset and the class. The class indicates what type of Bluetooth device it is, and we can look up the code by going to the Bluetooth site. Or, as we will see later, some tools will do it for us.

Exploring the realm of Bluetooth devices demands a meticulous examination of their services. Meet `sdptool`, a versatile companion crafted for precisely this purpose. This tool empowers users to delve into the intricacies of a device’s services, offering profound insights into its functionalities, both expansive possibilities and inherent constraints. Before embarking on the journey of exploration using `sdptool`, it’s essential to acquaint oneself with its command options and diverse functionalities. A robust grasp of available commands ensures a more nuanced and effective exploration experience. Equipped with this knowledge, seamlessly utilize `sdptool` to unravel the array of services extended by a Bluetooth device. This comprehensive exploration not only unveils the device’s properties but also provides a nuanced understanding, enabling informed reconnaissance and strategic interaction.

Now, equipped with a foundational understanding of `sdptool`, let’s harness its capabilities to delve into the intricacies of service discovery on Bluetooth devices. `sdptool` serves as a versatile tool for configuring, controlling, and interrogating SDP (Service Discovery Protocol) servers. This functionality empowers us to conduct detailed queries on Bluetooth devices, unraveling crucial information about permissions, and gaining insights into potential actions within those services. To embark on this exploration, initiate the command by typing `sdptool browse` followed by the MAC address we previously captured. This command serves as the gateway to a comprehensive understanding of the device’s service landscape, shedding light on permissions, constraints, and possibilities that await discovery.

~# sdptool browse 00:1D:A5:00:09:1D
Browsing 00:1D:A5:00:09:1D ...
Service Name: SPP
Service RecHandle: 0x10001
Service Class ID List:
"Serial Port" (ox1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1

In this context, the output provides additional insights into the realm of communications, unveiling the intricacies of protocols employed by the device. This newfound knowledge becomes pivotal as we navigate the landscape of potential vulnerabilities within the device. By scrutinizing the details, we might uncover vulnerabilities, ascertain the feasibility of direct communication, and even discern whether the device employs security measures such as MAC address randomization. This multifaceted exploration equips us with the information needed to make informed decisions and strategic moves in our Bluetooth reconnaissance endeavors.

Now that we’ve acquired the MAC addresses of the nearby devices, we can utilize l2ping to ping them, whether they are in discover mode or not, to assess their reachability. In my case, there’s just one device. Before proceeding, let’s explore the tool’s man page to understand all available options.

We don’t need to do anything fancy here, just ping the Bluetooth device as so:

~# l2ping 00:1D:A5:00:09:1D
Ping: 00:1D:A5:00:09:1D from ██:██:██:██:██:██ (data size 44) ...
44 bytes from 00:1D:A5:00:09:1D id 0 time 37.57ms
44 bytes from 00:1D:A5:00:09:1D id 1 time 27.23ms
44 bytes from 00:1D:A5:00:09:1D id 2 time 27.59ms
44 bytes from 00:1D:A5:00:09:1D id 3 time 27.31ms
44 bytes from 00:1D:A5:00:09:1D id 4 time 40.99ms
44 bytes from 00:1D:A5:00:09:1D id 5 time 48.77ms
44 bytes from 00:1D:A5:00:09:1D id 6 time 59.93ms
44 bytes from 00:1D:A5:00:09:1D id 7 time 48.84ms
44 bytes from 00:1D:A5:00:09:1D id 8 time 67.59ms

This indicates that the device is within range and reachable.

Now, let’s shift our focus to the final tool in our arsenal — a full-fledged graphical user interface designed for Bluetooth device discovery. It goes by the name btscanner. To initiate it, simply type btscanner. Before proceeding, let’s quickly review the man pages for this tool as well.

As you can observe, there isn’t much to btscanner in terms of command-line parameters. This is because btscanner is a graphical user interface (GUI) tool, and its functionality becomes evident once the tool is executed. Let’s go ahead and run btscanner to unveil its capabilities.

~# btscanner
Opening the OUI database
Reading the OUT database

