In this episode of the Wireless Threat Series Podcast, hosts Adrian Sanabria and Jon Bundy lay the groundwork on all things Bluetooth. They trace the tech from its 1994 origins through today's v6.2 spec, unpacking the two parallel stacks — Bluetooth Classic and BLE — and how they differ in power, speed, and security. They break down pairing methods, bonding, encryption gaps, and the surprising places Bluetooth shows up beyond your earbuds. Plus: a live sniffing demo.
[Anthony Jimenez]
Welcome back to Carahcast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team.
On behalf of Bastille Networks, we would like to welcome you to today's podcast. Adrian Sanabria and Jon Bundy continue the wireless threat series by going back to basics with Adrian Sanabria and Jon Bundy, who will lay the groundwork on all things Bluetooth. They trace the tech from its 1994 origins through today's version 6.2 spec, unpacking the two parallel stacks, Bluetooth Classic and BLE, and how they differ in power, speed, and security. They break down pairing methods, bonding, encryption gaps, and the surprising places Bluetooth shows up beyond your earbuds, plus a live sniffing demo.
[Adrian Sanabria]
Welcome to the wireless threat podcast series sponsored by Bastille Networks. I'm Adrian Sanabria and joining me today is Jon Bundy. How are you doing, Jon?
[Jon Bundy]
Yeah, I'm great. How are you doing today, Adrian?
[Adrian Sanabria]
I am doing good. I'm always excited for these. I love gadgets.
I love geeking out about wireless hacking. And I'm excited particularly today because we're talking about Bluetooth, which is something that is kind of mysterious to me that I don't understand very well. So I'm looking forward to learning more about that.
So in this podcast series, we explore a new class of device or threat in each episode. As I just mentioned today, it's going to be Bluetooth. We help you understand the threat, walk through some real-life scenarios, and even do the occasional live demo, which I believe we have prepared for you today as well.
Ultimately, the goal is to answer the question, should you be worried about this? If you have any devices, threats, or attacks you want us to dissect on this podcast, please let us know in the comments. And as I mentioned, it's Bluetooth today.
And we were going to cover some Bluetooth vulnerabilities, but in prepping for this, we realized Bluetooth is so broad, there's so much going on there, that we kind of need to lay some foundation first, right, Jon?
[Jon Bundy]
Yeah, and you brought up a good point. Wi-Fi came out in 99, so did Bluetooth. So it's been around the same amount of time, but yet you've got all this experience.
We all have experience with WEP, WPA, cracking, sniffing. It's based on ethernet. We're pretty familiar with Wi-Fi.
It's still mysterious. It's RF. But Bluetooth, we just don't have the same tools or experience.
It's like a totally foreign beast, right? So let's dig into some of that background and try to understand it a little better.
[Adrian Sanabria]
Yeah, so the history of Bluetooth, as you mentioned, goes back to the 90s. I didn't realize it was the same time that Wi-Fi came out, that these both came out at the same time.
[Jon Bundy]
Isn't that crazy? It's wild. It was conceived like in 94.
So think back to that time, if you can. You know, there's no USB devices. Computers use serial connections.
They use proprietary connections. Phones were just, you know, flip phones, bar phones. They have proprietary headsets in these cables, and it was just a mess.
You couldn't connect your phone to your computer. You couldn't use different headsets. So originally in 94 or thereabouts, we thought, well, it'd be nice if we could get a wireless headset that wasn't proprietary.
The only wireless back then really was infrared, right, for exchanging things. They started back in 94, and then it evolved a little bit past the headset and said, well, what if we could just replace short cables, like serial cables? That was the rage, all these serial cables.
What if we could replace that? And it evolved into, let's have this low-power, royalty-free, short-range, low-cost thing that you can use for the pan, a personal area network where all your local devices could be connected easily, cheaply, ad hoc. And their first spec came out in 99.
