Listen to the full podcast here: https://www.carahsoft.com/podcast/s8-bastille-presents-3a-the-wireless-threat-series-podcast
Federal agencies and businesses face growing exposure to wireless threats as modern devices introduce new cybersecurity attack vectors that traditional security tools cannot detect or control. To mitigate consumer and enterprise risks associated with IoT devices in no-phone zones, Bastille Networks’ wireless intrusion detection system identifies and quarantines unauthorized emitters and behavioral abnormalities before data breaches can occur. Explore real-world examples of how Bastille’s IoT security solution proactively defends mission-critical environments from covert emissions, unapproved device behavior and Wi-Fi deauthentication attacks.
Anthony Jimenez
Welcome back to Carahcast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team.
On behalf of Bastille, we'd like to welcome you to today's podcast. We'll be joined by Bluetooth experts from the Defenders Initiative and Bastille as we look at Bluetooth hacking techniques and the security measures needed to defend against them. We'll talk about things like keystroke injection via compromised keyboards, surveillance through headphone microphones, and whisper pair vulnerabilities.
We'll end with what this means for individuals and enterprises alike. Hint, enterprises tend to have a lot more to lose. This is part two of a two-part series focused on Bluetooth.
Check out part one focused on Bluetooth vulnerabilities.
Adrian Sanabria
Welcome to the Wireless Threat Podcast Series sponsored by Bastille Networks. I'm Adrian Sanabria and joining me is Jon Bundy. We are going to jump into the hacking side of things.
Last episode, we talked about vulnerabilities. Episode before that, we talked about the basics of how Bluetooth works. So if you haven't seen those, be sure to go back and check those out because we're going to be building on top of the things we talked about for those episodes.
If you hear some acronyms you don't understand or phrases or even vulnerabilities, that's where you're going to find the source of those. In this podcast series, we explore a new class of device or threat in each episode. In this case, this is the third part of a three-part on Bluetooth.
We help you understand the threat, walk through some real-life scenarios, and even do the occasional live demo. Ultimately, the goal is to answer the question, should you be worried about this? If you have any devices, threats, or attack you want us to dissect on this podcast, please let us know in the comments.
Jon, let's jump into it. Where we left it last episode, we were talking about a lot of different vulnerabilities that could be hit in different ways. And starting out, there were issues in the spec or people didn't implement the spec correctly and then kind of got into manufacturer, vendor, chipset vendor-specific vulnerabilities that would affect whatever device you put those chips in.
Jon Bundy
Yeah, that's a good summary. It started off kind of the Wild West, where the spec was developed, but security wasn't really there, and people started abusing that, too. Then they toughened up the security in the spec, but there were flaws in the spec, flaws in the implementations.
People used that to now, these devices are so complex, vendors are putting new layers on top, and those vendor-specific layers are being attacked, whether it's a debug engine that was left there, but hidden, or a convenience feature that was added that didn't do a fundamental security check. These are all starting to come out now, so there's all sorts of different flavors of vulnerabilities out there.
Adrian Sanabria
So in this episode, we're going to put on our hacker hats. We're going to talk about like, what can you actually do with some of these vulnerabilities? And before we jump into the details here, are there some situations where we've actually seen widespread Bluetooth hacking or any big incidents we know of, aside from people being jerks at DEF CON and BLE spamming people or rebooting iPhones?
Jon Bundy
Yeah, I think it's mostly been the nuisance things. Like you alluded to, we talked last time about Bluetooth spam, where you can send out these messages that cause pop-ups that are an annoyance. That was easy. Back in the day, similar things with pushing your contact information and whatnot.
But I haven't seen too much about these actually being used. I mean, the impact of some of these is pretty serious. If you get control of the keyboard, you can do keystroke injection, that can be bad.
If you get control of headphones, you can maybe listen in using the microphone, that could be compromising. I just don't see it as much in the news about these actually being implemented, widespread and used.
Adrian Sanabria
Yeah.
Jon Bundy
Have you seen anything that you remember?
Adrian Sanabria
I haven't really. It'd be interesting to talk to some pen testers. I think when we get into the logistics of Bluetooth hacking, I think that explains some of the reason why.
I remember when, I think it was Armis that announced the seven Bluetooth vulnerabilities all together, the BlueBorne vulnerabilities. And the headline was like, billions of devices vulnerable. But yeah, it's not like these firewalls on the internet that have a vulnerability, or SSL VPNs or something like that, where every attacker in the world has access to them because everyone's connected to the internet.
Bluetooth, you need proximity, right?
Jon Bundy
Yeah. Generally, you have to be pretty close in order to interact with that device.
Adrian Sanabria
Another thing that occurred to me is that for my own specific examples, I have some really old Bluetooth devices. My 2011 BMW is a very old Bluetooth device that has not been patched. That is probably vulnerable to stuff.
