Bluetooth symbol with program code

Bluetooth Security Forensics 2.0

Bluetooth Recon Phase

The Bluetooth team has been using Pwnie Express’s BlueHydra and Econocom Digital Security’s Btlejuice to gather information about the various devices we will be working with throughout the semester. The team collectively decided it was imperative to understand how these tools gather the data they report before we can begin searching for and exploiting vulnerabilities. Therefore, we set out on the first tangible part of our research: the recon phase. In order to obtain consistent results, we compiled a list of devices like tablets, fitness wristwatches, keyboards, and speakers. Using BlueHydra, we recorded relevant information about each device such as how they were discovered, their MAC addresses, and the version of Bluetooth they’re running. With the working list of Bluetooth devices, we have begun to analyze the data.

Analysis

Starting with BlueHydra, we examined which devices it could discover automatically and how we could manipulate them to show up when it is scanning for Bluetooth signals. After some trial and error, we began seeing patterns in how certain devices were showing up. In an effort to understand how the program is designed to work, we delved into the code itself and searched for how we can better use BlueHydra to gather even more information. One recurring issue we have encountered, is having BlueHydra report the range of discovered devices. The code references iBeacon devices are required to determine range. However, when we used devices we know use iBeacon, we still could not get BlueHydra to report range. We are currently looking into ways to force BlueHydra to recognize the iBeacon and report the range.

The team has also begun exploring Btlejuice and its functionality but during this recon phase we are seeking information gathering rather than exploitation, which is what Btlejuice is designed for.

CONCLUSION

We are well underway in our efforts to answer our research questions and are excited to share all our findings with you as we progress. By gathering as much information as possible about our devices and the tools in this ‘recon phase’, we will have a much better understanding when it comes time to discover and utilize vulnerabilities. We anticipate that the information we gathered will allow us to further identify holes in the Bluetooth protocol that we can exploit. The recon phase is integral to the success of this project as it provides the groundwork upon which the vulnerability assessments and exploitations will be built around in the coming weeks.
Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at lcdi@champlain.edu. Also don’t forget to read our Blogs!