[Adrian Sanabria]
I love that you say royalty-free because that's another thing that's invisible to most people. A lot of people don't realize the reason DisplayLink still exists separate from HDMI is HDMI has royalties that have to be paid. Every time there's an HDMI port on a device or somebody produces an HDMI cable, some of the money that you pay for in that cable or that device is going to some consortium.
[Jon Bundy]
There are still fees with Bluetooth to get certified, and that does go to the SIG, the Bluetooth Special Interest Group, which controls the specification. But to use it, just go ahead and use it. Some other neat trivia, I think a lot of people might know this, maybe they don't, but it was named after King Harold Bluetooth Gormson, who united the Scandinavian tribes back in the 10th century.
[Adrian Sanabria]
Bluetooth is someone's name?
[Jon Bundy]
Yeah. And in fact, the Bluetooth logo itself is the runic H and the runic B, and they smash them together. So if you ever look up, that's the letters for HP, Harold Bluetooth.
[Adrian Sanabria]
What?
[Jon Bundy]
Yeah. You know, these Nordic companies that were involved, like Nokia and whatnot at the time. But he united all the tribes, and they wanted to unite all of these proprietary serial connections and cables into one standard, and it's largely been successful.
I mean, here it is, 25 years later, still going strong, improving all the time. It's everywhere, right?
[Adrian Sanabria]
You just blew my mind. I will never see the word Bluetooth the same way again, or the logo.
[Jon Bundy]
Yeah, definitely look into the logo, it's a little neat trivia there.
[Adrian Sanabria]
So since the late 90s, we've gone through a ton of different protocol versions, and there's different tech stacks here. So from my perspective, not knowing anything really about how the protocol works, I'm aware that I connect to different devices, different ways. So if I'm connecting a Bluetooth keyboard, the operating system will tell me to type in a couple numbers and hit enter.
You know, if I'm connecting to a Bluetooth speaker, there's nowhere to type in numbers, there's no screen on my Bluetooth speaker, so I can't see a pin, I can't match it to anything. In the car, I'm usually entering a pin. I don't know if things are encrypted.
I don't know how the handshake works. Like I assume it's not too dissimilar from setting up like a TLS session or something like that. I've seen Bluetooth low energy advertised a lot.
And I do observe that my phone's battery drains more when I use it in my 2011 BMW. So I assume that's because I'm using the full fat Greek yogurt version of Bluetooth there.
[Jon Bundy]
Yeah, let's talk a little bit about the history of the spec. We'll talk about the tech stacks, encryption, pairing methods, going back to 99, they came out with their initial Bluetooth. There's mostly for these bar phones, flip phones, and connecting headsets, replacing serial cables, simple things designed to be low cost.
Next big one I would say would be 2004 with Bluetooth 2, that released something called enhanced data rate. So originally the spec allowed for a one megabit per second connection, Bluetooth 2 got that up to two or three megabits, great for audio and streaming data. Bluetooth 2.1 added some more security, that was in 2007. Bluetooth 3 was a little bit of a weird one, they dabbled with using Wi-Fi for even higher bandwidth transfers, they actually deprecated it later, so we don't talk much about it.
[Adrian Sanabria]
It was the Microsoft Vista of Bluetooth releases?
[Jon Bundy]
It was a different one, for sure. So up until that time, we're talking about one tech stack. Now we call it either Bluetooth Classic or Basic Rate/Enhanced Data Rate, so BR/EDR. So either one of those two terms refers to that tech stack, which was, we'll say it's a little more power hungry and it's got a little bit of a different architecture than what comes next. So what comes next is Bluetooth 4.0 in 2010. That's Bluetooth Low Energy. It was originally called Wibree by Nokia, but it's Bluetooth Low Energy.
You can kind of get a feel from the name of it, what its focus is on, low energy. So you noticed your battery drains faster, that Bluetooth Classic, while it was developed to be a low power protocol, Bluetooth Low Energy really took that to the next level. So the goal here is to turn the radio off as much as possible, whereas in Bluetooth Classic, they kind of had slotted communication and they'd always wake up and listen and go to sleep and wake up.