I don't know if you can listen in on my phone calls when I'm in my car, but I would not be surprised if you could, if that's something that you could still pull off.
Jon Bundy
Yeah, if you keep moving and you probably get away from them, unless they're in your trunk.
Adrian Sanabria
Right.
Jon Bundy
If you see another car next to you.
Adrian Sanabria
Right. On the highway, you could have another car next to you for an hour, right? You know, and that wouldn't be too abnormal.
So yeah, the proximity, let's talk about that a little bit. Most of the devices will tell you 33 feet or 10 meters, but you can go way further than that, right?
Jon Bundy
Yeah, sure. The spec was always, you know, like 10 meters and then 100 meters. Bluetooth 5 said, well, you can use more power in the long range physical layer adaptation, so you could get longer range on purpose.
But without any of that, people have been using directional antennas to get more range, up to kilometers sometimes. But physics really limits us here. You've got a low-powered, battery-powered device with a small antenna.
There's really only so far that signal is going to go no matter what antenna you have. Now, having said that, these off the shelf Bluetooth chips with their little antennas, there's a satellite network called Hubble that is receiving signals from orbit. It's off the shelf Bluetooth hardware, but they did tweak the software stack.
The satellite has to be in the perfect place and the device has to know exactly when it's going to be in the right spot. They have to deal with timing and things, but it still works. So that's a pretty extreme range.
Adrian Sanabria
Establish a Bluetooth connection directly to a satellite. That's wild.
Jon Bundy
See, that's misleading and that's part of the terminology we got to before, because it's not a connection in my mind because it's one way of communication. It's only one way. The device on Earth isn't receiving anything from the satellite.
It can only broadcast to the satellite so far. Things might change. Yeah.
It's an interesting concept. I mean, who'd have thunk it? Bluetooth from two and a half decades ago was meant to replace the wire between your headset and your phone.
That has evolved to this now, where the same battery-powered tiny device with an off-the-shelf Bluetooth stack that's used for normal headphones, keyboards, mice, whatever, can now have different software, and now its signal can be observed in space. So don't count on that 10 meters being the limit, but there's still limits.
Adrian Sanabria
So if you really wanted to target, say a hospital or an office from a building across the street and you got on the same floor and you're right across the street, you could probably point a high powered antenna at a room and get through the glass and be able to talk to that device, I would imagine.
Jon Bundy
Very likely. Or in the parking lot, or the floor above or below, or next door in the coffee shop. Where there's a will, there's a way. Yeah.
So I wouldn't count on that 10 meters protecting you.
Adrian Sanabria
And then what kind of hardware do I need to pull off a Bluetooth attack? Can I just use a laptop and the Bluetooth chipset in it? Or is it like Wi-Fi hacking, where you probably need a specialized piece of hardware?
Jon Bundy
Yeah, it's really interesting. It's not as, I don't want to say easy, as Wi-Fi. With Wi-Fi, if you get the right USB Wi-Fi dongle that can be put into monitor mode and can inject traffic, you can pull off pretty much all of the attacks. That's all you need.
You know, $60 dongle, probably a Linux, something where you can have that low level control of the Wi-Fi stack. Bluetooth's a little different. There's just not that all in one device.
There's lots of devices that can be used for different parts of the attacks. So if you talk about reconnaissance right up front, you could use your phone and just kind of see what's out there. There's apps on your phone that'll do it.
You can use your computer's internal built-in Bluetooth. You just turn it on and say connect to device and it's going to show you what's out there. That's recon.
What goes with what. So I knew reconnaissance. I got the first one.
That was an easy one, right?
Adrian Sanabria
Yeah. I think talking about some specific attacks, one thing I was kind of curious about, there was the nearest neighbor attack, which was, I forget the name of the company that discovered it, but they were doing incident response and they found that it was allegedly a Russian actor that wanted to get into this company in DC. They had working credentials, but they couldn't get MFA, and whatever that company had exposed to the internet was asking for MFA. And we don't know what the attackers were thinking, but I imagine somebody thought, hey, I bet the wireless network is connected to single sign-on and doesn't have MFA, because that would be very inconvenient, or maybe Wi-Fi access point specs don't support it well. And so they pull up Yandex Maps, I imagine, because they're in Russia.
They're probably not using Google Maps. Look at the businesses that are around this company they're trying to hack, like physically close to it.
Like we were just talking about here, on the same floor in the building across the street, or maybe a business on the floor above or floor below. And they hack those companies and they find a PC that's plugged in via Cat 5 and use a spare wireless adapter, and then, sure enough, credentials work. No MFA.
I'm wondering if maybe that would be that same attack would be plausible with Bluetooth as well. I don't see why it wouldn't.
