Android Bluetooth Hacking
ฝัง
- เผยแพร่เมื่อ 30 มิ.ย. 2024
- Big thank you to Brilliant for sponsoring this video! Try Brilliant for free (for 30 days) and to get a 20% discount, visit: Brilliant.org/DavidBombal
CVE-2023-45866 allows attackers to remotely control an Android phone (and other devices) without pairing.
Details: Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue. Source: Mitre
See CVE details here:
cve.mitre.org/cgi-bin/cvename...
nvd.nist.gov/vuln/detail/CVE-...
How to stop / mitigate this attack:
1) Upgrade your phone / install security patches on Android for versions 11 and later. Unfortunately earlier versions cannot be patched (Android 10 and earlier)
2) Note: For the script to discover the MAC address of the phone, the phone needs to be in pairing mode.
3) Turn off Bluetooth if not being used
// Script and instructions here //
GitHub: github.com/pentestfunctions/B...
// Occupy The Web Books //
Linux Basics for Hackers:
US: amzn.to/3wqukgC
UK: amzn.to/43PHFev
Getting Started Becoming a Master Hacker
US: amzn.to/4bmGqX2
UK: amzn.to/43JG2iA
Network Basics for hackers:
US: amzn.to/3yeYVyb
UK: amzn.to/4aInbGK
// OTW Discount //
Use the code BOMBAL to get a 20% discount off anything from OTW's website: hackers-arise.net/
// Occupy The Web SOCIAL //
X: / three_cube
Website: hackers-arise.net/
// GitHub CODE //
github.com/pybluez/pybluez
// Amazon LINKS //
Rasberry Pi 5:
US: amzn.to/3JZKoZD
UK: amzn.to/3JTBixC
ASUS USB/BT-500USB
US: amzn.to/4abnPfl
UK: amzn.to/3QDsOOO
// Playlists REFERENCE //
Linux Basics for Hackers: • Linux for Hackers Tuto...
Mr Robot: • Hack like Mr Robot // ...
Hackers Arise / Occupy the Web Hacks: • Hacking Tools (with de...
// David's SOCIAL //
Discord: / discord
X: / davidbombal
Instagram: / davidbombal
LinkedIn: / davidbombal
Facebook: / davidbombal.co
TikTok: / davidbombal
TH-cam: / @davidbombal
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
Hacking Wordpress Websites with Python in seconds (using the Dark Web and Telegram data)
00:00 - Bluetooth hacking quick demo
03:05 - Brilliant sponsored segment
03:57 - The Bluetooth vulnerability explained // OccupyTheWeb
05:26 - How the vulnerability works
08:16 - Bluetooth hacking demo
09:26 - Setting up for the hack // BlueZ
12:12 - BlueZ tools demo
13:50 - Scanning for Bluetooth devices
17:58 - Other tools
23:20 - Running BlueDucky // Hacking Bluetooth demo
25:50 - The possibilities of Bluetooth hacking
28:04 - Older Android versions are at risk // Keeping devices up to date
30:17 - Bluetooth hacking for other operating systems
30:52 - Hacking Bluetooth speakers
34:04 - OTW books & plans for future videos
34:52 - Conclusion
android
iphone
bluetooth
raspberry pi
macos
windows
samsung
pixel
google
apple
microsoft
linux
ubuntu
blue tooth
flipper zero
google pixel
ble
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#android #iphone #bluetooth - วิทยาศาสตร์และเทคโนโลยี
Big thank you to Brilliant for sponsoring this video! Try Brilliant for free (for 30 days) and to get a 20% discount, visit: Brilliant.org/DavidBombal
CVE-2023-45866 allows attackers to remotely control an Android phone (and other devices) without pairing.
Details: Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue. Source: Mitre
See CVE details here:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45866
nvd.nist.gov/vuln/detail/CVE-2023-45866
// Script and instructions here //
GitHub: github.com/pentestfunctions/BlueDucky
How to stop / mitigate this attack:
1) Upgrade your phone / install security patches on Android for versions 11 and later. Unfortunately earlier versions cannot be patched (Android 10 and earlier)
2) Note: For the script to discover the MAC address of the phone, the phone needs to be in pairing mode.
