
Bluetooth Vulnerability Assessment 2.0

The Bluetooth Team has been hard at work using the tools previously gathered to assess – and exploit – vulnerabilities in the wireless connectivity protocol. With Pwnie Express’s BlueHydra and Econocom Digital Security’s Btlejuice installed on each of the two teams’ respective laptops, we have begun our analysis of current Bluetooth vulnerabilities and how hard it actually is to exploit them.

Analysis

As stated in our previous blog post, Bluetooth makes wireless connections faster and easier to establish by transferring data between two devices over radio waves. Bluetooth Low Energy devices use the GATT (Generic Attribute Profile) to define how they communicate: a GATT profile contains services, and each service consists of characteristics that expose the device’s functions. Because of this, the Btlejuice Team was able to use Btlejuice to impersonate our target, wait for the user to communicate with it, and capture the GATT requests the user sent to it. We were then able to replay or modify those requests and send them to our target to make it do what we want.
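To show why a captured GATT write can simply be sent again, and what a lock’s firmware can do about it, here is an added Python model (not code from the LCDI team, Btlejuice, or Schlage; the UUIDs, command byte and shared key are constructed assumptions, not the real lock’s profile): a naive control characteristic that accepts any replayed write, beside one that binds each write to a single-use challenge.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder UUIDs and command byte for illustration only.
LOCK_CONTROL_CHAR = "0000ff01-0000-1000-8000-00805f9b34fb"
CHALLENGE_CHAR = "0000ff02-0000-1000-8000-00805f9b34fb"
UNLOCK_CMD = b"\x01"


class NaiveLock:
    """Write handler that trusts any well-formed value on the control characteristic."""

    def write(self, char_uuid, value):
        if char_uuid == LOCK_CONTROL_CHAR and value == UNLOCK_CMD:
            return "unlocked"
        return "rejected"


class HardenedLock:
    """Same characteristic, but a write must carry an HMAC over a fresh, single-use challenge."""

    def __init__(self, shared_key):
        self.key = shared_key      # assumed to be provisioned to phone and lock at pairing
        self.pending = None        # challenge the next write must answer

    def read(self, char_uuid):
        if char_uuid != CHALLENGE_CHAR:
            return None
        self.pending = secrets.token_bytes(16)   # new random challenge per transaction
        return self.pending

    def write(self, char_uuid, value):
        if char_uuid != LOCK_CONTROL_CHAR or self.pending is None:
            return "rejected"
        expected = hmac.new(self.key, self.pending + UNLOCK_CMD, hashlib.sha256).digest()
        self.pending = None        # consume the challenge: the same tag can never verify again
        return "unlocked" if hmac.compare_digest(value, expected) else "rejected"


def naive_replay_demo():
    lock = NaiveLock()
    captured = (LOCK_CONTROL_CHAR, UNLOCK_CMD)   # what a proxy in the middle would observe
    first = lock.write(*captured)                # the legitimate user's write
    replay = lock.write(*captured)               # identical bytes sent again later
    return first, replay


def hardened_replay_demo():
    key = secrets.token_bytes(32)
    lock = HardenedLock(key)
    challenge = lock.read(CHALLENGE_CHAR)
    tag = hmac.new(key, challenge + UNLOCK_CMD, hashlib.sha256).digest()
    first = lock.write(LOCK_CONTROL_CHAR, tag)   # valid answer to this challenge
    lock.read(CHALLENGE_CHAR)                    # next transaction gets a new challenge
    replay = lock.write(LOCK_CONTROL_CHAR, tag)  # old tag no longer matches anything
    return first, replay
```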

Process

Since our last blog post, the Btlejuice Team has successfully launched Btlejuice against the Schlage Sense Smart Deadbolt and was able to unlock it remotely from our laptop. After unlocking the smart lock, the team noticed an issue with the Schlage Sense smartphone application: it no longer shows our lock as visible, yet it is still connecting to it over Bluetooth. We are currently investigating why this happened and hope to resolve it so we can further test Btlejuice’s replay-attack capabilities against the smart lock. We will provide an update on this issue in our next blog post.

The BlueHydra Team is currently configuring an Ubertooth One dongle (an open-source Bluetooth monitoring tool) for better use with the BlueHydra program. Once configuration and extensive testing are complete, the team hopes to use BlueHydra for monitoring Bluetooth devices around a given area. This would involve setting up monitoring stations that feed information back to a centralized unit, which will display the Bluetooth-enabled devices present in the area. More on this in our next blog post.

Conclusion

Bluetooth security is continually overlooked, so we hope to raise awareness of this protocol through our proof-of-concept tests. With BlueHydra and Btlejuice installed on their respective laptops, the Bluetooth Team hopes to continue its research into vulnerabilities that currently exist in the Bluetooth protocol.

Questions or comments? Please share with us in the comment section below! You can also reach out to us on Twitter and Facebook, or email us at lcdi@champlain.edu. Also, don’t forget to check out our Blogs!