Jon Bundy
Yeah. Again, it depends on the attacks, but getting back to basic recon, sure. Then you could probably look at what's out there just by using the functionality of any old Bluetooth adapter where it gets a little more challenging as well.
What if you want to then start connecting to things? Most of us just have a way to use the adapter and connect with their phone applications. You can use, we showed one earlier called nRF Connect, on your phone.
You can use this to scan for devices, pick one out and connect to it. That's for Bluetooth Low Energy only, but there's other tools that will work with Bluetooth Classic. Linux is pretty much a go-to for me, because you can get those low-level Bluetooth messages very easily.
You get an HCI log, the host controller interface log to see what's out there, understand what the devices do. You can manually connect to devices and manually query their databases and do the profiling and discovery with that, with just a regular old Bluetooth dongle.
Adrian Sanabria
Maybe just that recon can tell you interesting things. Just with the recon, how much can I see, Jon? Can I see that it's an insulin pump, that it's gym equipment?
Can I tell what class or type of device it is without actually doing a full connect?
Jon Bundy
You might not even need to connect most of the time to see it. A lot of devices in Bluetooth Low Energy, they advertise, they say what they are, at least their name or some identifying feature so that the application on the phone that's meant to work with them can find it and display it to the user. They want to filter out all the noise because if we just look now at all the advertisements around us, we've probably got dozens of devices at any time that could be advertising.
How do I know which one to pair with? Something in there has to tell you, and it tells the app. Sometimes they use a unique identifier that only the vendor knows, but you can figure it out.
Sometimes they use a unique identifier that's been assigned to them that says, hey, I'm a heart rate monitor, I'm an insulin pump, I'm a keyboard. So you do get a lot of information without even connecting, just by listening. And then if you connect, yes, depending on the security level, some attributes of the device will be protected.
They'll require you to pair and then start encryption before you're allowed to read them. But a lot of attributes won't be encrypted. You can just read them.
What's the device name? What's the battery level? Hey, it's got a battery.
Is there a left and a right involved? Oh, it's headphones. What's your class of device?
Things like that can just be exposed and read without any encryption or not too much work.
Adrian Sanabria
Yeah, it makes sense. How about the devices that they're connected to? I imagine the host devices, maybe you can identify some of those as well with Bluetooth.
Jon Bundy
Yeah. Not only... So once you open up your Bluetooth settings, like on Windows, if you open it up, it says, hey, if you ever notice, it says, I'm discoverable now.
What does that mean? It's broadcasting information right now. So anyone that's listening, it'll usually be the computer name.
So you'll see the name, which often will tell you something about what it is. Is it a server? Is it a desktop?
Adrian Sanabria
Right.
Jon Bundy
Is it a printer? Is it a laptop? You can figure that out.
Adrian Sanabria
Naming conventions.
Jon Bundy
Like Microsoft, they use the connected device protocol, CDP. Xbox and Android use it, and it might be on and you might not even know it. And some of the devices around me use it.
And so I can see that there's a Windows 10 class device sending this message because it says that I'm a laptop, I'm a Windows 10, or I'm an Xbox, I'm an Android, and that's just being sent, again, without even connecting or querying. So yeah, you can definitely find out a lot about the devices just by listening, just by connecting and doing a little query.
Adrian Sanabria
I always find it helpful when I see somebody's got a hotspot available or something like that. It's their name and iPhone.
Jon Bundy
Right.
Adrian Sanabria
So now I can say their name and they're going to look up at me.
Jon Bundy
Not only that, but that's a good point. So that's similar. So that's Wi-Fi.
But in Bluetooth, the same thing's going on. So what you saw is just the SSID that's broadcast. But if you look at the other information in the beacon, which is, we'll say, Bluetooth advertisement is the equivalent.
If you look at the beacon, there'll be all sorts of information saying that, hey, I've got some Qualcomm or Broadcom vendor-specific information. Now you know the chipset, which allows you to profile and say, well, what vulnerabilities are there for that chipset that we might know of, right? It'll also say, hey, I'm using a peer-to-peer protocol.
So, okay, we kind of knew that already, that it was a hotspot, but it might also include things like a device name, a device class, might say it's a telephone or a smartphone. There's other things buried in that beacon. Same way in the BLE advertisements, there's information just exposed there.
All you have to do is look up these numbers and say, oh, it's a keyboard, or, you know, I know from the OUI, or you can tell if it's a Flipper based on what color it is, because they use a different value depending on the color. So you can just discover things just by listening very easily, but that's not hacking yet.
Adrian Sanabria
Well, the reason I ask is that's actually, I don't know how common this is for pen testers, but back in the day, when I started working for a pen testing company, we didn't have a company methodology, so I had to come up with my own. And the way I would start off every engagement is by just doing a packet capture on the network and doing some wireless scans, because all that stuff will tell you what manufacturer models of devices that you're working with, that you're dealing with. So you can start to form an idea of how you're going to go about the engagement now that you know what you've got there.
