Graduate Operating SystemsGraduate Operating SystemsMini-Project:Mini-Project:

Hacking Bluetooth In Linux

Alan Joseph J Caceres

Overview

• Hacking Bluetooth in Linux

• Modifying Linux Bluetooth stack to pass a sequence of bytes to a device in order to establish a connection.

Introduction to BluetoothIntroduction to Bluetooth

3

• What is Bluetooth?– Form of wireless communication

– Short-range

– Connect multiple devices

– Low data rate compared to Wi-Fi

Introduction to Bluetooth

• Form of wireless communication– Similar to Wi-Fi (IEEE 802.11)– Uses short-wavelength transmissions within 2.4GHz

range in the public radio spectrum– A form of ad-hoc networking – It follows the IEEE 802.15 standard for Wireless

Personal Area Networks (WPAN)

Introduction to Bluetooth

• Short-range– Because of the short-wavelength used for

transmission; distance is limited– Low power device minimizes transmission distance

as well– Advantageous for creating Wireless Personal Area

Networks

Introduction to Bluetooth

• Connect multiple devices– Excellent for ad-hoc networking– Devices can create Piconets–Master / Slave devices can switch roles as needed.– Devices can range from headsets to keyboards

and mice to gaming consoles like Nintendo's Wii gaming console.

Bluetooth on Linux Linux distributions using the Linux kernel

2.4.6 and later implement the Open Source bluetooth stack BlueZ.

BlueZ provides different modules for the Linux platform to interface with various bluetooth enabled devices and services.

Bluetooth on Linux

For this mini-project we will be looking at the latest version of the BlueZ bluetooth stack; BlueZ 4.101.

How can we use a sequence of bytes to establish a connection between two bluetooth devices?

Checking out the source

In the BlueZ bluetooth stack there are many modules that are provided to assist in the “pairing” of various bluetooth devices.

Where do they store the passkey for these devices? It has to be in one of the modules.

A little info...

Bluetooth devices have a “master/slave” relationship.

When two bluetooth devices establish a connection between each other they communicate via their Media Access Control (MAC) address.

Master meet slave

After a connection between bluetooth devices have be established, the “master” device need only request the “slave” by its MAC address to initiate a connection if it becomes severed.

This feature is what I will be exploiting.

Hacking it

In the BlueZ bluetooth stack there is a file called hidd.c that performs the connection authentication and encryption.

There are specific functions within this class that use the struct bdaddr_t which is an unsigned int array.

Hacking it.

The unsigned int array within bdaddr_t has a size of 6. This is basically to hold the MAC address information in integer form.

A MAC address is basically six hexadecimal numbers. A call to the function str2ba() converts this into the bytes for the bdaddr_t struct.

Use the MAC

Knowing the MAC address of both bluetooth devices is all that is needed to perform a “pairing”.

By hard coding the MAC address of both bluetooth devices into the bdaddr_t src and dst variables this would allow the devices to stay permanently paired.

Use the MAC

An example would be seen in the request_authentication() method that has two bluetooth device addresses as parameters for source and destination address.

Removing these parameters or setting their default values to the devices' MAC addresses should immediately pair them when they are in range.

Tricky tricky

Some devices may have MAC addresses that do not play well with the bluetooth stack. This may be because they contain 00 as the beginning or ending part of the address.

They may also use a modified way of connecting to a host machine such as using the host machine's address reversed as the passkey.

Hard-coding may be a way to circumvent this kind of trickery.