3) Turn off Bluetooth if not being used
// Occupy The Web Books //
Linux Basics for Hackers:
US: amzn.to/3wqukgC
UK: amzn.to/43PHFev
Getting Started Becoming a Master Hacker
US: amzn.to/4bmGqX2
UK: amzn.to/43JG2iA
Network Basics for hackers:
US: amzn.to/3yeYVyb
UK: amzn.to/4aInbGK
// OTW Discount //
Use the code BOMBAL to get a 20% discount off anything from OTW's website: hackers-arise.net/
// Occupy The Web SOCIAL //
X: twitter.com/three_cube
Website: hackers-arise.net/
// GitHub CODE //
github.com/pybluez/pybluez
// Amazon LINKS //
Rasberry Pi 5:
US: amzn.to/3JZKoZD
UK: amzn.to/3JTBixC
ASUS USB/BT-500USB
US: amzn.to/4abnPfl
UK: amzn.to/3QDsOOO
// Playlists REFERENCE //
Linux Basics for Hackers: th-cam.com/video/YJUVNlmIO6E/w-d-xo.html&pp=iAQB
Mr Robot: th-cam.com/video/3yiT_WMlosg/w-d-xo.html&pp=iAQB
Hackers Arise / Occupy the Web Hacks: th-cam.com/video/GxkKszPVD1M/w-d-xo.html&pp=iAQB
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
X: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
TH-cam: www.youtube.com/@davidbombal
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
00:00 - Bluetooth hacking quick demo
03:05 - Brilliant sponsored segment
03:57 - The Bluetooth vulnerability explained // OccupyTheWeb
05:26 - How the vulnerability works
08:16 - Bluetooth hacking demo
09:26 - Setting up for the hack // BlueZ
12:12 - BlueZ tools demo
13:50 - Scanning for Bluetooth devices
17:58 - Other tools
23:20 - Running BlueDucky // Hacking Bluetooth demo
25:50 - The possibilities of Bluetooth hacking
28:04 - Older Android versions are at risk // Keeping devices up to date
30:17 - Bluetooth hacking for other operating systems
30:52 - Hacking Bluetooth speakers
34:04 - OTW books & plans for future videos
34:52 - Conclusion
android
iphone
bluetooth
raspberry pi
macos
windows
samsung
pixel
google
apple
microsoft
linux
ubuntu
blue tooth
flipper zero
google pixel
ble
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#android #iphone #bluetooth
Get GPT to make a windows version :-) maybe even a gui 🙂
in ll my time doing this, occupy is the only person I have ever followed a tutorial from that didnt work, and its literally EVERY one he does.
hey david please do more andriod hacking videos, would be very helpful for boosting sercurity
This is happing to me combination with apps i cant tern off that changes my google setting then they back door it that way so how can i tern this off
I love that he initially ran "sudo apt clone" and then it magically changed to "sudo git clone" 😂
I'll have to try that with dnf
"Peace was never an option."
Phones not having switches is just irresponsible at this point.
sorry, what do you mean by a "swittch" on a phone?
@@domelessanne6357he probly means swtiches to physically disconnect those communication chips
Especially since they are the default 2fa.
@@domelessanne6357he means an on and off button. For some reason idiots think phones don’t have an off switch. Nobody tell them that you can!
@razerow3391 Incorrect assumption. What the OP means is a hardware cutoff switch for the wireless interfaces (Wi-Fi, Bluetooth, modem). Also, turning off the phone in some modern phones doesn't power off the Bluetooth module. This is used for tracking services like Find my Device on Apple products and some Android device manufacturers like Samsung and Google.
If you know what the speaker is. Technically you could write a patch for it to auto shutdown or reboot every so often. Then force the patch to the speaker or tv.
SDR stuff sounds AMAzing!
One thing companies should be held accountable for and they're not. Smdh, this is why I hate non-accountability and immunity in the tech industry.
There is NO way to know every vulnerability upon release. But they DO Offer Updates AND PATCHES SO non lawsuits are legit.
How on earth would that happen? In which country, would China adhere to your rules? Ideas like this would have kept us on dial up for the next fifty years if they were half practicable.
I would love that second video!! Always great to listen to OTW!!
I'll ask OTW - I think the bluetooth speaker / music video would be very nice to see :)
I always enjoy watching an amazing videos with OTW and thanks to you so much David now you have shown me a clear path to follow since I joint your channel 3 years back and thanks to you so much and waiting for more from you and your guests please.
Thank you David and Occupied for sharing the knowledge!
Please do make a video on how to send packets to the bluetooth streams ✌️
I'll ask OTW :)
It's a great thing you two are doing for us and myeslf and I, appreciates that a lot.
