Open in app

Sign in

Write

Sign in

Bluetooth Hacking: A Guide for Cyber Security Enthusiasts #1

Sethu Satheesh
10 min readMar 30, 2024

--

Hey guys, my name is Sethu Satheesh, a cyber security researcher and a software engineer. In this write up we are going to dive into the concepts of bluetooth hacking, so let’s start it from the first basics and go to the advances exploits. For interesting contents like this do follow me and follow me on instagram @whxitte.

#Bluetooth Hacking — part 1

Bluetooth is a wireless communication protocol that allows devices to connect and exchange data over short distances. It is widely used for various purposes, such as connecting headphones, speakers, keyboards, mice, smartwatches, and other peripherals to smartphones, laptops, tablets, and other devices.

However, Bluetooth also poses potential security risks that can be exploited by hackers to gain unauthorized access to devices or data.

Bluetooth enabled shipments are increasing day by day. So the market of Bluetooth is never decreasing.

Bluetooth market

Bluetooth operates on a frequency hopping spread spectrum (FHSS) technique, as compare it with Wi-Fi’s channel-based approach. While Wi-Fi devices typically remain fixed on a specific channel once transmission begins, Bluetooth dynamically utilizes its entire frequency band, hopping through 79 channels at a rapid pace of 1600 hops per second. This dynamic hopping enhances reliability by minimizing interference but as from our hacker’s it also poses challenges for unauthorized sniffing attempts. Unlike Wi-Fi signals that remain predictable on a single channel, Bluetooth’s agile frequency hopping pattern requires sophisticated synchronization methods and equipment for successful interception and analysis, we will explore this in detail later.

Bluetooth Versions:

  1. Classic Bluetooth:

Classic Bluetooth, designated for data-intensive tasks such as audio streaming, file transfers, and direct device communication, operates within the 2.4 GHz frequency spectrum, the same band shared by common Wi-Fi networks and household microwave ovens. This iteration of Bluetooth boasts a maximum data throughput ranging from 1 to 3 Mbps, although newer versions can support higher speeds. Classic Bluetooth utilizes a frequency-hopping mechanism across 80 channels, contributing to its robustness against interference and coexistence with other wireless technologies. However, due to its higher power consumption compared to Bluetooth Low Energy (BLE), Classic Bluetooth is more suitable for applications where data throughput and continuous connectivity take precedence over energy efficiency.

Used for data-intensive applications like audio streaming, file transfer, and device-to-device communication.

2. Bluetooth Low Energy (BLE):

Bluetooth Low Energy (BLE) stands out as a revolutionary technology tailored for low-power applications and IoT devices with stringent energy requirements. Offering significantly reduced power consumption compared to Classic Bluetooth, BLE facilitates intermittent data transfer while ensuring extended battery life. With data transfer rates ranging from 125 kbps to a maximum of 2 Mbps, BLE caters to diverse application needs, from simple sensor data collection to more data-intensive tasks like firmware updates or audio streaming. Its advanced features, including efficient advertising and scanning mechanisms, optimized connection intervals, and power-saving sleep modes, make BLE an ideal choice for wearable technology, smart home devices, healthcare monitors, and various IoT implementations.

Classic Bluetooth Protocol Stack:

  1. Physical Layer:
  • Responsible for radio transmission using the 2.4 GHz ISM band.
  • Supports multiple data rates depending on the Bluetooth version (e.g., 1, 2, or 3 Mbps).

2. Link Layer:

  • Manages device discovery, connection setup, and packet formatting.
  • Implements error detection and correction mechanisms.

3. Logical Link Control and Adaptation Protocol (L2CAP):

  • Handles multiplexing data streams, segmentation, reassembly of packets, and QoS negotiations.
  • Essential for supporting higher-level protocols and services.

4 . RFCOMM:

  • Emulates serial port connections over Bluetooth.
  • Enables the transmission of serial data between devices, ensuring compatibility with legacy applications.