Yeah. I'm looking at this Microsoft CDP and like, there's even a number specifically for Surface Hub to tell you that it's a Surface Hub. Only to Microsoft, it's important, right?
Yeah.
Jon Bundy
Nobody else. But yeah, they have specific numbers and that's just broadcast clear text. You just described the reconnaissance and profiling stage and on Bluetooth, it's similar.
You just need a dongle, a phone app. For Bluetooth Classic, it is a little more difficult, but you can still use Linux and a dual-mode dongle, one that supports Bluetooth Classic and BLE, which most of them will. And you can do a discovery and it'll go out and it'll try to find all the devices that are in pairing mode or discoverable and query them.
Then there's tools that you can just get that will then connect to each one, unencrypted, don't pair, query them as much as they can until the device says, whoa, you can't ask me that. We need to pair and be secure and then kind of lose the connection. And there's even a cool tool.
I saw it at DEF CON a year or two ago, and he said, hey, Apple does this. You hit an attribute and then it says you need encryption and it kicks you off. So what I do is I connect again, then I skip that one and continue on and try to get them all.
You can build up this information just with simple tools. You can then do a packet capture, like you said, with, you know, you step it up to $10, maybe $12, you get something like this nRF52840 dongle from Nordic. It's only Bluetooth Low Energy, but they have a Wireshark dissector.
You can plug it in to any OS, Windows, Mac, Linux, and they have dissectors and they'll dissect Bluetooth Low Energy advertisements and they'll even try to follow a connection. So if you watch the device, you say, follow it. When it connects, it'll start following.
Why is that important? If you remember back from the first episode, Bluetooth is a frequency hopping protocol, right? So it'll change channels every fraction of a millisecond.
It'll hop around to a channel. So you can't just listen like Wi-Fi, you pick channel one and you listen, there it is. It's not going anywhere.
But with Bluetooth, once that connection starts, you have to follow them as they hop around. That's a challenge, which makes it a little harder to do some reconnaissance and discovery because now they've moved from that advertising and discoverable phase to a connected phase where it's just one device talking to another and they hop in, you know, synchronized hopping to different channels and exchange information. Usually it's going to be encrypted, but not always.
So if it's not encrypted, wouldn't it be nice to follow it and listen in? You'll see this in, if you ever go to a BLE hacking seminar, this is invariably what they start with. Some unencrypted device.
So I've got a Bluetooth light bulb, it's not very expensive, but it doesn't use any encryption. To hack it, all I have to do is I connect to it instead of the app and I send the right command to the right service, to the right attribute, and it turns on, it changes color. So how do you get that?
You sniff it. If you can follow the connection and sniff it, you can reverse engineer all of those commands. Someone's probably done it for you already and put it in a GitHub repository, but if it's a new device, it's not using encryption.
You'll want to be able to follow along and do that packet capture you mentioned. So you can reverse engineer it and then you can send it. Or the next step is, well, let's say you want to hijack that connection.
There's a brilliant hack, and now we start to get into other hardware, but they started using micro:bits. A little micro:bit, maybe they're $15, $20.
Adrian Sanabria
A hobby computer for students?
Jon Bundy
It's a single chip. The BBC developed it and they give it away to UK, like, seventh grade students so they can learn about computing. It uses a graphical programming language and it's a clever little thing, but it uses a Nordic chip.
But you can run MicroPython on it and get kind of raw access to the radio. And so someone said, hey, what if we could use these? And we just listen to a channel.
And every time the connection that I care about goes by, just take some data points. And if we use three at a time or more, you just watch. And we see whenever these devices, as they're hopping, whenever they go by, there's an algorithm that controls the hopping sequence.
So if you have enough data, you can figure out the algorithm used in the channel map. And then once you know that, you can tell another device, Hey, follow along that connection. And then there's an attack.
So now it uses another device, another Nordic chip, I think. And that one will try to abuse the spec and it'll jump in. So here's a hack.
So let's take over this unencrypted connection. I'll pretend to be the phone in this case, so I can control the light bulb. The way Bluetooth Low Energy works is that light bulb wants to sleep as much as possible to have the low energy.
So it'll wake up on a schedule just before the phone is about to transmit. And how much before? Well, the spec defines it.
It says, based on how long you waited and how bad your clock is, which they exchange information, you're going to have to wake up this much early. So the attack says, Hey, I can start transmitting that much early and try to beat the phone. And what'll happen is the light bulb will see the early transmission.
Hey, okay. And what you do is you say, Hey, let's change our hopping sequence real quick. Go over to this channel.
And you just push it away and then you take over and then the phone keeps trying to connect and eventually it drops. But you can hijack it. I've successfully done that, but it's kind of complicated.
You're running three little micro:bits trying to reverse engineer a hopping sequence and then using a second device to try to beat the timing.
Adrian Sanabria
Like a race condition. I guess you would consider that a race condition.
Jon Bundy
Yeah. But you're just using the spec. There's no vulnerability.
That's just how the spec's designed. You're abusing the spec. You don't have a really good clock.
Yeah. If you don't have a really good clock, you just have to put that little jitter in there and you just abuse it. You beat that window and then you're in.
So I've got that to work. It's pretty complicated. It's fragile, but that's another hack.
Now you're using a couple of these $10 devices and maybe another $50 dongle and some Python and Linux and you can kind of try to hijack a connection.
Adrian Sanabria
So moving on to what you can do with these hacks, what could be a concern for a business that they have in their environment? Based on everything we're talking about, I think injecting keystrokes and surveillance are two things I'm going to be looking for, because a lot of these devices we're talking about, even people who know better don't patch them. You know, so even though the patches have been out for years, these things are potentially still vulnerable to it. And injecting keystrokes, I can do a lot there.
I can get control of a PC. Surveillance, I can turn on a microphone. I can record what's being said.
I've seen that in both headphones and cars. I've seen both have that vulnerability. Those would be the two things I think I would be looking for.
I wouldn't be looking for crashing any devices. I wouldn't be looking for annoying people like running spam, BLE spam or anything like that. Injecting keystrokes would be super useful.
From outside the building, I could potentially get malware on a system, get remote control of a system and then surveillance, like sensitive business conversations, M&A plans, like if you could turn on a microphone in a conference room or on somebody's headphones.
Jon Bundy
Yeah. And I'd say those are probably two big classes. And under surveillance, I'll add pattern of life in there as concerns, right?
So let's talk about those. So I just talked about a hack that used four devices and precise timing. How easy is it?
You know, that's a little tough, but there've been some recent vulnerabilities that have proof-of-concept code. Before, someone would fuzz a stack, so they'd send all sorts of random inputs to a stack until it crashed and, like, aha, vulnerability, and usually it was a crash. But if you're lucky... Crashes are much easier to find.
Yeah. Okay. Annoying.
Reset the device. Reboot it. But if you got lucky, then you'd get some buffer overflow.
You'd say, oh, aha, aha. Now I could perhaps send some remote code execution. Okay.
But now we're talking about sending something that's going to run on that Bluetooth stack, some assembly code probably to get it. And they don't include that part. Like, I got it in here.
I made this work. And it's an exercise for the reader now to like, yeah, that's probably not going to happen.
Adrian Sanabria
Remote code execution on AirPods? What am I going to do?
Jon Bundy
It was probably Bluetooth classic speakers and things like that. Remote code execution. But yeah, then, okay, great.
So remote code on a Bluetooth speaker, best case, what do you get? You get the microphone.
Adrian Sanabria
Yeah. Maybe there's contact. If there's a microphone, not all Bluetooth speakers.
Jon Bundy
Yeah. If they do calls. A lot of them do calls now, right?
Right. To speaker phones. So you might get a microphone if you're lucky.
The best case use is when you've got a loud party next door and you want to shut it down. Yeah. So, okay.
And there's no proof of concept for it. So you're like, well, it's great. It's there.
But I can't really take advantage of that as an attacker. Yeah. Lately, there's been some more code, proof of concept code, that actually is full end to end.
And it falls right in those two categories you talked about. And that's where I think you should be concerned. Really consider it.
And let's talk about surveillance, like with your headphones. There's something that came out late last year, early this year, called WhisperPair. And they just dropped the actual proof of concept code a few weeks ago.
And what it does is it exploits the Google Fast Pair protocol. And some vendors forgot to implement a check. And it allows the protocol to go through its normal process.
And the attacker can then forcibly pair to an active headset and be in control and be connected. Once they're paired, they can use the microphone and listen. So that's surveillance.
It works. And not only does it work, I downloaded it and tested the proof of concept on the same pair of headphones that you have that I downgraded because I did patch them. But I downgraded them back to the vulnerable version from early last year.
And it worked. So now, as an attacker, if you're using those, I could probably sit outside and maybe connect. Maybe you'll notice that it does a little beep or something.
Maybe you don't. Because Bluetooth devices have a lot of idiosyncrasies. And they're beeping and they stop working for no reason.
Adrian Sanabria
Yeah, I'd probably ignore that.
Jon Bundy
Mostly, you shrug your shoulders and go, that's Bluetooth being Bluetooth again. So that's sad. But it's the truth of where we are.
We've been conditioned over time that Bluetooth devices just stop working. And then you forget them.
Adrian Sanabria
It's not like somebody picking up another phone at the other end of the house. And you're going to hear them breathing or something like that.
Jon Bundy
Yeah. But in this case, you might be able to do surveillance. Especially if someone took their headphones off and they're having a talk or a meeting.
You don't turn them off. You just take them off. You put them down.
Or you put them on the mic. Microphone's right there.
Adrian Sanabria
Why wouldn't we be casual about something like that? Yeah. I mean, it's not a hack that you see all the time.
But it's interesting that it's possible on so many devices. I'm not sure that we would hear about these hacks that are successful. Because that's a data breach, right?
It's not the kind of thing that gets publicized.
Jon Bundy
It's not ransomware. It's not $10 million. This is the sneaky IP theft and trade secrets and general reconnaissance that could be used as part of maybe a broader attack.
Or gathering information that's useful by itself. But it's still there. But you're right.
They don't talk about it. The vendors don't mention it. I think they just think they keep quiet and nobody notices.
Which unfortunately seems to be true. And if they patch it, you don't know. You have to do a lot of work to figure out.
First of all, is the device vulnerable? Second of all, does the vendor even know? And third, did they patch it?
It's hard to tell. You didn't know those were vulnerable, did you? Sony didn't send you an email.
Adrian Sanabria
No, I did not. And there are probably more Bluetooth devices in active use than there are people on the planet at this point.
Jon Bundy
Yeah, 7 billion devices in 2025 or something.
Adrian Sanabria
When we think Mythos and Patchpocalypse or Vonpocalypse, we're not thinking headphones and cars and insulin pumps and stuff like that. We're thinking laptops and things like that.
Jon Bundy
Servers, your routers, your network infrastructure, your firewalls, your websites. So I mentioned pattern of life. That's just another form of surveillance.
And so what was big there? Stalking with AirTags. That always happens.
New technology comes out and it's great. And then it can be used for bad. So right away, you get these AirTags.
Wow, this is great. You can find something you lost. And then shortly after that, it turned into stalking.
So there's these unintended consequences always as new technology comes out. So as that came out, what did Apple do? They started building anti-stalking technology into them, but it's still possible to abuse those.
Yeah. Got a Tile here. They might have changed, but for a long time, they weren't even rotating their Bluetooth device address.
Adrian Sanabria
I stopped using them and I went to Apple AirTags because I read an article where they're like, Tile is a stalker's dream. And I was like, nope.
Jon Bundy
Yeah.
Adrian Sanabria
That made me sad to hear. And it was one of those where they said they reported it and Tile was like, eh. By design.
Jon Bundy
Yeah. But yeah, I noticed that before. They don't rotate their address.
So once you know the address, there's your unique identifier. You could just always see where someone is. But you don't need to have a tracker to get this pattern of life.
Is your phone advertising something? Is your laptop advertising something? Are your headphones broadcasting right now and saying that they're XM4s?
Did you give them a custom name that makes them unique?
Adrian Sanabria
And then the other issue is I get notifications all the time on my iPhone. Hey, there's some headphones following you. It's my partner's headphones.
They ignore it. Yeah. I get so used to that.
If somebody is stalking me, again, like the beep in the headphones, you're just going to shrug it off.
Jon Bundy
It's just recording this again. It's too much. So yeah, this pattern of life thing is huge and somewhat related to that.
We keep seeing these breaches through Strava. I think we talked about this a while ago. So you've got a fitness watch and then you upload your stuff to Strava.
Information gets out and you get this pattern of life and that gives attackers information about your facility, about your life, about normal operating hours, about who's there, who's not there. The Bluetooth pattern of life is sort of similar. If you're close enough, you can at least see are the normal people in, are the normal people out?
Is there a surge for something? What's a good time to go do physical pen testing? A lot can be given up just by those advertisements.
And then the second one you talked about was injecting keystrokes. And it used to be, oh, it's so hard to do the Bluetooth hack. Well, there have been a couple now where it's getting easier and easier.
There's one called I am Keyboard, which was patched at the end of 2023, beginning of 2024, where you would just connect to the computer that the keyboard was connected to, the real keyboard. So it's the attacker. You say, hey, I'm the keyboard.
I'm connecting again. And we don't need encryption. Don't worry about it.
And the computer's like, oh yeah, we were connecting before. And you just forgot to do the authentication check in encryption. And boom, keystroke injection.
It got patched. But then there's another one recent called StealTooth.
Adrian Sanabria
When you say it got patched, somebody released a patch.
Jon Bundy
Yeah, that's true. It doesn't mean it got patched. The good news, I think, is it could be patched on the computer side.
So as we know, the computers, the OSes, are more likely to get patched. So Android, Apple, Microsoft will patch it. They will generally patch it.
Now, did your 10-year-old Bluetooth keyboard get a patch? No. But that wasn't really the problem.