I wanna ask, can the payloads be edited?
yea
@@lowlevelcodingch great. Any idea how?
Would love to see more bluetooth work. Like the ubertooth and generics. As well as btsmash
Thanks so much David
You are very welcome!
combining this attack with a list of browser exploits on an aws server would be impressive. get a browser recognition script on the index page with php or java to identify the browser version and based on the version launch a specific exploit and gain access to the phone.
That's insane
;-) mmmhhh
NSA, is that you ? 😂
or develop a (CUSTOM) android malware and after accessing the target android device inject it to all installed apps or install it as a service 🥴🥴
David and he's rick rolls gets me everytime haha XD
I love it David! Keep up the amazing work! I have also a Raspberry 5 now i'll give it a test spin soon :D
Thank you!
Since this is an HID keystroke injector (as I understand it), does it need to unlock the phone (password or otherwise) before it can inject commands to other applications?
Yes
The device has to be unlocked for the scan to show up, only then you can retrieve the MAC address. In addition, it was necessary to agree to the pairing, otherwise the connection could not be established. I used Android 7.1.1 with a BQ Aquaris phone.
@@isrok20011
Good point. However, remember that social engineering is an important feather to have in your cap. In my house I could rename my host/attack machine to Sonos_BT-speaker or something.
SDR lessons would be awesome! 🤩 Hope you guys do that.
I'll ask OTW :)
this is really very scary in the wrong hands because there are millions of phones that fall prey to this bluetooth CVE. and the only option for most will be to buy a new device more scary even. hopefully options will come by to help them out. hopefully many people can learn of this as quick as possible. huge shouts to you David and OTW.
Did no one watch Person of Interest? Only me??
Sure, it went sappy in the later seasons but you gotta admit that their favorite mobile initial-access was via Bluetooth.
I SWEAR THAT'S ALL I COULD THINK ABOUT!!
Bluejacker wasnt it? Used to make me laugh as it was so unrealistic, but now.... plausable :D
Person of interest was excellent, and Harold did a lot of hacking
@@traida111 that's funny. You thought 'unrealistic' -- I thought 'I gotta look into that'
@@WoodyWilliams Well there wasn't much you could do around then. There were early exploits in early 2000's, but I'd put that down to early implementation vulnerabilities. When the show came out there were no bluetooth exploits. But near to the show's end there were a few that came out. So you were right to look into it. my assumptions let me down. But one interesting question I have based off this, is did this tv show inspire these hackers to pentest bluetooth and to find these exploits? If it did, that's pretty epic
Thank you, David🚀
You're welcome!
Thank you David, I'll keep updating my phone patches
Hey David Bombal, could you also do a Video about detecting remote Access to an Android Phone and how to protect against/ remove the remote Access.
Hi David
thanks for the great video , it was awesome
one question , how did you connect your pi to laptop ?
did you use HDMI cable or what ?
Ill be glad if you could help me and tell me ,
my main problem is that when im using ssh or vnc or stuff like this i dont have many permissions as you know
and i cant use tools that work with wifi
i bought a ttl cable to connect to pi
i wanted to ask you if you know any better ways :)
ssh
You didn’t have to change the default adapter value in the script, you could have just used the argument -adapter …I was the one that submitted the PR (pull 21) to specify adapter it haha
If curious:
pull/21 on BlueDucky Repo...
David bomball is so modern blue ducky came this year in january and hes already reviewd and teaching it!
I am not tech savvy, but I have read somewhere that spyware or malware can not always been erased via a factory reset as this setting only wipes out user data partition or something, and does not the reset system data partition on which the malware could be embedded. How can one reset system data partition for android devices for example?
Love these videos with OTW👍👍👍
Really appreciate both of you. wish you the best Sir.
You are most welcome
Love the videos with this guest
I basically keep Bluetooth off, if I'm not using a Bluetooth device at that time, so for me it's almost always off, but it's good to be aware of.
so this attack can be prevented if Bluetooth is off, right?
@@puneet7768 I don't know for sure. But I think so. Keep it off if it's unused.
@@noam65 that doesnt necessarily turn it off. LE is on in many devices. Those exploits are much harder to pull. For this here just lock your screen if you dont wanna turn off BT.
