Bluetooth: The Next Step
Somewhat less popular but still viral videos of the Flipper Zero show a user pushing some orange buttons and every cellphone in the room going haywire. Their users look about, confused by this unforeseen turn of events. Meanwhile, the perpetrator laughs to himself. So, is this real or more wannabe malarkey? Yeah, it's mostly real.
The Flipper comes equipped with a Bluetooth module. This module can do quite a few things, but I haven't done most of them, so I'll only write about what I know. In the case of the above story, the Flipper is sending out Bluetooth pairing requests on all points of the Bluetooth spectrum. The cellphones take these requests at face value and send a notification to the user that a device (usually headphones, earbuds, AirPods, etc.) is trying to connect. The moment the user dismisses this popup, another takes its place, and then another, and another, until either the Flipper user has had his fun or the unfortunate victims manage to turn off their phones.
That's a nice prank, but what about some other functionalities? Here's a good one: the Flipper can send BadUSB scripts through Bluetooth as well as over a wired connection. Okay, but why does it matter? In some secure areas, USB ports are closed off, accessible only by the IT department. Any peripherals have to be cleared with IT before being plugged in. Bluetooth, however, can be a bit more lax in its handling, allowing a malicious hacker to execute scripts when it would otherwise be impossible.
"Well, that's nice and all," you might say, "but it's still no good without physical access to your target computer." On a surface level, that would be true, but you'd be forgetting the single greatest vulnerability in ANY company's system -- people.
Computers are predictable; human beings are not. In many cases, it's easier to let an ignorant target let you in than it is to break in. In the case of Bluetooth, your goal is to get a target to connect to your Flipper's Bluetooth. Breaking in would be very difficult, but getting someone to connect might not be. A bonus of the Bluetooth connection is that BadUSB scripts can be executed on cellphones as well as desktops and laptops.
Picture this: a man on a subway discreetly reaches into his pocket and pushes a button. Suddenly, everyone wearing earbuds (which means quite a few) and everyone on their phone (quite a few more) gets spammed with connection alerts from a Bluetooth speaker. They dismiss the alerts. A new one takes its place. They dismiss that one too. A new one takes its place. They turn off their phones and turn them on again. The alert persists, preventing them from even disabling Bluetooth on their phones. Eventually, in hopes that it might stop the problem, a few of them accept the connection request. Their phone screens flash around for a moment while the BadUSB script grabs their personal information from their phones and loads it onto the Flipper's SD card. As quickly as it started, the whole thing stops, devices behave normally again, and everyone goes about their day, unaware that they've been hacked.
That's an interesting little concept. There are problems with it, of course, like the fact that the scripts would only work on Apple OR Android phones, but not both at once. However, the concept is sound enough.
More targeted attacks are also possible, but a bit more difficult. Let's say you know your target is using a certain kind of AirPods. Wait until they're wearing them and then send an AirPods connection request to the target's phone. They'll likely think that the AirPods have momentarily disconnected and accept without a second thought. Immediately, your scripts execute, carrying out whatever havoc you had planned. That's called an evil twin attack, which I'll write more about later. Believe me, it gets much more interesting and much more dangerous.