5. Application Profiles:

  • Define specific functionalities and data formats for different use cases.
  • Examples include the Hands-Free Profile (HFP), Audio/Video Remote Control Profile (AVRCP), and Serial Port Profile (SPP).

Bluetooth Low Energy (BLE) Protocol Stack:

  1. Physical Layer:
  • Similar to Classic Bluetooth, responsible for radio transmission but optimized for low-power consumption.

2. Link Layer:

  • Handles device discovery, connection establishment, and efficient data packet formats for low-energy communication.

3. Logical Link Control and Adaptation Protocol (L2CAP):

  • Functions similarly to Classic Bluetooth but with optimizations for BLE’s low-power characteristics.

4. Generic Attribute Profile (GATT):

  • A key addition to the BLE protocol stack, defining the structure and behavior of data exchanged between BLE devices.
  • Based on a client-server model with attributes and services for data exchange.

5. Attribute Protocol (ATT):

  • Works in conjunction with GATT to define how data is organized and accessed in BLE devices.
  • Supports efficient data exchange for IoT and sensor-based applications.

6. Application Profiles:

  • Include standard BLE profiles such as the Generic Access Profile (GAP), Generic Attribute Profile (GATT), and specific application profiles like Heart Rate Profile (HRP) and Proximity Profile (PXP).

Device discovery and connection establishment for Bluetooth Low Energy (BLE) and Classic Bluetooth

Bluetooth Low Energy (BLE) Process:

  1. Advertisement:
  • Peripheral devices (e.g., IoT sensors, smart devices) broadcast advertisement packets on three advertising channels (37, 38, 39) within the 2.4 GHz ISM band.
  • Advertisement packets contain information such as device name, services offered, unique identifiers (UUIDs), and possibly additional data.

2. Scanning:

  • Central devices (e.g., smartphones, tablets) perform scanning on the advertising channels to discover nearby BLE peripherals.
  • During scanning, the central device listens for advertisement packets and collects information about available devices, including RSSI (Received Signal Strength Indication) to estimate proximity.

3. Connection Establishment:

  • Once the central device identifies a peripheral it wishes to connect to, it sends a connection request to the peripheral.
  • The connection establishment process includes negotiating connection parameters such as connection interval, slave latency, supervision timeout, and initiating the security setup (if required).
  • Upon successful negotiation and confirmation, the central and peripheral devices establish a connection using the Bluetooth Low Energy protocol stack.
  • The connection allows bidirectional data exchange between the central and peripheral devices, facilitating communication for various applications such as sensor data collection, remote control, and monitoring.

Classic Bluetooth Process:

  1. Inquiry and Inquiry Scan:
  • Devices interested in discovering other Bluetooth devices initiate an inquiry process to search for nearby devices.
  • During the inquiry process, devices transmit inquiry packets on the inquiry scan channels (typically 32 channels within the 2.4 GHz band) to discover discoverable devices.
  • Discoverable devices respond with inquiry response packets, providing information about their capabilities and services.

2. Pairing and Connection:

  • Once devices are discovered through inquiry, they enter a pairing process to establish a secure and authenticated connection.
  • Pairing involves exchanging pairing information, such as PIN codes or passkeys, to authenticate and encrypt the communication channel.
  • After successful pairing, devices establish a connection using the Bluetooth protocol stack, enabling data exchange for applications like audio streaming, file transfer, and device control.

In summary, BLE uses advertisement packets and scanning on advertising channels for device discovery, while Classic Bluetooth employs an inquiry process and pairing for connection establishment. Both protocols have specific procedures tailored to their respective communication requirements and use cases.

BLE device details from it’s advertisement (scanned with nrf connect app)
Connected device showing specific services it provide (heart rate, battery services etc..)