How to stop / mitigate this attack:
1) Upgrade your phone / install security patches on Android for versions 11 and later. Unfortunately earlier versions cannot be patched (Android 10 and earlier)
2) Note: For the script to discover the MAC address of the phone, the phone needs to be in pairing mode.
3) Turn off Bluetooth if not being used
also some wifi keyboards, mouses etc.
I thought of that combined with drone and some strong antena for both signals
Could one use this vulnerability to force a phone to place a call? That could be *interesting*
Been scrolling through the comments, this man really tries to answer alot of them. Thank you for this information david.
I try to answer as many as I can :)
Thanks to both of OTW and David! I would like to learn more from you regarding Android hacking !
i was waiting for some bluetooth stuff like this
David, the problem with keeping your devices up-to-date in that the providers only send updates for 2 to 3 years and then you're done. Most people have no idea, after that if or how they can get patches or updates. Too many of us can't go out an buy new phones every two years. So these people are just stuck in limbo for whatever new hacks that come along after that.
Another reason Custom ROMs are so important, but of course massive companies keep trying to kill them. I ONLY buy devices with unlockable bootloaders.
@davidbombal Could this be done from a laptop running Kali or from a rooted phone running NetHunter?
Thanks for this, so glad I bought a new phone. This is re-igniting me wanting to get back to studying.
It's really exciting whenever you interview OTW, and like he previously suggested that you interview Sean Dillon please make it possible to
Insane how such a small bug has implications this potentially bad!
No wonder my ear pods were acting weird lately.
Love your work, thank you.
3:10 they can be updated, they just to have a custom rom flashed (you can flash higher versions of android)
Thanks so much David(first Tim watch a video of 2 hour earlier) unlike years ❤
Awesome video David ❤
even on android 10 youll have to accept pairing request
this is essentially almost the same thing that the rubber ducky does with a usb, RICK ROLLED!
Check out the payloads - same as Rubber Ducky :)
the 2.1 BlueDucky script is IMHO Purposefully broken, to keep the majority of the less willing to use ingenuity and learn and fix it, most noob kiddies wont be rick rolling without learning something. unless I am wrong., i missed the first iteration of this POC. I feel like i have it halfway figured out though,. I mean seriously have you tried the 2.1 and can u get it to work as is? bluetoothctl does not report any devices back via said command until a scan finds the devices and they sit in recent memory, so i feel like its calling on something that won't happen as is.... lol im gonna fix it though. i used to know all the ins and out of the much lesser known mIRC scripting language so this is just so much like it i have to finish dusting off 20 years of not utilizing the knowledge.... but it did pay my rent all year with the bot i wrote that sent advertising for a referral program way back then, but til i get it through my stubborn skull its on........
Hey the ASU’s adaptor you suggest doesn’t work with Kali . Should I install drivers or something? Can you do a tutorial about this ?
Sir, for me it asks to pair manually and then when we pair, does the attack take place
Hey which Bluetooth adaptor would you recommend that would work well with Kali Linux ?
How can I use a blutooth adaptor instead of rubbery pi ?
lol yet another reason why the headphone jack should've never been removed
I have to pair the devices manually, tested on three different phones. One with android 14, one with android 9, and one with android 7. I've also tried out multiple bluetooth adapters, one with bluetooth 2.0 and one with bluetooth 5.0 . The 2.0 version had a flaw, where I had to edit the blueducky script so it connects with a different protocol. In the newer one it gives automatically the code that I've written for the 2.0 protocol pairing. What could be wrong here?
What's the range of this attack
I left my phone's Bluetooth on by accident a few days ago, then when I checked dit after a day
I saw a light blue Square around TH-cam app on my home screen which is the same square when I have an external keyboard connected and use the arrow keys to navigate the phone screen.
I was worried for a bit but then checked my files on the surface I don't see anything odd
Lastly
My device is a building with ~20cm thick bricks for walls and other buildings are about 3 metres away
Totally worth it to watch once again.🎉❤
Does speaker have to be in pairing mode/connected and paired? For anyone who already tested it
32:00 hold on an SDR dongle can transmit??? Had thought they were just receivers? It's a transciecer? Are these you bog standard cheap SDRs or are you talking about something pro level? Would an unlocked quangsheng uvk5(8) be able to transmit on the relevant frequency to achieve the same effect? Ive seen them used to jam remote car keys before.
@17:38 is an unobscured MAC address you tried to protect earlier masking it's right part.
