
Bluetooth Hacking: Case Study

Harshil Shah
New York Institute of Technology

This paper briefly describes the protocol architecture of Bluetooth, the different kinds of attack on Bluetooth-enabled devices, and mitigation techniques. Several types of attacks are described.

Keywords: Bluetooth, Bluetooth hacking, bluesnarfer, bluejacking, bluesniping
Bluetooth is one of the most widely used wireless technologies today. It is the standard communication protocol for short-range communication and operates in the 2.4 GHz band. Cellphones, computers, PDAs and headsets are a few of the devices that commonly use Bluetooth for synchronizing email, playing music and sending phone data. Bluehacking, bluejacking, bluesnarfing and bluesnafting are attacks that can be carried out over Bluetooth.
Bluetooth Protocols

L2CAP: It is used to multiplex multiple logical connections between two devices using different higher-level protocols.

RFCOMM: It is a transport protocol used by Bluetooth devices that need reliable stream-based transport, analogous to TCP. This protocol is commonly used to emulate serial ports, send AT commands to phones and transport files over OBEX.

Object Exchange Protocol (OBEX): It is a vendor-independent protocol which allows devices to transfer file objects like business cards, data files or calendar information. It is a higher-layer protocol which runs over different transports, such as RFCOMM.

There are several other protocols, along with adopted protocols, which are used over Bluetooth.

Figure 1: Bluetooth Protocol Stack

Bluetooth Security

Bluetooth defines three security modes. All Bluetooth services have a default level of security. Some services require authorization and authentication, and some do not.

Mode 1: It provides no security enforcement, which means the device does not take any steps to protect itself.

Mode 2: In this mode a specific application might be protected, but no additional protection is added.

Mode 3: It protects devices from certain types of intrusion.

Types of Attacks

There are different kinds of attacks that can be employed against Bluetooth devices, like bluejacking, bluesnarfing, bluebugging, bluelogging, bluedumping and car

One should note that Bluetooth range is limited to 10 m to 100 m, so the attacker needs to be within range of the Bluetooth device. Some of the common attacks on Bluetooth devices are described here.

Bluebugging: Bluebugging is a powerful attack mechanism which takes control of the target phone and allows the attacker to make calls, send text messages, read messages, and access and modify the phonebook. It also allows an attacker to connect to the internet, forward calls and much more. It takes advantage of the poor implementation of trusted-device handling on some phones. The attacker pretends to send a vCard to an unauthenticated OBEX Push Profile on the target's phone. Once the transfer has started, the attacker interrupts it, and the victim's phone then lists the attacker's device as trusted.

Bluejacking: Bluejacking is about sending unsolicited messages to open Bluetooth devices by sending a vCard with the message in the name field, exploiting the OBEX protocol.

Bluelogging: It is used only to detect Bluetooth traffic over the air and identify details about the discoverable devices nearby.

Bluesnarfing: In this attack the attacker finds a target Bluetooth device which is in discoverable mode. It works by connecting to most Object Push Profile services, and the attacker then receives file names. The hacker can retrieve items like the phonebook, calendar and other personal data.

Helomoto: This attack was first found on Motorola phones, hence its name. It is similar to the bluebugging attack, but here the attacker

Project Discoveries:

Using different tools, information about the target Bluetooth device can be gathered. In this project, tools like bluesnarfer, btscanner and bluemaho are used.

To use bluesnarfer we need to create a specific environment. After creating the environment we can use some tools to read the phone directory. Most of the new-generation devices are not vulnerable to bluesnarfer or any type of Bluetooth hack. Some of the devices like the Nokia 6310i and Sony Ericsson W800i phones are vulnerable to being hacked by these tools.

Pinging Target Device

Bluesnarfer Commands

Using bluemaho we can get the MAC address (bt_addr) of the Bluetooth device. Also the previous name of the Bluetooth device can be seen.

Using sdptool we can get:
- Service Name
- Protocol Descriptor List
- Service RecHandle
- Profile Descriptor List
- Service Class ID List
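As an added example that is not part of the paper or its project, the following Python script parses the text layout of `sdptool browse` output (the fields listed above) and flags the service records behind the attacks described earlier (OBEX Object Push for bluejacking and bluesnarfing, RFCOMM serial and dial-up profiles for AT-command abuse), so a defender can inventory what one of their own devices exposes. The sample output and the set of flagged service classes are constructed for this example; the 16-bit UUIDs are the Bluetooth SIG assigned numbers.

```python
import re
# Bluetooth SIG assigned 16-bit service-class UUIDs behind the paper's attacks:
# OBEX Push for bluejacking/bluesnarfing, RFCOMM serial/DUN for AT-command abuse.
RISKY_CLASSES = {
    0x1101: "Serial Port: AT commands over RFCOMM",
    0x1103: "Dial-up Networking: AT commands over RFCOMM",
    0x1105: "OBEX Object Push: vCard push (bluejacking/bluesnarfing vector)",
}

def parse_sdptool_browse(text):  # text layout of `sdptool browse` -> list of record dicts
    records, section = [], None
    for line in text.splitlines():
        if line.startswith("Service Name:"):           # each record starts with its name
            records.append({"name": line.split(":", 1)[1].strip(),
                            "handle": "", "classes": [], "channel": None})
            section = None
        elif not records:
            continue                                    # "Browsing ..." banner before first record
        elif line.startswith("Service RecHandle:"):
            records[-1]["handle"] = line.split(":", 1)[1].strip()
        elif line.endswith("List:"):                    # Service Class ID / Protocol / Profile lists
            section = line.strip()
        elif section == "Service Class ID List:" and (m := re.search(r"\(0x([0-9a-fA-F]{4})\)", line)):
            records[-1]["classes"].append(int(m.group(1), 16))
        elif section == "Protocol Descriptor List:" and (m := re.search(r"Channel:\s*(\d+)", line)):
            records[-1]["channel"] = int(m.group(1))    # RFCOMM server channel the service listens on
    return records

def exposed_services(text):  # (service name, RFCOMM channel, reason) for records to review
    return [(r["name"], r["channel"], RISKY_CLASSES[u])
            for r in parse_sdptool_browse(text) for u in r["classes"] if u in RISKY_CLASSES]

# Constructed sample in the layout of `sdptool browse`; not a capture from the paper.
SAMPLE = """Browsing 00:11:22:33:44:55 ...
Service Name: OBEX Object Push
Service RecHandle: 0x10000
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
Profile Descriptor List:
  "OBEX Object Push" (0x1105)

Service Name: Headset Audio Gateway
Service RecHandle: 0x10001
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
"""
```

Only UUIDs under the Service Class ID List are collected, so the repeated 0x1105 under the Profile Descriptor List does not produce a duplicate finding.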

Mitigating Attacks on Bluetooth

- Do not leave Bluetooth devices in discoverable mode.
  o Active discovery tools require that devices be in discoverable mode to be identified; the attacker targets devices that respond to inquiry requests because they are easy to identify.
- Use Bluetooth keyboards which use encryption and authentication to encrypt and send data to the computer.
  o To mitigate the threat of passive Bluetooth keyboard eavesdropping, avoid using the HID boot mode mechanism, which sends traffic in plaintext.
- Users should use Secure Simple Pairing instead of legacy PIN authentication for the pairing exchange process to mitigate PIN cracking attacks.
- By manipulating Bluetooth friendly names, an attacker has many opportunities, ranging from manipulating users in a social engineering attack to a full target compromise.

- Information gathering on Bluetooth-enabled devices is
- Android and Apple devices are not vulnerable to Bluetooth hacks because of their secure authentication systems.
- Nokia 6310i and Sony Ericsson W800i phones are still vulnerable to bluesnarfer-type tools. But these devices are hard to find in the market.
- Still, sniffing of Bluetooth devices is possible with certain tools.
- Bluetooth keyboards which transfer data as plaintext are vulnerable to being hacked.
