1
00:00:06,610 --> 00:00:09,920
- Bluetooth as a protocol has been around for quite a while.

2
00:00:09,920 --> 00:00:13,840
Originally created, the specification created in 1994

3
00:00:13,840 --> 00:00:16,240
through a conglomeration of companies.

4
00:00:16,240 --> 00:00:19,860
We had Ericsson, IBM, Intel, Toshiba, and Nokia.

5
00:00:19,860 --> 00:00:21,650
They all came together looking for a way

6
00:00:21,650 --> 00:00:24,933
to transmit data wirelessly between devices,

7
00:00:25,960 --> 00:00:28,680
maybe a phone, maybe a laptop, maybe computer,

8
00:00:28,680 --> 00:00:31,380
whatever, they wanted to do wireless transfer of data.

9
00:00:32,230 --> 00:00:33,760
So they came up with Bluetooth.

10
00:00:33,760 --> 00:00:35,770
Specification 1994.

11
00:00:35,770 --> 00:00:38,310
The Bluetooth SIG or special interest group

12
00:00:38,310 --> 00:00:40,610
was formed in 1998.

13
00:00:40,610 --> 00:00:41,473
As of now, in the 2020s,

14
00:00:41,473 --> 00:00:43,040
As of now, in the 2020s,

15
00:00:43,040 --> 00:00:46,270
we are over 35,000 member companies

16
00:00:46,270 --> 00:00:49,380
as part of the Bluetooth special interest group.

17
00:00:49,380 --> 00:00:52,770
Any company can go and join the Bluetooth SIG.

18
00:00:52,770 --> 00:00:55,380
And with that, you receive a unique identifier

19
00:00:55,380 --> 00:00:56,970
for products that you create

20
00:00:56,970 --> 00:01:00,010
and you get to contribute to the Bluetooth specification

21
00:01:00,010 --> 00:01:01,363
if you so choose.

22
00:01:02,630 --> 00:01:05,760
Now, there's kind of two classes of attacks

23
00:01:05,760 --> 00:01:07,220
when it comes to Bluetooth.

24
00:01:07,220 --> 00:01:08,600
There's the old school stuff

25
00:01:08,600 --> 00:01:11,540
and now, there's the Bluetooth 4 and 5 stuff.
26
00:01:11,540 --> 00:01:13,890
So, in the old school category,

27
00:01:13,890 --> 00:01:16,360
this is when we had, you know, the early 2000s,

28
00:01:16,360 --> 00:01:18,100
we had the cell phones that could like,

29
00:01:18,100 --> 00:01:21,200
transmit a contact card via Bluetooth.

30
00:01:21,200 --> 00:01:23,770
And that's where these old school attacks come into play.

31
00:01:23,770 --> 00:01:25,730
You could send messages with Bluetooth.

32
00:01:25,730 --> 00:01:27,040
We have four we're looking at here,

33
00:01:27,040 --> 00:01:28,557
Bluejacking, BlueSniffing,

34
00:01:28,557 --> 00:01:31,590
BlueSnarfing and BlueSmacking.

35
00:01:31,590 --> 00:01:32,950
Bluejacking, as we can see here,

36
00:01:32,950 --> 00:01:35,900
is sending messages over Bluetooth through contact sharing.

37
00:01:35,900 --> 00:01:39,640
So you could create a new contact, put a message in there,

38
00:01:39,640 --> 00:01:43,240
like, you know, I see what you're doing online

39
00:01:43,240 --> 00:01:44,580
and you're sitting in the coffee shop,

40
00:01:44,580 --> 00:01:46,633
you send it to someone, you know.

41
00:01:48,680 --> 00:01:50,360
BlueSniffing is,

42
00:01:50,360 --> 00:01:54,420
it's like wardriving for Wi-Fi, except you are,

43
00:01:54,420 --> 00:01:56,930
you know, seeing which Bluetooth devices

44
00:01:56,930 --> 00:01:58,140
exist in certain places,

45
00:01:58,140 --> 00:02:00,490
tying that to a physical location on the earth.

46
00:02:01,430 --> 00:02:03,520
And now you know that a Bluetooth device exists there.

47
00:02:03,520 --> 00:02:07,970
However, most of the time Bluetooth devices are moving.

48
00:02:07,970 --> 00:02:11,060
BlueSnarfing, stealing data via Bluetooth.

49
00:02:11,060 --> 00:02:15,350
And BlueSmacking, denial of service affecting availability

50
00:02:15,350 --> 00:02:17,720
of the target device.
51
00:02:17,720 --> 00:02:19,740
So I mentioned Bluejacking,

52
00:02:19,740 --> 00:02:23,050
creating a contact, sharing it via Bluetooth

53
00:02:23,050 --> 00:02:25,340
in order to, as we see here,

54
00:02:25,340 --> 00:02:30,340
elicit a response from your target or guerrilla marketing.

55
00:02:30,480 --> 00:02:33,790
So, as you're walking around downtown San Francisco,

56
00:02:33,790 --> 00:02:35,790
you are constantly sending out this contact

57
00:02:35,790 --> 00:02:39,283
saying, hey, go eat at Joe's sandwich shop as an example.

58
00:02:40,680 --> 00:02:44,320
Some tools used for these old school attacks.

59
00:02:44,320 --> 00:02:46,470
I have all the URLs listed here,

60
00:02:46,470 --> 00:02:49,280
from Bluetooth browser down to Bluediving.

61
00:02:49,280 --> 00:02:50,630
Take a look at these tools,

62
00:02:50,630 --> 00:02:53,200
given the current state of Bluetooth

63
00:02:53,200 --> 00:02:55,770
versus what it was 20 years ago,

64
00:02:55,770 --> 00:02:58,333
the tools have changed a little bit.

65
00:02:59,260 --> 00:03:01,170
So we talked about a lot of vulnerabilities

66
00:03:01,170 --> 00:03:03,400
that existed, you know, 20 years ago.

67
00:03:03,400 --> 00:03:06,430
But is Bluetooth still relevant in the 2020s?

68
00:03:06,430 --> 00:03:09,030
Absolutely. And it's a lot more fun.

69
00:03:09,030 --> 00:03:11,970
'Cause back then, it was just audio and contact sharing

70
00:03:11,970 --> 00:03:13,780
and you know, you got your headset on

71
00:03:13,780 --> 00:03:15,630
and everyone's walking around with their,

72
00:03:15,630 --> 00:03:17,730
you know, big microphone and looking cool.

73
00:03:17,730 --> 00:03:21,470
But now in the 2020s, we have Bluetooth Smart,

74
00:03:21,470 --> 00:03:24,160
came around with Bluetooth version 4.
75
00:03:24,160 --> 00:03:27,840
And with Bluetooth Smart or Bluetooth Low Energy,

76
00:03:27,840 --> 00:03:29,140
we have the ability

77
00:03:29,140 --> 00:03:32,930
to very easily interact with Bluetooth devices,

78
00:03:32,930 --> 00:03:36,180
change settings, receive data, all without pairing.

79
00:03:36,180 --> 00:03:39,570
So, it becomes a very interesting avenue

80
00:03:39,570 --> 00:03:42,480
of investigation of smart devices.

81
00:03:42,480 --> 00:03:45,980
And when we get into the IoT section of this course,

82
00:03:45,980 --> 00:03:47,760
you'll see a lot more about Bluetooth.

83
00:03:47,760 --> 00:03:50,570
But, we do need to talk about the fact,

84
00:03:50,570 --> 00:03:53,220
particularly 'cause we're in this wireless section,

85
00:03:53,220 --> 00:03:56,980
some tools you can use to interact with Bluetooth devices.

86
00:03:56,980 --> 00:04:00,200
So, we have nRF Connect and GATTacker.

87
00:04:00,200 --> 00:04:01,490
G attacker.

88
00:04:01,490 --> 00:04:04,140
I'm not exactly sure the correct pronunciation of the tool

89
00:04:04,140 --> 00:04:05,960
but let's take a look at nRF Connect first.

90
00:04:05,960 --> 00:04:08,290
So, nRF Connect comes in a mobile version

91
00:04:08,290 --> 00:04:10,080
as well as a desktop version.

92
00:04:10,080 --> 00:04:12,620
The screenshot here is from the mobile version.

93
00:04:12,620 --> 00:04:14,620
And what I did was with this screenshot,

94
00:04:14,620 --> 00:04:16,800
I installed the application and I started it.

95
00:04:16,800 --> 00:04:20,650
And what it does is it scans the local area,

96
00:04:20,650 --> 00:04:22,730
looking for Bluetooth devices

97
00:04:22,730 --> 00:04:23,900
and then I'll show them to you.

