Saturday, 24 August 2013

Anonymize Bluetooth Devices On Linux Using hciconfig Utility

On Linux we can enumerate and configure Bluetooth adapters with a utility called hciconfig.

The complete manual for this utility is available by typing the following command in a terminal:

$ man hciconfig

In this tutorial I will cover only the commands that matter most from a security point of view.

Display Basic Info About Available Bluetooth Devices:

exploiter@exploiter:~$ hciconfig
 

Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: E4:D5:3D:F2:7B:66  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    RX bytes:1105 acl:0 sco:0 events:38 errors:0
    TX bytes:2088 acl:0 sco:0 commands:38 errors:0

Output Explained:


In the above output, the BD Address field is the important one from an information-gathering perspective: it is the address used for scanning with hcitool (my upcoming tutorial on hcitool will cover BD Address usage in more detail). The output also shows that the adapter is UP and RUNNING and that PSCAN is enabled. PSCAN (page scan) enabled means that the adapter answers pages from nearby Bluetooth devices, so they can find our adapter and connect to it. RX and TX are the bytes received and sent by hci0.

Display Info About A Specific Bluetooth Device:

exploiter@exploiter:~$ hciconfig -a hci0
 

Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    RX bytes:551 acl:0 sco:0 events:32 errors:0
    TX bytes:2070 acl:0 sco:0 commands:32 errors:0
    Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x87
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: 'ubuntu-0'
    Class: 0x6e0100
    Service Classes: Networking, Rendering, Capturing, Audio, Telephony
    Device Class: Computer, Uncategorized
    HCI Version: 3.0 (0x5)  Revision: 0x2f9
    LMP Version: 3.0 (0x5)  Subversion: 0x4203
    Manufacturer: Broadcom Corporation (15)

Output Explained:

hci0 is the Bluetooth adapter on our system; it may be hci0, hci1, and so on. If you do not give an hciX in the following command, it prints all information about every adapter on the system. This output shows the adapter's name; here our adapter is using the OS host name as its own name. We will change this so that nobody can enumerate information about our adapter from it. Class is a 24-bit value (6 hex digits) that identifies which hardware class a Bluetooth device belongs to, e.g. 0x78020c is the class of a phone/smartphone and 0x6e0100 the class of a computer.
In this tutorial I will show you how to change your device name and class to fool other people or Bluetooth scanners.


Display Features Of A Specific Bluetooth Device:

exploiter@exploiter:~$ hciconfig hci0 features

 
Output:


hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    Features page 0: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x87
        <3-slot packets> <5-slot packets> <encryption> <slot offset>
        <timing accuracy> <role switch> <hold mode> <sniff mode>
        <park state> <RSSI> <channel quality> <SCO link> <HV2 packets>
        <HV3 packets> <u-law log> <A-law log> <CVSD> <paging scheme>
        <power control> <transparent SCO> <broadcast encrypt>
        <EDR ACL 2 Mbps> <EDR ACL 3 Mbps> <enhanced iscan>
        <interlaced iscan> <interlaced pscan> <inquiry with RSSI>
        <extended SCO> <EV4 packets> <EV5 packets> <AFH cap. slave>
        <AFH class. slave> <3-slot EDR ACL> <5-slot EDR ACL>
        <sniff subrating> <pause encryption> <AFH cap. master>
        <AFH class. master> <EDR eSCO 2 Mbps> <EDR eSCO 3 Mbps>
        <3-slot EDR eSCO> <extended inquiry> <simple pairing>
        <encapsulated PDU> <err. data report> <non-flush flag> <LSTO>
        <inquiry TX power> <EPC> <extended features>
    Features page 1: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Output Explained:

 
In this output, all features supported by the Bluetooth adapter are shown.

Spoof Bluetooth Name And Class:

exploiter@exploiter:~$ sudo hciconfig hci0 name 'exploiter-z' class 0x78020c
exploiter@exploiter:~$ hciconfig -a hci0


Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    RX bytes:2505 acl:0 sco:0 events:60 errors:0
    TX bytes:3878 acl:0 sco:0 commands:57 errors:0
    Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x87
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: 'exploiter-z'
    Class: 0x78020c
    Service Classes: Capturing, Object Transfer, Audio, Telephony
    Device Class: Phone, Smart phone
    HCI Version: 3.0 (0x5)  Revision: 0x2f9
    LMP Version: 3.0 (0x5)  Subversion: 0x4203
    Manufacturer: Broadcom Corporation (15)

Output Explained:

You can see in the output that the name and hardware class of our Bluetooth device are spoofed. A scanner will now consider us a smartphone.

Disable PSCAN AND ISCAN To Make Yourself Invisible To Bluetooth Devices:

exploiter@exploiter:~$ sudo hciconfig hci0 noscan
exploiter@exploiter:~$ hciconfig

 

Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING
    RX bytes:2788 acl:0 sco:0 events:64 errors:0
    TX bytes:3891 acl:0 sco:0 commands:61 errors:0

Output Explained:


In the first command we passed the noscan parameter for hci0. Checking the hci0 configuration again, the device is still UP and RUNNING but PSCAN is no longer enabled. You are now invisible to other Bluetooth devices. Note that noscan disables both page scan and inquiry scan; ISCAN (inquiry scan, which is what makes an adapter discoverable) was not set in any of the outputs above, so the change visible here is the loss of PSCAN, which stops the adapter answering connection requests as well.
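As an added example (not part of the original post), here is a small Python script that decodes a Class of Device value the way hciconfig does, for the class explanation earlier in this post, and reads an adapter's state line for PSCAN/ISCAN, for the noscan check just above. The sample output and the helper names are my own construction, and the minor-class tables cover only the Computer and Phone majors used in this post.

```python
import re

# Major service class bits 13-23 of a format-type-0 Class of Device (CoD).
SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}
MAJOR = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
         4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
         9: "Health", 31: "Uncategorized"}          # major device class, bits 8-12
# Minor device class, bits 2-7; its meaning depends on the major class, so only
# the two majors this post deals with (Computer, Phone) are tabulated here.
MINOR = {1: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server", 3: "Laptop",
             4: "Handheld PC/PDA", 5: "Palm-size PC/PDA", 6: "Wearable computer"},
         2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smart phone",
             4: "Wired modem or voice gateway", 5: "Common ISDN access"}}

def decode_class(cod):
    """Split a 24-bit CoD into (service classes, major class, minor class)."""
    if cod & 0x3:                 # bits 0-1 are the format type; only 0 is defined
        raise ValueError("unsupported Class of Device format type")
    services = [name for bit, name in sorted(SERVICE_BITS.items()) if cod >> bit & 1]
    major, minor = (cod >> 8) & 0x1F, (cod >> 2) & 0x3F
    return services, MAJOR.get(major, "Reserved"), MINOR.get(major, {}).get(minor, "Unknown")

def audit_hciconfig(text):
    """Parse `hciconfig -a` output and report what each adapter advertises."""
    report = {}
    for block in re.split(r"\n(?=hci\d+:)", text.strip()):
        dev = block.split(":", 1)[0]
        # The state line is the only line made solely of upper-case words.
        m = re.search(r"^\s*([A-Z]+(?: [A-Z]+)*)\s*$", block, re.M)
        flags = m.group(1).split() if m else []
        name = re.search(r"Name: '(.*)'", block)
        cod = re.search(r"Class: (0x[0-9a-fA-F]+)", block)
        services, major, minor = decode_class(int(cod.group(1), 16)) if cod else ([], None, None)
        report[dev] = {"name": name.group(1) if name else None,
                       "connectable": "PSCAN" in flags,   # answers page scans
                       "discoverable": "ISCAN" in flags,  # answers inquiry scans
                       "services": services, "device": (major, minor)}
    return report

# Constructed sample modelled on the spoofed adapter shown in this post.
SAMPLE = """hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    Name: 'exploiter-z'
    Class: 0x78020c
"""
```

Feed it the real output with `audit_hciconfig(subprocess.check_output(["hciconfig", "-a"], text=True))` to see which adapters are still connectable or discoverable after a noscan.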

UP, DOWN or RESET A Bluetooth Device:

exploiter@exploiter:~$ sudo hciconfig hci0 reset
exploiter@exploiter:~$ hciconfig hci0 -a


Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    RX bytes:3401 acl:0 sco:0 events:101 errors:0
    TX bytes:4535 acl:0 sco:0 commands:98 errors:0
    Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x87
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: 'exploiter-z'
    Class: 0x6e0100
    Service Classes: Networking, Rendering, Capturing, Audio, Telephony
    Device Class: Computer, Uncategorized
    HCI Version: 3.0 (0x5)  Revision: 0x2f9
    LMP Version: 3.0 (0x5)  Subversion: 0x4203
    Manufacturer: Broadcom Corporation (15)

Output Explained:
 

You can see that our device's hardware class is back to Computer from Phone/Smart phone, and UP RUNNING PSCAN is back too: the device has been reset. Note that in this output the spoofed name 'exploiter-z' survived the reset while the class reverted to 0x6e0100, so check both fields after a reset.
Similarly, up or down can be used instead of reset to bring the device up or down.


Blacklist The BD Address (MAC) Of A Device:

exploiter@exploiter:~$ sudo hciconfig hci0 block XX:XX:XX:XX:XX:XX

Now the device with BD Address/MAC address XX:XX:XX:XX:XX:XX is blocked for hci0. To unblock it, simply replace block with unblock.
