Bluetooth technology is often overlooked by security experts and bug hunters compared to other protocols. The highly selective and fragmented nature of Bluetooth-based devices means that some may never issue secure updates.
It will take weeks or months for some product manufacturers to apply updates to the software code, while others may never release security updates.
For this reason, there can be a large number of vulnerabilities in Bluetooth, where BlueBorne can only be the tip of the iceberg.
In the third part of the series Bluetooth Hacking, we will see how we can access victim's device with BlueBorne app.
Let's start!
The first step of course is to have an unpatched device. I will be using an older LG phone that I have in my lab just for this purpose.
Of course, you will need a BlueTooth adapter to communicate with your target. There are several BlueTooth adapters that are compatible with Linux, but I will use one from Pluggable which is Plug-n-Play compatible with our Kali Linux operating system.
Next, we need to install the dependencies on our Kali.
kali > apt-get install bluetooth libbluetooth-dev
kali > pip install pybluez
kali > pip install pwntools
Although Armis developed these exploits, it has not made them public. Fortunately, a security researcher developed a python script based on Armis's. You can find it on github.com. Just download it to your system as we will see below.
kali > git clone https://github.com/ojasookert/CVE-2017-0785
After you download it, you'll see a new directory created, CVE-2017-0785.
You will see a README.md file and the python script CVE-2017-0785.py. Of course we are interested in the second one and we will run it.
kali > cd CVE-2017-0785
kali > chmod 755 CVE-2017-0785.py
Now that we have our dependencies and installed the Python script successfully, all that's left is to get the MAC address of our target, as I showed in BlueTooth Hacking, Part 2, we can scan for BlueTooth devices with hcitool.
kali > hcitool scan
This utility will search for all available BlueTooth devices within range.
Now, we have everything we need to exploit the BlueTooth device and extract the files from its memory. To run the exploit, we simply type python, the name of the script and TARGET= followed by the mac address of our target.
kali > python CVE-2017-785.py TARGET=
Our program exploited the target and got the first 30 bytes from memory! Of course, we can edit the script to get even more memory than our target.
somewhere here we reached the end of the third part. Stay tuned as the fourth and final part of our BlueTooth Hacking guide series is coming soon.
nice job