Bluetooth Low Energy is a lot more flexible about how often that radio sleeps and it can sleep as much as 99% of the time. That's a big change. So at this point in Bluetooth 4.0, we have two stacks. One is this classic one, it's a little more power hungry. It's better for streaming data, it has more bandwidth and throughput. Bluetooth Low Energy is designed to live off these coin cell batteries for a year or two.
Very low energy, just sipping power. Doesn't really stream data very well though. And then we've got Bluetooth 5 in 2016, they've improved the security a little bit at this point.
They added some speed enhancements so you get two megabit throughput. Bluetooth 5.2 was kind of cool, they added support for audio finally, that was in 2020. This is important because it means until 2020, all of your headsets are using Bluetooth Classic, which are power hungry and subject to some of those older vulnerabilities.
It's only in 2020 and beyond that we start to get something called LE Audio. And even then, it's more like 2022 before you start seeing that. And even now today, only your higher end models often have LE Audio and Auracast, which is related.
Right now we're on Bluetooth 6.2, they've moved the cadence. They're trying to get one or two releases a year. Mostly small tweaks, bug fixes, really more focused on the BLE stack, but Bluetooth Classic was still getting updates in Bluetooth 5 to increase throughput and stability and whatnot.
So there are two parallel stacks that both exist, they both have different strengths. Bluetooth Classic has that compatibility also, if you have an old car, it doesn't have Bluetooth Low Energy. It means Bluetooth Classic or the newer spec, BLE, that's where they're adding all these cool new features like direction finding, ranging, kind of like you've heard about ultra-wideband.
You can use that now with digital keys and make sure you're within a meter or whatever to help prevent those relay attempts.
[Adrian Sanabria]
I think that was one of the things that the Apple just refreshed the AirTags. And I think one of those things was, you know, better ability to find it directionally or something like that.
[Jon Bundy]
That directional finding with Bluetooth is fairly recent, I haven't seen a lot of devices that use it, but it's available. I think for digital keys, that ranging capability is going to be interesting. Your locks, you walk up to your lock on your front door, how do you make sure it's not just relaying your phone signal?
You can range and say, oh, that's actually coming from within a meter or whatever.
[Adrian Sanabria]
One thing that I became aware of, and it didn't occur to me until I used Apple CarPlay, that often Bluetooth is combined with NFC and Wi-Fi and other wireless technologies to put together a whole workflow. Like if you're going to share a file with somebody on another Apple device, I think you can initiate with NFC, you can like tap the phones together, and then something happens over Bluetooth, and then they establish a Wi-Fi direct connection to actually transfer the file because you don't want to transfer, say you've got a 300 meg video file that you just took. You don't want to do that over Bluetooth.
That's going to take forever.
[Jon Bundy]
Yeah. That's a great point. And we saw that with our smart glasses a few episodes ago, where these use Bluetooth Low Energy to connect to their companion app.
They'll often use Bluetooth Classic for the audio streaming. And when you take a video or a picture and you want to get it to your phone, it'll set up a peer-to-peer Wi-Fi network. But you might be kind of talking to the app and controlling everything.
I've seen that in digital badge readers now recently too. They're Bluetooth enabled. Well, your phone application can either actually be the digital key, or as you approach it to your phone, maybe you're going to use NFC.
And by using Bluetooth, your phone can say, oh, I'm getting pretty close. Let me wake up that NFC app that I use. So it's like just a convenience thing, just to know where you are in indoor space and control and manage these other protocols and applications, like you said.
[Adrian Sanabria]
Yeah, it's kind of like magic too, combining all those things together to make it seem seamless. You know, whereas like in the past, if you used earlier versions of these things, it was very painful.
[Jon Bundy]
So remember, it's being developed back in 1999, and they used the 2.4 gigahertz industrial scientific and medical, the ISM, and that's kind of like wide open, anyone can use it. And in fact, Wi-Fi also landed there in 99. So maybe they didn't see that coming.