Bluetooth Encryption and Pairing:

When a central device, such as a mobile phone, wants to connect to a peripheral device in Bluetooth Low Energy (BLE), it begins by scanning the three advertising channels to discover available devices. Once a connection is established between the central and peripheral devices, data exchange can occur using what are known as characteristics in Bluetooth. These characteristics act as APIs, each with a unique UUID and various sets of permissions, such as read, write, and notify.

Notably, encryption and pairing in Bluetooth are closely related. Pairing initiates a key exchange between devices, establishing a secure connection.

In BLE, two pairing methods exist: Legacy pairing and Secure pairing.

Legacy pairing uses a custom key exchange protocol, which is vulnerable to attacks and can be cracked in seconds.(- Can be cracked in ~1 second by passive monitoring — https://github.com/mikeryan/crackle/) However, with Bluetooth 4.2 and newer versions, Secure pairing was introduced, employing an elliptic curve Diffie-Hellman-based key exchange protocol. This secure method significantly enhances security and mitigates many potential attacks, although an active man-in-the-middle attack remains theoretically possible during the initial pairing phase.

It’s essential to note that Bluetooth Low Energy communications are not inherently encrypted or authenticated by default. This means that while devices can connect without encryption, data may still be secured through custom encryption applied by applications before transmission.

More about Frequency Hopping Spread Spectrum (FHSS)

Frequency Hopping Spread Spectrum (FHSS) is a technique used in Bluetooth and other wireless communication systems to enhance reliability and reduce interference. In FHSS, the available frequency band is divided into multiple channels, and the transmitter rapidly switches between these channels in a predetermined pattern known as hopping. This hopping pattern is synchronized between the transmitter and receiver, allowing them to hop to the same channel at the same time.

One of the key advantages of FHSS is its robustness against interference and noise. By hopping across different channels, FHSS can avoid continuous interference on a single channel, leading to more reliable and stable communication. Additionally, FHSS provides some level of security as it makes it difficult for unauthorized users to intercept or jam the signal effectively.

However, FHSS also presents challenges for hackers attempting unauthorized access or sniffing. Since the hopping pattern is predetermined and synchronized between devices, hackers need sophisticated equipment and techniques to accurately capture and decipher the hopping sequence. This adds a layer of complexity and difficulty for unauthorized parties trying to intercept Bluetooth communications using FHSS.

Bluetooth Evolution

Moving on to Bluetooth versions, the technology has evolved significantly from its early versions to the latest iterations like Bluetooth 5.0 and Bluetooth 5.1. These newer versions have introduced several security enhancements to address vulnerabilities and improve overall security.

Bluetooth 5.0, for example, introduced the LE Secure Connections feature, which enhances pairing security by using stronger cryptographic algorithms and key exchange methods. It also introduced the LE Privacy feature, which helps prevent tracking and eavesdropping by randomizing device addresses during advertising.

Similarly, Bluetooth 5.1 introduced the Direction Finding feature, which enables more precise location tracking and enhances security in environments where location-based services are crucial. These advancements highlight the ongoing efforts in Bluetooth development to enhance security and privacy across different versions.

More about Bluetooth protocol stack

When it comes to the Bluetooth protocol stack, each layer plays a vital role in ensuring secure and reliable communication. The protocol stack typically includes layers such as the Physical Layer, Link Layer, Logical Link Control and Adaptation Protocol (L2CAP), RFCOMM, and application profiles.

At the Physical Layer, encryption and frequency hopping are implemented to secure data transmission and reduce interference. The Link Layer handles device discovery, connection establishment, and security negotiations, including authentication and encryption key exchange.

L2CAP, RFCOMM, and application profiles build on these lower layers to provide higher-level functionalities while ensuring data integrity, confidentiality, and authentication. Encryption algorithms like AES (Advanced Encryption Standard) are commonly used in Bluetooth for secure data transmission, and authentication protocols like Secure Simple Pairing (SSP) and Secure Connections enhance pairing security.

