CVE on radio technology :D

neelam
4 min read · Jun 8, 2021

This blog is not about bounty tricks; it is based on the CVE I received this year for a product.

In daily life we use Bluetooth to connect headphones, mice, smartwatches, etc … but have you ever thought of finding bugs in those devices?

What if you could connect to the device without pairing it with your phone and perform a particular action? :D Sounds interesting, right? 😉

So let’s start and see how I controlled the device from my terminal.

Okay!! To perform any BLE attack you need a few tools:

· CSR dongle 4.0 or 5.0 (depending on which Bluetooth version the device uses; in my case it was 4.0)

· An Android phone, of course

· The device itself that you want to attack

In the very first phase, we must do some recon to identify the BLE address of the device.

Command: hcitool -i hci1 lescan (hci1 is the interface index of the CSR dongle; hciconfig lists the adapters present)

Once we have gathered the address, we can move on to connecting to the device using gatttool in interactive mode:

Command: gatttool -I -i hci1 -b <ble address> (-I starts the interactive shell, -i selects the adapter)

Now, to get information about the services and characteristics, run this inside the gatttool prompt:

Command: primary

In the screenshot above, the information shown is the attribute group handle range and the UUID of each service on the device; 1801 is used for general information like device name, appearance, etc.
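To make sense of what primary returns, here is an added Python example (not code from the original post) that parses the handle ranges and UUIDs from a constructed sample of gatttool's primary output, resolves the 16-bit Bluetooth SIG service numbers, and separates out the vendor-specific services that an audit should look at first; the output line format and the sample values are assumptions.

```python
import re

# gatttool's `primary` command prints one line per service, for example:
#   attr handle: 0x0001, end grp handle: 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb
LINE_RE = re.compile(
    r"attr handle:\s*0x([0-9a-fA-F]{4}),\s*end grp handle:\s*0x([0-9a-fA-F]{4})"
    r"\s*uuid:\s*([0-9a-fA-F-]{36})"
)
# Bluetooth SIG base UUID: a 16-bit assigned number xxxx expands to 0000xxxx + BASE_SUFFIX
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
# A few service numbers from the Bluetooth SIG assigned-numbers list
SIG_SERVICES = {
    0x1800: "Generic Access",
    0x1801: "Generic Attribute",
    0x180A: "Device Information",
    0x180F: "Battery Service",
}

# Constructed sample output; the third UUID is an invented vendor-specific one
SAMPLE_OUTPUT = """\
attr handle: 0x0001, end grp handle: 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle: 0x0008, end grp handle: 0x000b uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle: 0x000c, end grp handle: 0xffff uuid: 12345678-1234-5678-1234-56789abcdef0
"""


def parse_primary(output):
    """Return one dict per service: handle range, full UUID, 16-bit number (SIG-based only) and a label."""
    services = []
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip the prompt, blank lines and other chatter
        uuid = m.group(3).lower()
        short = None
        if uuid.startswith("0000") and uuid.endswith(BASE_SUFFIX):
            short = int(uuid[4:8], 16)  # the xxxx in 0000xxxx-...
        name = ("vendor-specific" if short is None
                else SIG_SERVICES.get(short, "SIG-assigned (not in local table)"))
        services.append({"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                         "uuid": uuid, "short": short, "name": name})
    return services


def vendor_services(services):
    """Services outside the SIG base UUID: the custom ones an audit should review first."""
    return [s for s in services if s["short"] is None]
```

The custom services are where a device's own commands usually live, so their characteristics and write permissions are what to examine once pairing behaviour is in question.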