There is no single way to penetrate a specific thing. You may need some basic methods, but you must search for the hole to expand it
wonderful video thank you sir
You don't need to modify the script, it clearly states that you can just specify which adapter to use with the --adapter argument.
Yeah I tested the script, interestingly REALME phone with android 13 and 11 is vulnerable , but the OPPO phones with older versions of android (I tested 9 and 10) is not vulnerable. There is a error message showing the pairing pin is not valid so I don't know about other brands but REALME is vulnerable
Like to see the video on the Bluetooth speakers ❤
My Discord members wanted me to check out your channel. Very interesting.
Can this tool be used without raspberry pi 4
Hi david, tried this one out with an old huawei p30 lite and it asks for permission first, even with an oppo of my friend? Is there away to bypass this?
its a coincidence how i just finished fixing my bluetooth adapter and you just dropped a bluetooth cve video
Doesnt work for all adapters.
This must not be an issue if you turn off bluetooth, right?
i had an apk which would do the same. It still works, bassicaly it sents a pair request spamming them and they will connect by accident (when playing games or such) and then i can sent keystrokes, 9/10 times it works.x
I tried this on my android 8 phone but I still had to press the pair button for it to work, idk if this is because it has been patched or if I am missing something
Can you make bug hunting video? How we start bug hunting as a beginner
Any bluetooth device you recommend that works properly? I used panda but its no longer scanning
Crazy...I was just playing with this last night
I've had problem, (error: Failed to enable SSP) and needed to change script, at line 107 in BlueDucky, there's code (ssp_command = ["sudo", "hciconfig", self.iface, "sspmode"] (just removed "1" at the end of line 107... and script rins runs fine, but cant connect to galaxy 6 ... " - error: connection refused ... "
Script renamed my kali machine into ROBOT POC ... but still connection refused
...
I have done it, ,,you need to remove device from bluetooth settings (in gui), 'couse i have connected kali with that device earlier, that was the problem. As soon as i clicked "forget device" it was ok then- now just need to get other "commands" for payloads...
Good information 👍
Can this work on any laptop that has Bluetooth or i need to get an external Bluetooth to be able to use this attack
Did you like not watch the video?
@@abhimanyusareen1670 I did watch it but he was using an external Bluetooth (Hi0)
Very interesting video. I imagine that this could be very damaging in the wrong hands. Very cool.
How can you protect the older Android from these attacks or any attacks or what can you download or install to prevent a lot of this any help is definitely appreciated
It said you need to be able to update it
Activate developer options and disable low energy bluetooth
Could you talk about malwares that hide in system paritition or recovery partition? Thanks!
I swear occupy the web is actually Tommy Edison 😂
Wonderfull video sir
Thank you vey much!
I'm a complete beginner and this is my second video
I had someone open up about 10 instances of a screen recording software somehow remotely and I don't have bluetooth enabled as far as I know. Any way I can prevent this happening? I know someone is getting on my macbook and I don't know how or how to stop them, my phone too
Can this be compiled and added to havock for rfone portapack fw?
Is it mandatory to have bluetooth external device to perform this attack??
How does a bluetooth adapter help?
when will there be a video about the attack on the phone?
Excelente video 🥺
Thank you!
Can i use windows? Also can you explain me what is the use of raspberry pi In this. Why can't I directly use my pc for it?
24:32 MAC is not blurred 🙈
PC is not blurred, either
Will you really go look for that ≈100m radius around his home to use that mac?
@@hetmanfokoAll the others are hidden - that's why. 🤔
18:04
i don't know enough to imagine a use case, the environment. other than maybe if it was on a train against a person sat infront of you
Did anyone else read the title card in Shang Tsun's voice?
can i try this with a Bluetooth connected wrist watch 🤔
Love from India ♥️🇮🇳
I love my note 9, hell its an extension of myself at this point but it is very hard to root without bricking it
I guess now it's either rooting and risk bricking or upgrade... neither of which im especially happy about :/
It Works, Just tried it out on my phone. Scary stuff
USB arsenal is missing in my nethunter
Ive already been looking at this and a self-replicating "package" that could jump from phone to phone. This hack in general could do some nasty shyt considering how many people are on their Bluetooth earbuds every day.
Asalam David, hope you having fun, i just wanted to ask you that can I install bluetooth🎶 in lenovo device of 2nd generation which does not support bluetooth?🤩♻
I will be waiting for your kind response.💰
Thanks in davance. 😊
Does this exploit work only on devices that enable dev mod