Maybe they did. But it turns out it's a busy spectrum. There's a lot of collisions.
So one of the different things about Bluetooth that makes it more difficult to sniff is it uses frequency hopping. So it doesn't stay on one channel very long, it moves to another one. Oh, like within a session, it'll hop frequencies.
Within every 625, I think it's microseconds, it's just hopping around very rapidly. Not only does it hop around in that 2.4 gigahertz band, which is about 80 megahertz wide, it uses two different sets of channels. Classic uses 79 channels spread across that 80 megahertz roughly, and BLE uses 40 channels.
And they just hop. One of the cool things BLE does is if there's collisions and interference, we'll just be like, you know what, delete that from my map for now. And they'll just update the maps.
We're hopping on these channels. Oh, cool. So they'll try to avoid that.
Why can't Wi-Fi be that smart? Wi-Fi is just like, we're more power. And they're kind of limited to Wi-Fi in that 80 megahertz space.
There's really only three channels that don't overlap. Channels 1, 6, and 11 that won't really overlap because the channels are 20 megahertz wide. If you're on channel 1, you go 10 megahertz one way, 10 megahertz the other way.
Well, shoot, that hits 2 and 3 pretty easy, right? So you go to 6, that'll cover 5 and 4. Great, you're not overlapping.
And what's cool about BLE is they use three channels to advertise, and they kind of poke in right in between the gaps between those Wi-Fi channels because they know that's the least likely to be interfered with. So that's just a little bit of the technical background on those stacks. So they're frequency hopping.
They're in that congested 2.4 gigahertz range. Hard to sniff because of that hopping. They're just going all over the place.
It's deterministic. There's algorithms, but there's channel maps involved. It's tough.
[Adrian Sanabria]
Yeah. One of the reasons Bluetooth is such a mystery to me is anybody who's done even the lowest level nerdy stuff setting up Wi-Fi has probably downloaded one of those apps where you look to see how busy some of those different channels are.
[Jon Bundy]
You talked about pairing mechanisms too, which is, well, we could do episodes on that alone. That is a complex topic. But let's at a high level talk about pairing methods.
Originally, you'd go and you'd open Bluetooth, you'd find your device and hit connect. Sometimes you'd enter a pin, but often you can't enter it.
[Adrian Sanabria]
And it's always zero, right?
[Jon Bundy]
Always zero, or it was printed on it. Four zeros. Right?
Yeah. But it's almost always zero, or it was printed on the device. And it wasn't secured very well when they exchanged it, but they didn't care.
Like who could sniff it? Right? That's always been the philosophy.
Oh, who's going to sniff this? Well, people are going to sniff it. And they found out that wasn't so secure.
Then they added secure simple pairing in 2.1, 2007. And they added different pairing methods. So not only could you just enter in a pin, but you could do out of band.
I don't know if that was added then. You could enter the pin. You could have just works where that's the one where you find it, hit connect, and it just does it.
You don't have to enter any pins or anything. Or did I say numeric comparison yet? That was kind of the new one.
It's where you show the same number on both devices. The user has to verify that they're correct. So you've got a little bit of a weak link there in the user that can be exploited later.
We'll talk about in the future on some other episodes on some of those vulnerabilities there. But those are the four methods.
[Adrian Sanabria]
And I imagine, I don't know if there's any requirements tied around, like when do you use what kind or if it's more at the vendor's choice? Is a consumer going to expect this to be more secure? Because it's all this security in one hand and friction in the other hand, right?
[Jon Bundy]
It's always a trade-off between convenience and security. And on one hand, Bluetooth is always trying to make it easier to use. And in turn, you lose a little bit of security when you do so.
And the spec has kind of evolved over time to these more secure algorithms and methods, the pairing methods to help address that.
[Adrian Sanabria]
But you're right. Like, I don't think there's any requirements for headphones to be at a certain tier of security.
[Jon Bundy]
Let's talk about connecting, pairing, and bonding and make sure we're clear on those. So connecting means you've got two Bluetooth devices. You want to form a connection and talk to each other.
So at one point, the device is discoverable. And then you want to connect. Now you're actually talking to it.
And it's like, OK, I'm done just being discovered. You and I, we're face-to-face. We're talking to each other now.
[Adrian Sanabria]
And I've noticed some are always discoverable and other ones have to be put into some kind of pairing mode.
[Jon Bundy]
Yeah. Some devices like to always advertise and be available. Sometimes you have to explicitly put them in pairing modes.
But at the very core concept, the connection means you connect. And we're going to show this in a demo later, just connecting to something. Pairing means now you've tried to read something that needs a higher security level than this unencrypted connection we've just made.
Pairing means we're going to go through one of those pairing methods and do some key exchanges and come up with some keys together so that we can encrypt. You're right. That sounds great.
But pairing is then thrown away after you disconnect. So what happens next is you bond. Bond means let's remember the key that we just independently derived, that secret that we came up with.
We're going to remember that. So the next time I see you, you don't have to enter a pin again. We'll just use that key again.
We'll recognize each other because we both have the same key. We'll use encryption when we need to use it. And along we go.
Connecting, which is just an unencrypted connection to a device so you can communicate. At some point, you might need higher security, which would lead to a pairing event that would just happen. And then you get the pop-up on your screen that says, is this the same number or enter this pin?
Or maybe it uses just works and it comes up with a key in the background you never even knew. Like you were saying before, you don't know. The phones aren't telling you if this is an encrypted connection or not, what version of Bluetooth it is.
It's really opaque. It's hidden from the user. And the last step is bonding.
Okay. So now you're saying, well, what are the requirements that what must a device use? Well, it's a little loosey goosey.
The Bluetooth SIG has deprecated specs, right? And they said, okay, anything like 4.0 and below. No, we're not going to certify anything on that.
You have to be like 4.1 or 4.2. So you have to.
[Adrian Sanabria]
Because there's vulnerabilities.
[Jon Bundy]
Those are broken or there's issues. Yeah, there's issues. They've updated the encryption.
They've updated the pairing methods. So I would suspect it's 4.2 and up because 4.2 is when Bluetooth Low Energy got secure connections, which is the enhanced security that we're still looking for for pairing. So if you want to get certified, which costs, I don't know, maybe 25K or so for your device, you have to comply with version 4.2 and up. But basically the SIG will want you to be fairly current, which means you would support the highest level of encryption and pairing mechanism. But devices don't always get certified. Are they allowed to claim that they're Bluetooth?
No. Do they do it anyways? Yes.
I've got some generic AI glasses that say they're Bluetooth 6.
[Adrian Sanabria]
Your Temu Bluetooth specials, right?
[Jon Bundy]
Yeah, I looked, sniffed it. So they say they're Bluetooth 6. I'm like, wow, that's pretty good.
You know, that only came out a year or two ago. I looked at them authenticating and they're using the older secure simple pairing from version 2.1 from 2007. They're not using the current stuff.
Now, the Bluetooth SIG wouldn't authenticate. They wouldn't certify that. But these glasses also don't claim to be certified Bluetooth devices as far as I can tell.
Cheaper devices might do whatever. Why do they do that? Well, they probably already have existing silicon that does what they need it to do.
Maybe they just changed it to say it's Bluetooth 6 compatible. Right? Maybe it isn't.
It's cheaper to not have to do the more expensive encryption.
[Adrian Sanabria]
And who's going to know? I mean, the average buyer is not going to know.
[Jon Bundy]
But I would say, you know, if you stick with your major brands, you're probably gonna be safer. If you see that Bluetooth symbol on there, then you know it's certified. That's probably a good thing to know.