Overall, the Bluetooth protocol stack integrates various security features at different layers to protect against potential threats and ensure secure communication between Bluetooth-enabled devices.

Device Discovery and Connection Establishment in detail

In Classic Bluetooth, the device discovery process involves an inquiry phase where devices actively search for nearby Bluetooth-enabled devices. During inquiry, devices transmit inquiry packets on specific inquiry scan channels to discover discoverable devices in the vicinity. Discoverable devices respond with inquiry response packets containing information about their capabilities and services. Once devices are discovered, they enter a pairing process to establish a secure and authenticated connection. Pairing involves exchanging pairing information, such as PIN codes or passkeys, to authenticate and encrypt the communication channel. After successful pairing, devices establish a connection using the Bluetooth protocol stack, enabling data exchange for applications like audio streaming, file transfer, and device control.

In Bluetooth Low Energy (BLE), the device discovery process differs slightly. BLE devices use advertisement packets to broadcast their presence on three advertising channels within the 2.4 GHz ISM band. Central devices, such as smartphones or tablets, perform scanning on these advertising channels to discover nearby BLE peripherals. Upon discovering a desired peripheral, the central device initiates a connection request, leading to connection establishment using the BLE protocol stack. During connection setup, devices negotiate connection parameters and security settings, such as encryption and authentication, to ensure a secure communication channel.

Secure pairing methods and encryption protocols play a crucial role in preventing unauthorized access during the device discovery and connection establishment process. Secure pairing mechanisms, such as Secure Simple Pairing (SSP) in Classic Bluetooth and Secure Connections in BLE, use stronger cryptographic algorithms and key exchange protocols to authenticate devices and establish secure connections. Encryption protocols like AES (Advanced Encryption Standard) are employed to encrypt data exchanged between paired devices, protecting it from unauthorized interception or tampering.

Bluetooth Encryption and Pairing in detail

A real-world example showcasing the vulnerabilities of Legacy pairing in BLE is the crackle tool (https://github.com/mikeryan/crackle/), which can crack Legacy pairing keys in approximately one second through passive monitoring. Legacy pairing uses a custom key exchange protocol that is susceptible to passive eavesdropping attacks, compromising the security of BLE connections. However, with the introduction of Secure pairing in newer Bluetooth versions (e.g., Bluetooth 4.2 and above), vulnerabilities associated with Legacy pairing are significantly mitigated.

Secure pairing protocols, such as Secure Connections in Bluetooth 4.2+, employ robust key exchange mechanisms like elliptic curve Diffie-Hellman (ECDH) to establish secure connections between devices. These secure methods enhance security and protect against passive monitoring attacks by ensuring that pairing keys are not easily compromised.

Additionally, active man-in-the-middle attacks pose a significant threat to Bluetooth connections, particularly during the initial pairing phase. An attacker can intercept communication between devices, modify data, or impersonate legitimate devices to gain unauthorized access. Secure pairing protocols, combined with encryption mechanisms, help mitigate the risks associated with man-in-the-middle attacks by establishing secure and authenticated connections that are resistant to tampering or interception.

In this comprehensive guide to Bluetooth technology and security, we have explored the fundamentals of Bluetooth communication protocols, including Classic Bluetooth and Bluetooth Low Energy (BLE). We discussed the Bluetooth protocol stacks, device discovery processes, connection establishment procedures, and encryption and pairing methods used in Bluetooth-enabled devices.

The 2nd part will come soon, in that we will enter into the actual world of Bluetooth hacking and exploiting !

Thank you and happy h4cking :)

Follow here for more intresting contents and follow me on instagram @whxitte

~ By Sethu Satheesh

Bluetooth Hacking
Bluetooth Low Energy
Hacking
Cybersecurity
Ethical Hacking

--

--

Sethu Satheesh

Written by Sethu Satheesh

63 Followers

Cyber security researcher | Software engineer | own: whxite lab

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams