Cloning Bluetooth Device

November 21, 2012, by | Start Discussion

[Note: This demonstration is based on article “Bluetooth Reconnaissance – Watching over Invisible”. Please go through it before moving forward]

Well in the previous section we saw that how to find the devices which are in visible as well as in invisible mode using different tools. And also understood the different terms we get while scanning process.

Here we will recall one scan information.

So here in first block the Bluetooth addresses given then the clock offset and then class information. By looking at class information we can conclude which of device we have scanned.

In this section let’s play with our own Bluetooth interfaces, so that we can prepare them for attack.

Initial State:

The above screenshot is of my hci1 external Bluetooth dongle’s initial configuration. Specially look at BD_ADDR, Name and Class.

Basic and most important, first we will change BD_ADDR of device.

#bdaddr -i hci1 <new_bd_addr>

As like hci1, we can change address of all of Bluetooth devices as want –

In above screenshot, you can see that both hci0 and hci1 device’s BD_ADDR is changed.

hci0 to AA:AA:AA:AA:AA:AA
hci1 to BB:BB:BB:BB:BB:BB

Now effectively rather than changing address to all A’s or all B’s, we can clone our device to any other Bluetooth devices.

First scan the air:-

#hcitool scan

Why not to pick up android BD_ADDR?

#bdaddr -i hci1 <BD_ADDR>

You can cross-check the configuration by-

#hciconfig–a

So now we successfully changed the BD_ADDR. Interesting note is once BD_ADDR is changed, it will remain forever.

Now let’s change our device name –

#hciconfig hci1 name “android”

You can cross-check again and verify that name is also changed.

So now, does our Bluetooth device will act as phone? The answer is no. You can observe the class field. It is still 0x000000.

Let’s change its services too…

#hciconfig hci1 class 0x58020c

Now you can clearly see that we changed the BD_ADDR, name and also class of our device as per our wish.

You can clearly see with these settings, when scan is made through smartphone,bt-0 which is default Bluetooth interface for which we didn’t make any changes. And name android is nothing but hci1 dongle, which we converted into android smartphone.

The question is why to do these changes?

Basically in certain premises if any particular Bluetooth type device is blocked or not allowed, we can simply move to any other device with just few commands. The above setting also plays very important role in many attacks which we will look further.

Again the question is while doing these configuration changes how to find that on which class to move?
URL: http://bluetooth-pentest.narod.ru/software/bluetooth_class_of_device-service_generator.html

Find class of any device you wants to pick up.

As per your need, you can pick up any type of device with the services you want as shown above.

References:

  1. http://en.wikipedia.org/wiki/Bluetooth
  2. http://www.bluetooth.com
  3. http://linux.die.net/man/8/hciconfig

Author bio not avialable

Leave a Reply