But at the end of the day, are you going to know if it's using Bluetooth Classic or BLE? It might be hard to tell. Will you know if it's encrypted or not?
Might not say.
[Adrian Sanabria]
So something else I want to touch on before we get to our demo. We've mostly been talking about consumer devices, but you did bring up badges. Where else do we see Bluetooth, you know, outside of consumer devices like headphones and cars?
[Jon Bundy]
It's almost like, where don't you see it? I mean, the shipments are in the billions. I think they're projecting 7 billion devices shipped.
More than people.
[Adrian Sanabria]
Yeah.
[Jon Bundy]
More than people per year.
[Adrian Sanabria]
Almost every device I personally own supports Bluetooth.
[Jon Bundy]
Doesn't it? Right? Like what doesn't support?
It's almost hard to not have Bluetooth nowadays. Medical devices, glucose monitors, pacemakers, smartwatches, badge readers. We've got HVAC controls and industrial controls.
I can't think of a device that wouldn't somehow get Bluetooth stuck into it. Some of the interesting use cases I've seen are these like ID cards that are used in the medical industry. So you can locate them.
I was not aware of those. Yeah. Or it's got a panic button, or if you need help, you can double tap it.
So you know where your staff is. You might know where your patients are. You can find the nearest doctor.
You can see if someone's about to enter a hazardous zone. So they'll use them for roll calls at factories and places that are hazardous industrial places. You might have muster points and you can automate the roll calls.
You can have them in your hard hats. Make sure someone's not about to enter a dangerous zone. You can see the package tracking.
I've seen FedEx stuff on the packages so they can track it as it goes through. They'll put, like you said before, they'll put cellular and GPS on it and Bluetooth and all the things so they can always see where it is.
[Adrian Sanabria]
Yeah. And these, like even the AirTags have little speakers on them, you know, so that if you lose them, you can tell from the phone, hey, you know, chirp or something like that. So I can find you.
[Jon Bundy]
Bluetooth, it's everywhere. It's kind of like Wi-Fi getting in the appliances, Bluetooth getting in the appliances. There's an app for everything.
And those apps almost always use Bluetooth for that connection because of the low power. Yeah. So let's get to the demo.
Yeah. So one of the things we talked about earlier was how easy it was to sniff Wi-Fi. You just need an adapter that you can put in promiscuous mode, or you could even sniff it from your adapter or your traffic.
And then it's Ethernet. I understand Ethernet. But with Bluetooth, it's a lot harder to sniff because of all this hopping.
One hand, you can try to capture the whole 80 megahertz of bandwidth, but that's a pretty expensive software defined radio or tool to get all that bandwidth. On the other hand, you can try to hop along with it, but it's really hard.
[Adrian Sanabria]
But you would need a bunch of different antennas, right? You've got antennas. To cover the whole range?
[Jon Bundy]
Single antenna, but you've got a couple approaches. Let's start with like cheap and go to expensive. And what I'm going to show here is like free.
One thing you can do is buy something that is like a Bluetooth dev kit, a dongle that does Bluetooth. And in fact, even cheaper than that, you could buy a Bluetooth dongle. Use it on Linux and dump out information at what's called the HCI level, the host controller interface.
Bluetooth is kind of split into two parts. There's the controller, which is the radio and handles all the encryption and transmitting. Then there's at the OS level or the host level that manages messages.
So you could sniff at the host controller interface level on Bluetooth for traffic that's coming to you. So you can sniff your own traffic using that. The cool thing about being at the HCI level is the decryption has already happened.
So we talked about encryption earlier. Over the air, it's encrypted, comes through the controller level. It's decrypted there, passed up to the host level.
So if you snag it as it goes through that host level, you can do that. So you can do that on Linux with just a regular old Bluetooth adapter. You can do it on Windows with their dev tool.
It's called Bluetooth Virtual Sniffer. On Android, you can go into developer mode and you can dump those HCI logs and you can even stream it live into Wireshark. Mac has a packet logger that can do a similar thing.
It's from Xcode. So you've got tools to get that HCI level. Now, what if you want to get over the air traffic?
That's the next thing. So you get these dev kits, maybe $10 to $50. My favorite one is an nRF52840 bundle.
It's about $12 now. You can do Bluetooth sniffing. You can connect.
It can do ZigBee and 802.15.4. It's a really flexible little thing. And what I can do with it is I can sniff directly over the air from the advertising channels into Wireshark. And I can even try to follow a connection.
And it's pretty good at doing that. Usually, the connections will encrypt themselves after a few seconds. And then you don't really have much luck unless you want to try to break the key, which is a whole other story.
Then you've got other, more fancy tools like a CatSniffer that has multiple radios, implements one of these dev kit stacks, and it can sniff things. It's under $200. The old Ubertooth One, it's kind of legacy.
It's a little fiddly now. It doesn't work that well. I've got one of those somewhere in this office.
It kind of works. And then there's a do-it-yourself using something called ICE9 with maybe two SDR software-defined radios to get the whole 80 megahertz spectrum and decode it all at once. So you need some expensive...
[Adrian Sanabria]
And what does that run?
[Jon Bundy]
Well, the software is open source, but the two SDRs will probably be a couple grand each, $3,000 to $10,000 each, depending on which ones you're using to get that full bandwidth. So now you're getting into the thousands of dollars. This is just for Bluetooth Low Energy.
I haven't talked about Bluetooth Classic. Bluetooth Classic is really more difficult. Now you've got specialized hardware like Ellisys, Teledyne LeCroy, RF Creations, Spanalytics.
They have dedicated hardware that'll do that entire bandwidth and decode it all, and Bluetooth Classic at the same time with Bluetooth Low Energy. But now you're at $30,000, $40,000, $50,000 plus.
[Adrian Sanabria]
Wow.
[Jon Bundy]
So now let's show what I have on the phone. So this is a test phone I have, and I've got something called nRF Connect, same company, Nordic, that makes BLE chips. This is a BLE tool, and it's free.
[Adrian Sanabria]
They also make the NFC app I use, I believe.
[Jon Bundy]
Yeah, I wouldn't be surprised if they had NFC. All this did, I started it up, and it's just scanning. What is it scanning?
We talked about advertising channels before. Most Bluetooth Low Energy devices want to be found, so they advertise. So here I am.
Here's what I am. Here's what I can do.
[Adrian Sanabria]
Can you just install this app on any phone? You didn't have to put it into developer mode or jailbreak it or anything like that?
[Jon Bundy]
You can go to Google Play and download it. Now, Android, it has a little more capability than iOS, because it's on a low-level Bluetooth access. But this can scan.
Here I've got some things advertising. Right away, it pulled out the device name. So I've got a plug note pin somewhere.
I can't turn it off. It doesn't have an off button. I checked.
Well, you're going to turn it off eventually. I guarantee it, because that battery's not going to last. I've got a shield.
I've got a Find My device. So Google Find My. It could be this very phone itself.
Probably not. Who knows? And we talked about connecting, pairing, and bonding.
So look, I can connect to this thing. It's just sitting there advertising under my desk in a bag somewhere. And right away, it gives me the GATT server.
So we've got these generic attributes, G-A-T-T, GATT. Oh, OK. Right?
You can look through it. It's got some indication. You've got things like device name.
We've got these firmware versions. Before, I was able to read. I'm not sure what's going on.
Let me connect to it. So if I read this, I should get the same device name. Plug note pin.
[Adrian Sanabria]
Oh, cool. Appearance.
[Jon Bundy]
They just didn't use that feature. They didn't populate it. What else?
Firmware component. Look, I'm not authenticating. I'm just some random person that just connected to this thing.
Now I'm reading information right off of it. Let's see what the battery level is. It's at medium.
I can't wait till it gets to dead. Very precise. Yeah, high, medium, low is probably good.