The problem was the computer in this case. And maybe the fact that you're using a 10-year-old keyboard helped it because the computer had to use these older protocols, less secure protocols. Now, if you used a newer BLE keyboard, Bluetooth Low Energy keyboard, maybe it's not vulnerable to that same attack.
This relied more on Bluetooth Classic channels. So a good reason to update your old keyboard so that you don't have this insecure channel available. And then StealTooth and BreakTooth came out last year.
So keyboards, they want to save their batteries so they'll go to sleep and they'll tell the computer, hey, I'm going to sleep. The computer will be like, okay, I'll wait for you. The attacker says, hey, I'm the keyboard, I'm back.
And they can like overwrite the link key, I think. So they changed the key and the computer was okay with that. And you just became the device.
And then when the keyboard wakes up, you can do a similar thing and say, oh yeah, I'm the computer that you used to be connected to. Here, let's just talk and you have a machine in the middle position. Either one's bad.
I mean, if you can inject keystrokes, that's just bad. And so there's two attacks there where there's proof of concept code for them, the I am Keyboard one and then StealTooth, BreakTooth. And I've gotten both of those to work on various keyboards.
So I know it's possible. Those are the things I think that we should be concerned about. Maybe not the Bluetooth spam as much.
Adrian Sanabria
You have some, you know, be aware that it's a thing, how it happens, how you would track somebody down doing it.
Jon Bundy
Or it could be someone in the parking lot and you just want to know like, hey, is this just a prankster or is this a targeted thing? Is it going to escalate? Catching things early is good.
Adrian Sanabria
So there are some attacks that don't make sense. Like it's technically possible to catch and copy data over Bluetooth. If you're doing keystroke injection, yeah, no problem.
That amount of data is fine. But if you think you're going to exfiltrate a company's data over Bluetooth, that's not the play. You want a different plan.
Jon Bundy
Yeah. If you remember back, we talked about the data rates and Bluetooth Low Energy was one megabit per second. One megabit per second.
They bumped it up to two and three megabit per second. That's your streaming protocol. Three megabits isn't going to get you a lot.
It can get you a text file maybe. What you really want to use that for is download some sort of a backdoor remote codec malware or something that you can then execute on the target. What are you going to execute on headphones or a speaker?
Not much. But if you can somehow get to the computer, then we've got a problem.
Adrian Sanabria
One other thing I wanted to mention is maybe it's worth thinking about getting a device that will automatically patch itself. Right? Because those patches aren't just going to be for security things.
They may improve how the product functions. Like fixing bugs in the product. My car definitely has some weird bugs where every now and then I get these weird audio artifacts and I have to de-pair from Bluetooth.
Jon Bundy
Do you check around for any suspicious antennas at the time?
Adrian Sanabria
It's pretty consistent. It happens like once a month. But yeah, Apple devices are really good about it.
Apple's going to automatically update the firmware on your wireless trackpad, your wireless keyboard, your AirPods without even telling you it's doing it. That's kind of nice to not have to think about applying a patch. The main reason my Sonys aren't patched is I just haven't connected them to a phone in forever.
If I do connect them, I connect them to a laptop and I don't have an app on there that would update them. If I was connecting them to a phone, I'm sure the app would say, hey, these need to be updated. So that's something you need to keep in mind maybe.
Jon Bundy
The problem is when you go to buy your Bluetooth headphones, do you check on the back of the box to see whether the frequency of updates is listed?
Adrian Sanabria
I've never seen that on the back of a box.
Jon Bundy
What encryption are they using? Who knows? How often are they updated?
How do you update them? It doesn't tell you. That is just not something anyone ever talks about.
No. You're really at the mercy of the vendors. I guess the way to mitigate it is to stick with vendors that you know and trust that have a history of patching their devices.
But even so, at some point, the business is going to make a decision and say, it's just not worth patching that five-year-old device anymore. We've moved on. Even if we could, the OEM might be gone.
Adrian Sanabria
And it sounds like I'm talking up Apple a lot, but that's just something they've taken advantage of because of vertical integration, right? They make a lot of their own chips. You plug a Mac keyboard into a Mac, they can take advantage of that and they can patch it themselves.
Like on a PC, sometimes even the motherboard manufacturer is not the same as the system manufacturer. And you're going to go to a website, look for BIOS updates. Is this the right BIOS for my system?
And you're going to download a Windows executable. You can't update it in Linux.
Jon Bundy
Yeah, it's crazy. And the phones are much better about keeping current BIOS updates and the OSes are pretty good, but it's the connected devices where you really have to think about it. Do you want to get this no-name $10 Bluetooth keyboard?
Well, guess what? You probably have some old vulnerabilities in there. It's a cost.
It's never going to be patched or if they even care.
Adrian Sanabria
Yeah. So let's jump into that. So first of all, in terms of all the other devices, what would you give Bluetooth devices in general or Bluetooth in general as a threat rating from a risk perspective?
