Android Bluetooth Hacking

Captions
In this video I'm going to show you how to hack an Android phone using a zero-click Bluetooth vulnerability. In this example I've got a Raspberry Pi 5 running Kali Linux. I've simply connected the monitor to the laptop so we can see on screen what's happening on the Raspberry Pi. Okay, so on the Raspberry Pi I'm going to use the command python3 blueducky.py; that's the Python script that allows us to attack the phone. We're asked to enter the MAC address. I'm going to press enter so that the MAC address can be scanned. Previous MAC addresses that were discovered are stored in a file, so we can either go and rediscover devices or use a device that was previously discovered. In this example I'm going to attack device 4, a OnePlus 7T, so I'm going to say yes, and the device that I want to attack is number four. Now we're asked: is this the MAC address that we want to attack? And the answer is yes. Now various scripts could be used; in this example I'm going to select two, which is payload example 4, and notice what happens on the phone. Commands are now being sent to that phone, and what you'll notice is that I've been able to Rick Roll you by sending commands to the phone through Bluetooth from the Raspberry Pi. This is a HID-type attack where we are sending keystrokes to the phone through Bluetooth as if we had a keyboard connected to the phone. This attack cannot be stopped on older Android devices, so if you have an Android 10 device or earlier you can't stop this type of attack. If you've got an Android 11 device you can use a security patch to stop this, or you need a later version of Android, so a modern device using Android 14 as an example will not be susceptible to this attack. However, there are many devices out there running older versions of Android; not everyone has the latest and greatest phone, so people with older devices can't stop this attack. I'll list the CVE below this video in more detail, but I actually interviewed OccupyTheWeb about this attack and he explained more information about it: how to install the software, how to set this up and how to get it running.

It's a very simple attack. In this example I'm using an Asus Bluetooth adapter, which I'll link below, for this attack. Other people have used the built-in Bluetooth adapter in a Raspberry Pi 4; it didn't work for me for a Raspberry Pi 5, but there are various adapters available out there that you could test this attack against. Now, as always, do not attack devices that you don't own or have permission to attack. In this example this is my Android phone, this is my Raspberry Pi 5; I have given myself permission to attack my own device to show you the issues with older versions of Android. Unfortunately, in life today you need to update your devices when security vulnerabilities like this are discovered; you need to upgrade your version of Android. Not all Android devices can be updated, unfortunately, which means that if you are concerned about this problem you need to buy a new device or turn off Bluetooth on your device whenever possible. Okay, so without further ado, let's talk to OccupyTheWeb and he can explain more details about this attack.

I really want to thank Brilliant for sponsoring this video. Do you know how technology works? As an example, how strong passwords work: should you be using an alphanumeric password, or just passwords with digits in them, or passwords with alphanumeric plus special characters? But do you actually know why, and do you know what a difference it makes when you change your password length? As an example, Brilliant has this interactive course that shows you how strong passwords work. It also has other fantastic courses here, like teaching you how wireless communication works, or how GPS works, or how recommendation engines work. Now you can get access to all the courses on Brilliant's website for free for 30 days using my link below, brilliant.org/davidbombal. You'll also get 20% off an annual premium subscription. I really believe that education changes lives and I want to thank Brilliant for putting together such fantastic courses but also for supporting my channel.

Today we're going to work on a recent vulnerability in the Bluetooth stack that allows an outsider to be able to inject commands into Bluetooth, all right, so inject commands through Bluetooth into the system. And this particular vulnerability, let's see, there's actually like four vulnerabilities that came out in December, so they're pretty recent, they're only a few months old. It's CVE-2023-45866, and that's the basic CVE. It actually applies to any Bluetooth device; the scripts to be able to inject commands are slightly different, so we're going to be working with the Android one, which I think might be the most interesting one, because despite what people might think, Android makes up about 80% of all of the mobile devices on the planet. You know, I often hear people say, oh, it's like half Apple and half Android. Like if you live in the US, yeah. Yeah, if you're in the US, maybe, and maybe in other industrialized nations, but in the world most phones are Android. So let's focus on most devices, which are Android devices. There's lots of other flaws that we can address in the iPhone, but this one we're going to talk about in Android, and this one allows us to go in; it's a zero-click attack against Bluetooth. Now Bluetooth has a range of usually about 100 meters, okay, so you can connect to devices within 100 meters, but it is possible with proper antennas and a repeater that people have gotten Bluetooth to extend as much as a kilometer, right? So that's, in English terms, what's that, six tenths of a mile, right? So it's a good distance if you wanted to attack these systems, but generally it's going to be 100 meters, which means your office, your home, your school, okay, maybe your neighborhood, your neighbors. That's about as far as you can go. It's interesting that, after... well, maybe I should leave this to later, but one of the things, many years ago, I guess it's maybe 10, 12 years ago, I had a company in Las Vegas come to me and they said, what we'd like you to do is we'd like you to send an advertisement to everybody's phone who passes this corner, through their Bluetooth device, through their phones. And if you've ever been to Las Vegas, and I know you have, right, there's thousands of people walking down the street, and as you walk down the street there's people trying to bring you into a hotel or a bar or strip club or whatever it happens to be, right? And so this company approached me and said what we want you to do is to send an ad to everybody's phone to bring them into our place. And I told them no, but after I was working with this particular exploit, this would have been perfect for that, because what we can do is we can send that phone to their website; we can inject commands into their phone to open up the website of whoever you want to sell the product to. So let's kind of keep that in mind. It can be used for advertisement, it can be done maliciously, lots of things that it can be done for.

Could you download malware? So by sending them to a website, get something downloaded to the phone?

Well, what you can do is you can send them to a website, right, and then of course once they're in a website, then you can go ahead and have them click on a link, what have you. But you can only send the URL to their phone; you can't necessarily inject... but you can inject commands into the phone. You know, like if you really wanted to be malicious you could inject an rm -rf right into the phone and wipe everything out on the entire phone, right? This would be very malicious, right, so all of a sudden people open up their phone and it's a brick. But what we're going to do today is we're going to just send them to a website that everybody wants to go to, and that's Hackers-Arise.

Well done. So we're not doing anything malicious; we're actually doing something really beneficial for them. We're taking them to the site that everybody should be at, right? I love it. So let's get started with this then, and it takes a few steps, right? But one of the things that you've got to keep in mind is that Bluetooth has been around for, I guess now, 25 years. I think it came out in 1999, and it's a protocol that's designed to basically connect what's often referred to as a piconet, or a small network, okay, a very small network. 100 meters is a pretty big piconet, and the specification says that it has to reach at least 10 meters, but most developers will build in greater range than that just because they want it to be able to connect easily. So let's go ahead and do a few downloads, and one of the key downloads is a library that's available to us on GitHub. It's called BlueZ, because that's the first thing we need to do, is get this. To do any kind of Bluetooth hacking you really need this library of Bluetooth tools, and it's called BlueZ. Those people who've taken my classes or read some of my books will see that I've used this in the past, but people underappreciate how important Bluetooth is and what an important vector it might be into the mobile device. I mean, there's a lot of attention given to things like Pegasus, which is a zero-click exploit to iPhones and other phones, okay, but primarily for iPhones, and that's a very high-level exploit. These Bluetooth exploits are generally pretty simple and easy to implement. And everybody has Bluetooth on their phones, their devices, or speakers, or TVs, your cars, all right? You probably connect your Bluetooth in your car. Bluetooth is everywhere, so it's one that I think needs to be given additional attention.

So we're going to go to GitHub. All right, I have all of these tools already installed, but I just want to give the viewers the URLs. PyBluez, okay, so there it says it already exists; I've already installed it. Okay, so once we have this installed, this has a lot of tools that we need to do reconnaissance and other things on Bluetooth. So if you go ahead and download it, you've just got to cd to PyBluez. Let's make sure... so you can see it's right here, here's the directory that it's created, so we want to go there. All right, PyBluez, let's take a look inside there, and there's a bunch of tools in here, and there's really a lot. We're just going to scratch the surface of what you can do with this particular tool, but then you need to go ahead and do the sudo python3 setup; you can see the setup right here, all right, setup.py install, right, and then we'll go ahead and go through the installation script. All right, good. So then once we have this there's a number of tools that are built into here, and one of them, probably one of the most important ones, is hciconfig. I'm going to go ahead and clear my screen. We all know ifconfig in Linux, right, or ipconfig in Windows, which shows us all of the interfaces. There's also a similar tool in BlueZ that shows us all of the interfaces and enables and disables the interfaces, and it's called hciconfig. And so what we need to do first is that we need to go ahead and enable the Bluetooth device. I've got an external one; this is not using the native Bluetooth. I've purchased an external Bluetooth device, and this is a virtual machine. So what I'm going to do here is, first of all, I'm going to take it up, I'm going to enable it, all right, that's the terminology. Go hciconfig, all right, and it's very similar to in Linux where you go ifconfig eth0 up, okay, or with ip, eth0 up. Let's go hci... I'm assuming that's the name of my device, hci, so it's either hci1, hci0, hci2. Okay, looks like it's up.

What's the device that you're using then? It's an external Bluetooth adapter; is it a specific... can you give us the brand or the specific one?

I think this one's Panda, all right, but the key is the chipset, Cambridge Silicon Radio. I found that these chipsets work best for this type of work. And then if I go lsusb, okay, I can see it right here: it's a Bluetooth dongle in HCI mode. Then what I can do is, if I want to go ahead and search, for instance, for all of the Bluetooth devices in my range, what I can do is, as part of this suite of tools, I can use sudo... there's a tool called hcitool, and it's scan. So let's see; this will allow me to see which Bluetooth devices are within range and are accessible to me. It's kind of like doing maybe a ping scan or an nmap scan, where you're going out to see what devices are out there and which ones are available to you. We'll go ahead and run this and see which ones... we probably should pick up some of my neighbors' machines as well. Let's see, here they come. Oh, okay, looks like... oh, we got a Galaxy Note 10 there, we got a speaker system, we got, looks like, a TV, looks like my neighbor's TV. Let's try it again and see if we can pick up any more. Notice that these are MAC addresses of those devices, and that's really what we need to be able to... remember, MAC addresses are globally unique. Oh, only picked up two this time; the Galaxy Note is not... so one of the things that you'll find is that if you run this tool, it'll pick up some sometimes and not at others, but all you need to know is the MAC address, okay, so even if it doesn't pick it up, if you've got the MAC address you're good. Looks like we have the MAC address of a few devices here.

Is there a specific phone that you're looking to attack, or specific device?

This one right here, this is a Galaxy Note 10, it's pretty new. Yeah, I'm just kind of... yeah, taking it out. Yeah, I've got... oh, we have four of them this time, see? So once again, this is how we find the Bluetooth devices that are out there. We can get a lot more information about the device by taking the MAC address and then going ahead and putting it into a tool called sdptool. I'm going to use sudo sdptool browse. I think a lot of folks don't recognize that there's a lot of differences between Bluetooth devices, and we can pick up a lot of that information. So what we've done is we've gone into the device to find out all its capabilities. This is part of... if you're trying to hack a system, the more you know about it the better. And one of the things that's maybe not that well known, but you and I did talk about a little bit in an earlier video, is that one of the classes of Bluetooth devices is a human interface device, a HID, yeah, okay. So a human interface device is a Bluetooth keyboard or a Bluetooth mouse. So if I can connect to your Bluetooth device and present myself as a keyboard, then I can inject commands, and that's essentially what this particular tool does: it allows you to authenticate against the Bluetooth and then, once you've authenticated, inject commands into it. So this kind of basic Bluetooth reconnaissance that we've done this far, you can learn a lot about... this is an Android network access point right there, okay, tells us a lot about what it is. This is an Android Note 10, so it's pretty new; it's not latest greatest but it's pretty new, and it's unpatched. So we've got a few more things. That's kind of basic Bluetooth reconnaissance, okay; that would be the first thing you need to do before you go any further. I'm going to clear my screen and we're going to install a few more tools. All right, here's a bunch of the dependencies that you need; I'll put them on the screen. So often times when we're using a new tool we have to go ahead and get all of the libraries that are necessary. That's what these are; these are just libraries that are necessary for our tool to work. All right, you see it's already the latest, already the latest, already installed. All right, then we have to go and do a couple more things and then we can get started here. First of all, we're going to have to go ahead and do a couple more commands before we can actually get our tool to work. This is going ahead and installing, in this case it's going to be the bdaddr, Bluetooth addr, BlueZ. All right, let's go ahead and hit that. It already exists, it's not an empty directory, it tells us. And then we're going to have to go ahead and compile that on our machine, so we're going to use gcc to compile. I'm just going to copy and paste and compile it, and then we're going to go ahead and copy, okay, sudo cp, copy bdaddr to, where else but, /usr/local/bin. Why /usr/local/bin? Because that is in the path directory; that means that we can then use it from any place on our system, because it's going to be in the path. If you don't understand paths, go ahead and, I think it's chapter eight in Linux Basics for Hackers, take a look at that. And then the last step, okay, before we get started, is to go ahead and install a tool called BlueDucky. BlueDucky is simply an implementation of a proof of concept that was developed, and they just put it into a nice, easy-to-use Python script that we can attack these systems with, and there it is right there, BlueDucky, from a group called pentestfunctions. Let's go ahead and hit enter, and we're good. Now let's go ahead and cd into BlueDucky, yeah, and take a look inside there, okay, and there's our BlueDucky right there. There's some payloads in here; payloads are what you can go ahead and inject into the system. Now one of the things that I found in using this is that, depending upon what your Bluetooth adapter's name is, right, remember mine is hci0 or hci1, a lot of times mine will come up as hci1. This particular tool is designed to use hci0, okay, so if you wanted to change it, I'll show you how to do that. The first time I used it I had to do this, and now I might have to change this one back, okay. But let's go ahead and sudo, okay, mousepad, and then we'll go BlueDucky; I'm just going ahead and opening it up in a text editor, blueducky.py. All right, here is the script. If we scroll down a little bit, it's like 700 lines or something like that, the script, so it's a pretty sophisticated script. Let's see, it's right... okay, here's the payloads, and there it is right there: it defaults to hci0. So if you've installed your Bluetooth adapter and it comes up as hci1, which mine did initially, then you're going to have to change this to hci1. It's not a big deal, but you can just go ahead and change it to one, save it; you're going to have to open it up as root using sudo, and once you've done that, then it'll use whatever adapter that you want to use. All right, so that's done.

You changed it, right?

I did not change it. I left it, at mine this time, on this machine, right? I think the first time I did it on another machine and my adapter was recognized as hci1, so that's why I put that in there, because I know that on one of my machines it came up as hci1. Usually the very first device should come up as hci0 and the second one hci1, and it might have been, I don't remember, but it might have been that I had another Bluetooth device in there.

Yeah, all right, and so the second one's going to be hci1.

Let's go ahead and... you can see that we don't have permissions here, okay, blueducky.py. Let's go ahead and give ourselves permissions to use it, and let's see, I'm going to go 755, that's kind of my standard, all right, and so now it should look good. All right, now let's go sudo, all right, and python3 blueducky. I think the name is a play on Bluetooth and Rubber Ducky. Rubber Ducky, right, so it's kind of like a Rubber Ducky, but it's remote and it's zero-click, right? So let's go ahead and run it. There it is; it says what is the target address, okay, leave blank and we'll scan for you. So if we don't know the target address... I do have it because I already did scan, but let's go ahead and just assume we don't have it, all right, and see if it can find our devices, and then once we find the devices we can just go ahead and select which device we want to go ahead and hack. Let's go ahead and hit enter. So what it's doing is it's using BlueZ to go ahead and scan for all the Bluetooth devices in the area, and so you can see we have an Android device right here. It says do you want to use one of these known devices? Yeah, I do want to use one of those. Enter the number of the device: one. And yes, I want to use the first payload. Yes. Beautiful, all right, that's right, okay, and my phone just opened up to hackers-arise.com. All right, here's the... okay, processing string hackers-arise; it sent that string, opened up everybody's favorite website, and if you give me a second I will take and do a screenshot, okay, to show you that it opened up on my phone, on this phone. Give me a second to get it into the system here, and there it is. Nice. And so this is a screenshot of my phone. As you can see... that's our eighth anniversary. I probably should have said this at the start: this is our eighth anniversary, so we're having a big sale, and that's what comes up, that's the drop-down ad. For those of you who don't like ads, I apologize, but that's real life, and that's the drop-down menu. If you're on our website and you see this, don't fret; just simply click anywhere on the screen and the ad goes away. I've had lots of people say, oh, I can't read your tutorials because there's an ad in the way. Well, click away from it and the ad goes away. But in any case, when we're doing this recording we're in our eighth anniversary birthday celebration, and so we're offering 25% off, so that's why that drop-down menu. But you can see how powerful this is, is that I can send any commands into the phone. In this case what we did is we sent them to a website; you can send them to any website you want. You can imagine that things could get malicious here, or they could be a way of advertising. I can imagine... I don't want to get too deep into here about what people could do with this, but just be creative and think about it; there's lots of things that you can send directly in. Now this is on unpatched Android phones. The older phones, okay, before Android 11, cannot be patched, all right, so it applies to unpatched Android 11 and the future revisions, right, and then the ones before Android 11 cannot be patched, right. So there's a lot of phones that are going to be vulnerable to this type of attack. This is a zero-click attack; I didn't have to touch anything. I connected to the phone from, in this case, I'm working from my Kali system. It could be put into your phone and make it mobile and then connect to Android devices. In this case, Android devices; there's also a script for Linux and for Mac and for Windows. In this case it's Android, and send whatever commands you want into that system. We just did it by simply injecting a website into their phone, and then their phone opens up to the website. So I think it's a really interesting development in the recent last couple of months. So this came out... the original vulnerability came out in December, and then the proof of concept came out in January, and then this BlueDucky came out, I don't know, a couple of months ago or so. So there's a lot of possibilities that one can use this for, but I think it also highlights that Bluetooth is an underappreciated attack vector into the mobile device, right? It has a lot of vulnerabilities, and that's why we've decided to offer a class specifically on Bluetooth vulnerabilities and attacks.

Versions, so did you say prior to version 11 it can't be patched, but after version 11... so all the latest, if I have Android 14 I could still be vulnerable to this?

You could be if it's unpatched, right? So if you've never allowed for the security updates, then it's going to be unpatched. Those older phones cannot be patched, yeah. So if you're in an area where people are using older phones, and often times with Android people keep phones around a long time, those systems cannot be patched and you can simply inject commands directly into them.

It's a great example of why you should keep your stuff up to date if you can.

Exactly.

Why you don't want to have old devices necessarily. Sorry, go on.

Yeah, I think it points out why security updates are so important, because these things are coming up all the time. There's constantly new vulnerabilities found and the developers are constantly putting out new patches. We've seen in the last couple of months a lot of vulnerabilities come up from a variety of devices, including firewalls, right? People are connecting to the firewalls and disabling them, so there's all kinds of... so you need to keep these up to date. Of course, for a zero day there's not a whole lot that you can do, but as a minimum, as a security engineer, your responsibility for the organization is to keep it as safe as possible. One of the things you need to do is make sure that things are patched, right? But patching often times creates its own problem, so this is why a lot of firms have their own patching team that does it, because sometimes patches can break systems. So before you go ahead and roll out a patch on all of your systems, test it first, right? For the individual that's probably not going to be realistic, but often I find with individuals sometimes people will put off patching because they don't want to go through the downloads and wait for it. So there's... I haven't tested, but I'll bet you there's millions of phones that this is going to work against that are unpatched.

So this was for Android, but you said there's Bluetooth attacks for Linux and Windows and other operating systems, right?

There is. There is a separate proof of concept out there against Linux, macOS and Windows. So really the vulnerability is in Bluetooth, right, but there are slightly different scripts to be able to exploit Bluetooth on those devices.

Yeah, I think for a lot of people, OccupyTheWeb, neighbors are making a lot of noise with their speakers, right? So I think a lot of people... I'm not suggesting anyone do that, but if it's possible for someone to, like, hack their speakers and destroy them, then the music stops, right?

Well, you could. I mean, I haven't tried this, but I think that you could basically... you can send any command into the system, right, and assuming it's a Linux system, you could send something in, you know, to shut down for instance, or rm -rf. Those of you who are Linux aficionados know what that'll do; it'll basically wipe out the entire operating system. So those are all possibilities, but this particular script, BlueDucky, only works against Android. But there are other proofs of concept out there for Linux, Mac and Windows, which you could use to inject commands, so there's a lot of possibilities here, right? And there's so many Bluetooth-connected devices. I mean, think about it: in your home, how many devices are using Bluetooth? One of the things, talking about knocking out the speakers, one of the things that we've done is to be able to use an SDR, a software-defined radio, to jam a Bluetooth speaker. So remember, not always, but often times these speakers are Bluetooth speakers, right? Yeah, and they're taking a 2.45 GHz message, the same as, you know, the Wi-Fi, same frequency, and actually the same frequency as Bluetooth as well, and you can send out a jam signal and break up that signal. It doesn't stop it entirely; what it does is it garbles it, so that the person who's trying to blast their music next door is not going to get something that's pleasant; they're going to get something that's very disconcerting.

I think we should get you back to do that one.

Okay, we'll plan on doing that one, so we can put on some really pleasant music and then basically send in a lot of noise between the Bluetooth device that's sending the music to the speaker. So we can put in a bunch of garbage in between there, and what you end up with is a mess, music that's very unpleasant to listen to.

HackRF will work at 2.5 GHz and it can send a signal, so yes, it works with that?

It'll work with... in my case here I was using the Lime Mini to do it, but I haven't tried it with the HackRF. I'll try it with the HackRF and maybe we can do that in a future...

That's great.

And you'll see that the music just becomes a bunch of garbled mess, and so the person who is being obnoxious to all their neighbors by blasting their music is going to get very unpleasant sounds coming out of their speakers, because what you do is you're just sending in a bunch of random inputs into their device, into the stream between their devices, and so they get some of the music but not all of it, and it becomes a bunch of very unpleasant sounds.

Everyone watching, let us know if you want to see that. I think it'll be fun. Obviously I don't recommend that you do that, but it's just to show you the vulnerabilities in this technology. Will YouTube allow us to do that? Would that be something that will break your...

We'll take some classical music or something that's non-copyrighted.

So, by the way, we can't end the video without showing you books. I've had this book on display for the entire video, so hopefully someone noticed that. But you're also the author of Linux Basics for Hackers, so for everyone watching, we have done... we're still hoping to complete it, but we've done quite a few videos on this book, so I've linked that below, and also Network Basics for Hackers, which I love. OccupyTheWeb, got to get you back for more videos on perhaps more Linux, more networking basics, and also Becoming a Master Hacker, and let's do some SDR.

As you know, some of these SDR... I think this is a really underappreciated area, being able to hack radio signals, which, when people hear hacking radio signals, they think of the music player in their car or in their home, but so many of the devices in our world use radio for communication.

We've got a lot to cover, man. So thanks again for sharing, OTW. Really appreciate you coming on the channel and freely sharing your knowledge. I think sometimes in the past people have hoarded their knowledge, but I really appreciate you sharing. Thanks so much.

Thanks for having me, David.

I hope you enjoyed this video. If you did, please like it and please consider subscribing to my YouTube channel. I'm David Bombal and I want to wish you all the very best.
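The video's practical takeaway is a triage rule: Android 10 and earlier get no fix for CVE-2023-45866, Android 11 and later are only safe once the December 2023 security update is installed. The Python below is an added example (not code from the video, not BlueDucky, not from Hackers-Arise) that turns that rule into a check over the build properties `adb shell getprop` prints; it assumes the fix ships with security patch level 2023-12-05, and the sample getprop output is constructed.

```python
"""Classify an Android device's exposure to CVE-2023-45866 from build props.

Added example for defenders doing fleet triage. Assumptions (not from the
video): the fix is carried by Android security patch level 2023-12-05, and the
getprop property names below are the stock ones.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Assumption: first security patch level that contains the CVE-2023-45866 fix.
FIX_PATCH_LEVEL = date(2023, 12, 5)
# From the video: Android 10 and earlier receive no fix at all.
LAST_UNPATCHABLE_MAJOR = 10

# `adb shell getprop` prints one "[key]: [value]" pair per line.
_GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(output: str) -> dict[str, str]:
    """Parse getprop output into a dict; lines that do not match are ignored."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


@dataclass(frozen=True)
class Verdict:
    status: str  # "unpatchable" | "needs_update" | "patched" | "unknown"
    reason: str


def _major_version(release: str) -> int | None:
    """'8.1.0' -> 8, '14' -> 14, anything else -> None."""
    m = re.match(r"(\d+)", release)
    return int(m.group(1)) if m else None


def _patch_date(level: str) -> date | None:
    """Security patch levels are YYYY-MM-DD; reject anything else."""
    try:
        return date.fromisoformat(level)
    except ValueError:
        return None


def classify(props: dict[str, str]) -> Verdict:
    """Apply the video's rule: <=10 unpatchable, >=11 needs the Dec-2023 level."""
    release = props.get("ro.build.version.release", "")
    major = _major_version(release)
    if major is None:
        return Verdict("unknown", f"unparseable release {release!r}")
    if major <= LAST_UNPATCHABLE_MAJOR:
        return Verdict("unpatchable",
                       f"Android {major}: no fix available; keep Bluetooth off")
    level = props.get("ro.build.version.security_patch", "")
    patched_on = _patch_date(level)
    if patched_on is None:
        return Verdict("unknown", f"Android {major}: patch level {level!r} unreadable")
    if patched_on < FIX_PATCH_LEVEL:
        return Verdict("needs_update",
                       f"Android {major} at {level} predates {FIX_PATCH_LEVEL}")
    return Verdict("patched", f"Android {major} at {level}")


# Constructed sample getprop output for three devices (not real captures).
SAMPLE_OLD = ("[ro.build.version.release]: [10]\n"
              "[ro.build.version.security_patch]: [2022-03-05]\n")
SAMPLE_STALE = ("[ro.build.version.release]: [12]\n"
                "[ro.build.version.security_patch]: [2023-09-05]\n")
SAMPLE_CURRENT = ("[ro.build.version.release]: [14]\n"
                  "[ro.build.version.security_patch]: [2024-04-05]\n")


if __name__ == "__main__":
    for name, text in (("old", SAMPLE_OLD), ("stale", SAMPLE_STALE),
                       ("current", SAMPLE_CURRENT)):
        v = classify(parse_getprop(text))
        print(f"{name}: {v.status} ({v.reason})")
```

On a real device, feed it `adb shell getprop` output; a "needs_update" verdict means the phone can be fixed by installing updates, while "unpatchable" means the only mitigation the video offers is replacing the device or keeping Bluetooth off.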
Info
Channel: David Bombal
Views: 115,675
Keywords: android, samsung, pixel, google, apple, windows, microsoft, linux, keyboard, ducky, bluetooth, blue tooth, flipper zero, iphone, iphone 15, google pixel, ble, crash, hack iphone, hack android, ios, iphone bluetooth, wifi hacking, flipper zero wifi, wifi, cybersecurity, scanner, hacking, ethical hacking, hacker, wi-fi, wpa2, wireless security, wifi flipper zero, hack, kali linux, wifi deauth, phone, bluetooth iphone, flipper zero ble, bluetooth flipper zero, python, raspberry pi, pi, pi blue tooth, asus
Id: IevVEUzXA30
Length: 35min 14sec (2114 seconds)
Published: Sun May 12 2024