Sort of OK. Yeah. And so you see all of this.
I'm not paired. I'm just connected. Not bonded.
[Adrian Sanabria]
Right? I didn't pair. So you can get all this without actually pairing to this.
I guess I don't see a strong reason to encrypt the battery level.
[Jon Bundy]
Some of these hopefully will be encrypted or hidden. You've got this battery service.
[Adrian Sanabria]
But yeah, then I also can't see a reason for that to be available without you connecting to it. I guess it depends on the type of device.
[Jon Bundy]
We'll talk about that in the future. There was a vulnerability in the Find My or the Fast Pair service that was available and abused. All this stuff, it's just there for you.
This is a free tool. The other thing it does is track RSSI values. You can kind of use it to hunt for things by seeing where the signal's strongest.
You can filter down to just one of them. You can actually make your own advertisements. So I could just make something up and transmit it and see if I can see it.
And one thing I did is I pretended I was the Plod Notepad. So I just cloned it. You can go over here to Plod.
Instead of connecting, what if I wanted to go there somewhere and clone it?
[Adrian Sanabria]
Yeah.
[Jon Bundy]
And then you can come over here and you can advertise it. And it turns out the app was like, oh, hey, you're a Cloud Notepad. And then you connect.
Now you can see what the app is trying to send back and forth.
[Adrian Sanabria]
It just... Oh, for debugging and stuff like that.
[Jon Bundy]
Debugging, reverse engineering. It doesn't get too much into the details like Wireshark. This will give you just the advertisements, some of the raw data, the values.
You can look them up and assign numbers and things like that. And it does actually, if you just connect things to it, it'll say, hey, something connected. Would you like to debug it?
So we've got... These are some Chinese glasses. I don't even know how to turn all of these on.
[Adrian Sanabria]
You got some new ones recently, right?
[Jon Bundy]
Oh, I've got so many. So I think this just turned on. Oh, it connected automatically.
Because this is bonded to the phone. So the pair shared keys and then they connected. And now it's connected.
I've never looked at it. So this is a fun way to play around with Bluetooth Low Energy.
[Adrian Sanabria]
All right. I think that's a great foundation for then getting into the different vulnerabilities. So we're going to talk about that stuff in our, I think, next two episodes.
So thank you for that, Jon. That was, I think, as comprehensive as we could be in a reasonable amount of time.
[Jon Bundy]
I mean, it's an almost 4,000-page spec with dozens of profiles attached to it. It's pretty hard to cover. I still get lost.
I've been staring at it for years.
[Adrian Sanabria]
Yeah, I looked at it once and it was jaw-dropping, the amount of detail that it gets into in there. Because it does so many things. Like you have no idea how many things that they built Bluetooth for, you know, stuff that you will never use in a device.
[Jon Bundy]
The nice thing is that once you get familiar with the layout of the spec, it is fairly well organized. And it'll tell you the layout of the format of the packet and what it should look like and when it should be used and what's valid and what's not valid. But it might take a while to find it.
But once you found it, it really does help.
[Adrian Sanabria]
Awesome stuff. Well, Jon, thank you so much for joining me today. This was a really fun one.
I learned a lot about Bluetooth.
[Jon Bundy]
Great.
[Adrian Sanabria]
All right. You can check out Bastille.net forward slash blog for more information on wireless threats. Always adding stuff there.
And we are now publishing on Spotify and Apple podcasts. So you can check us out there if that's where you prefer to get your podcasts. Don't forget to leave a comment with what you'd like to see us discuss next.
And we'll see you next time.
[Anthony Jimenez]
Bye-bye. Thanks for listening. Thank you to our guests, Adrian Sanabria and Jon Bundy.
Don't forget to like, comment and subscribe to Carahcast. And be sure to listen to our other discussions. If you'd like more information on how Bastille can assist your organization, please visit www.Carahsoft.com or email us at bastille@Carahsoft.com.
Thanks again for listening and have a great day.