How worried should we be about Bluetooth?
Jon Bundy
From a personal perspective, what threat is there? I've got all sorts of Bluetooth things. Am I super concerned?
Probably not too much. I definitely want to make sure I do keep those headphones patched, but as far as, you know, using my headphones day to day and my keyboard, not terribly concerned. I mean, I'm here in my neighborhood and not at a coffee shop or anything.
But having said that, there are things you do want to do. You know, my daughter came home and said, hey, you know, your laptop is just advertising its name all the time. We should turn that off.
And I'm like, oh, that's interesting. I see a new laptop.
Adrian Sanabria
Like for AirDrop or something like that? Yeah.
Jon Bundy
No, it's just, it's a Windows laptop and it's just broadcasting its name. It's convenient to make it easy for something down the road. Let's make sure we turn that off because as you go to classes and you're walking around with your laptop, it's showing up in all these places.
Adrian Sanabria
If you're not even using Bluetooth, it's just eating up energy, right? You know, especially if it's a laptop, like why not just disable Bluetooth?
Jon Bundy
So that's a good point. Right? If you're not using it, disable it.
But I don't know about you, but I've got a keyboard. I see three mice.
Adrian Sanabria
I cannot disable it.
Jon Bundy
Three headphones, six-inch glasses. Same. You can't disable it.
But yeah, if you're not using it, turn it off. It might be advertising. You could be tracked by it.
It might be an attack surface. But again, on the personal side, how concerned am I? Not too much.
Now on the business side, how concerned am I? A little bit more. I'd say you could exploit some things with microphones.
There's proof now that they're vulnerable and they will be vulnerable again in the future because of these convenient features, these vendor add-ons, the changes in the specs and profiles. There is going to be another vulnerability. Someone's going to leave a diagnostic backdoor open again.
You can hijack things. You can get access to the microphone. Keyboards have proven to be susceptible to being spoofed and keyboard injection over and over.
Am I concerned about that? Yeah. I would absolutely recommend that if you have old keyboards, upgrade them to newer Bluetooth Low Energy keyboards.
If you have headphones, make sure that they're patched if you can patch them. So is it on a scale of one to ten is it ten now? Is it maybe a five or something?
Maybe for enterprises from that perspective.
Adrian Sanabria
Would you recommend going around an enterprise scanning for old devices in use? Would you go around, do a survey and say, hey, yeah, we're going to buy a new keyboard?
Jon Bundy
That's a good question.
Adrian Sanabria
I guess at all. Because some of those keyboards aren't even going to be Bluetooth, right? Like if they're old enough, they're just spitting stuff out in the clear all day long.
Some of the ones that would use the dongles, right?
Jon Bundy
Yeah. And those have their own vulnerability. Sure.
I guess it depends on your risk appetite. If you're concerned about this, then yeah.
Adrian Sanabria
I guess it depends on the business too.
Jon Bundy
Like maybe if you're a high profile law firm or something like that, you know, versus... Yeah, not using Bluetooth at all and not allowing phones in your meetings and not allowing AI glasses. I think there are some things in Bluetooth where you could say the same thing. I mean, your camera, your phone's got the same capability.
It's not specifically a Bluetooth vulnerability, but that could be a vector to get to your phone.
Adrian Sanabria
Right. Well, good stuff, Jon. This has been excellent.
I agree with you on both the personal and the business there. I think for me, it's maybe a four out of 10. It's enough that I'm going to go around and do a survey just to see just because I'm really curious.
I'm going to see what I can find. And if there is anything hackable, I know at the very least these Sonys are vulnerable.
Jon Bundy
And you know, maybe that's what it is. It's just fun. Are you worried about someone sitting outside your house and doing it?
Maybe you're not too worried, but you should at least be aware. You should know that these things are possible. It's not as secure as you might think.
The whole point of Bluetooth is a little bit of a black box to people. You don't know how it works, why it works, if it works, and what's vulnerable.
Adrian Sanabria
But to people who have made it through all three of these episodes with us, these three Bluetooth episodes, it's less of a black box, hopefully, than it was when you started this journey with us. Thanks, Jon, so much for joining me. This has been a lot of fun to go through.
Oh, you're welcome.
Jon Bundy
Thanks for having me.
Adrian Sanabria
Big thanks to Bastille for sponsoring this series. You can check out Bastille.net/blog for more information on wireless threats. And don't forget to leave a comment with what you'd like to see us discuss or hear next.
See you next time.
Anthony Jimenez
Thanks for listening. And thank you to our guests, Jon Bundy and Adrian Sanabria. Don't forget to like, comment and subscribe to Carahcast and be sure to listen to our other discussions.
If you'd like more information on how Bastille can assist your organization, please visit www.carahsoft.com or email us at bastille@carahsoft.com. Have a great day.