98
00:04:23,900 --> 00:04:25,680
So I found one, I clicked on it

99
00:04:25,680 --> 00:04:29,340
and we can see here that the self-identified name

100
00:04:29,340 --> 00:04:31,610
of this device is battery monitor.
101
00:04:31,610 --> 00:04:32,800
I don't know what this is,

102
00:04:32,800 --> 00:04:36,150
but it's in my house, which is really interesting.

103
00:04:36,150 --> 00:04:39,560
I hit connect and I can then enumerate the GATT database.

104
00:04:39,560 --> 00:04:41,850
GATT is generic attribute database.

105
00:04:41,850 --> 00:04:45,020
And I can see what characteristics this device offers

106
00:04:46,070 --> 00:04:47,910
that I might be able to read.

107
00:04:47,910 --> 00:04:49,620
Now this one right here,

108
00:04:49,620 --> 00:04:51,963
if I could circle that real quick,

109
00:04:53,070 --> 00:04:54,960
it has the property of notify.

110
00:04:54,960 --> 00:04:56,180
And what this means is that

111
00:04:56,180 --> 00:04:58,380
you can subscribe to this characteristic

112
00:04:58,380 --> 00:05:00,550
and receive, provided you're connected,

113
00:05:00,550 --> 00:05:02,430
receive updates whenever it changes.

114
00:05:02,430 --> 00:05:06,050
And it was every second, this data was changing.

115
00:05:06,050 --> 00:05:07,730
Now, this is an unknown characteristic.

116
00:05:07,730 --> 00:05:08,870
So, it's proprietary

117
00:05:08,870 --> 00:05:12,030
to whoever made this particular battery monitor.

118
00:05:12,030 --> 00:05:12,863
But,

119
00:05:12,863 --> 00:05:14,980
and I don't know what this data is, of course.

120
00:05:14,980 --> 00:05:15,813
Now,

121
00:05:15,813 --> 00:05:18,560
I start with the whole reverse engineering process, right?

122
00:05:18,560 --> 00:05:21,220
See if I can figure out what that device is.

123
00:05:21,220 --> 00:05:23,610
And then, also, look for characteristics

124
00:05:23,610 --> 00:05:24,870
that I can write to.

125
00:05:24,870 --> 00:05:26,800
So this little up arrow right here

126
00:05:26,800 --> 00:05:30,470
will allow me to send data to a characteristic.

127
00:05:30,470 --> 00:05:32,810
This is a lot of fun to play with.
128
00:05:32,810 --> 00:05:35,910
If you're sitting in the passenger seat of a car sometime,

129
00:05:35,910 --> 00:05:37,470
fire up nRF Connect desktop

130
00:05:37,470 --> 00:05:39,593
and see what you can connect to and play with.

131
00:05:40,560 --> 00:05:43,570
And the next application G attacker or GATTacker,

132
00:05:43,570 --> 00:05:45,120
again, I'm guessing it's GATTacker

133
00:05:45,120 --> 00:05:47,450
because generic attribute attacker

134
00:05:48,640 --> 00:05:50,060
is how it might be pronounced,

135
00:05:50,060 --> 00:05:51,410
I'm not particularly sure.

136
00:05:51,410 --> 00:05:53,880
But, it is essentially a proxy

137
00:05:53,880 --> 00:05:56,320
for Bluetooth Low Energy connections.

138
00:05:56,320 --> 00:05:57,410
Very interesting.

139
00:05:57,410 --> 00:05:59,880
So you can see here, it creates a copy of the attacked device

140
00:05:59,880 --> 00:06:01,430
in the Bluetooth layer.

141
00:06:01,430 --> 00:06:04,070
Then the phone would connect to the desktop

142
00:06:04,070 --> 00:06:07,400
which is emulating the device that you are attacking

143
00:06:07,400 --> 00:06:09,490
then proxying the data through.

144
00:06:09,490 --> 00:06:11,890
So, you get a machine in the middle situation

145
00:06:11,890 --> 00:06:15,270
wherein your computer becomes that device,

146
00:06:15,270 --> 00:06:17,030
you're proxying the data back and forth.

147
00:06:17,030 --> 00:06:18,220
And what can you do with that?

148
00:06:18,220 --> 00:06:21,230
You can sniff it, modify it, intercept

149
00:06:21,230 --> 00:06:23,260
and you know, take control,

150
00:06:23,260 --> 00:06:25,480
what sort of authentication is included

151
00:06:25,480 --> 00:06:27,240
in that exchange of information.

152
00:06:27,240 --> 00:06:28,073
A lot of fun.