Uncover Bluetooth Vulnerabilities with BlueToolkit

Loading

BlueToolkit is an extensible Bluetooth Classic vulnerability automated testing framework. It’s designed to uncover both new and old vulnerabilities in Bluetooth-enabled devices. Moreover, since it runs on Linux based devices, it is possible to install it on rooted Android smartphone and make it a portable and automated Bluetooth vulnerability scanner. This makes it a capable tool for vulnerability research, penetration testing, and Bluetooth hacking.

How Does BlueToolkit Work?

BlueToolkit operates by executing templated exploits one by one against the targeted device. Based on documentation it can test up to 43 Bluetooth exploits and even allows to add new one. To test some of them, it is necessary to have hardware that is listed below. However, after running and listing available exploits while executing the tool, I was presented with information that its able to test 11 vulnerabilities without additional hardware, out of 39, see Figures below.

List of tested Bluetooth exploits without necessity of additional hardware
Figure 1. List of tested Bluetooth exploits without necessity of additional hardware
List of exploits to test
Figure 2. List of exploits to test

To test some of the vulnerabilities additional hardware is required, such as

  • ESP-WROVER-KIT-VE for Braktooth,
  • Nexus 5 for Internal blue-based vulnerabilities,
  • CYW920819M2EVB-01 for BIAS, BLUR and BLUFFS attacks.

BlueToolkit runs only on Linux, installation guide you can follow on the GitHub. This means that you can also run it while on the go on Android smartphone. The Android needs to be rooted, with kernel drives support for a Bluetooth chip or an external adapter. So, if you have already setup your NetHunter, then you should be good to go. I was also able to run it on Kali Linux in a Virtual Machine using an external Bluetooth adapter, particularly Zexmte. Specific commands and their usage are very well explained in a Workflow section. Results of my scan while I was inspecting a Bluetooth speaker are visible below.

Scan report
Figure 3. Scan report

A list of tested vulnerabilities and attacks based on the documentation is visible below.

VulnerabilityCategoryTypeVerification typeHardware req.Tested
Always pairableChainingChainingManual
Only vehicle can initiate a connectionChainingChainingManual
Fast rebootChainingChainingManual
SC not supportedChainingInfoAutomated
possible check for BLURChainingInfoAutomated
My name is keyboardCriticalRCESemi-automated
CVE-2017-0785CriticalMemory leakAutomated
CVE-2018-19860CriticalMemory executionAutomated
V13 Invalid Max Slot TypeDoSDoSAutomated
V3 Duplicated IOCAPDoSDoSAutomated
NiNo checkMitMMitMSemi-automated
Legacy pairing usedMitMMitMAutomated
KNOBMitMMiTMSemi-automated
CVE-2018-5383MitMMiTMAutomated
Method Confusion attackMitMMiTMAutomated
SSP supported <= 4.0 weak crypto or SSP at allMitMInfo/MitMAutomated
CVE-2020-24490CriticalDoSAutomated
CVE-2017-1000250CriticalInfo leakAutomated
CVE-2020-12351CriticalRCE/DoSAutomated
CVE-2017-1000251CriticalRCE/DoSAutomated
V1 Feature Pages ExecutionCriticalRCE/DoSAutomated
Unknown duplicated encapsulated payloadDoSDoSAutomated
V2 Truncated SCO Link RequestDoSDoSAutomated
V4 Feature Resp. FloodingDoSDoSAutomated
V5 LMP Auto Rate OverflowDoSDoSAutomated
V6 LMP 2-DH1 OverflowDoSDoSAutomated
V7 LMP DM1 OverflowDoSDoSAutomated
V8 Truncated LMP AcceptedDoSDoSAutomated
V9 Invalid Setup CompleteDoSDoSAutomated
V10 Host Conn. FloodingDoSDoSAutomated
V11 Same Host ConnectionDoSDoSAutomated
V12 AU Rand FloodingDoSDoSAutomated
V14 Max Slot Length OverflowDoSDoSAutomated
V15 Invalid Timing AccuracyDoSDoSAutomated
V16 Paging Scan DeadlockDoSDoSAutomated
Unknown wrong encapsulated payloadDoSDoSAutomated
Unknown sdp unknown element typeDoSDoSAutomated
Unknown sdp oversized element sizeDoSDoSAutomated
Unknown feature req ping pongDoSDoSAutomated
Unknown lmp invalid transportDoSDoSAutomated
CVE-2020-12352CriticalInfo leakAutomated

BlueToolkit has already discovered 64 new vulnerabilities across 22 products, which means that it might help other researchers to identify security issues in Bluetooth. Details about these vulnerabilities as well as affected devices will be published in August 2024 most likely on their GitHub page.

In conclusion, BlueToolkit is a powerful tool for anyone interested in Bluetooth security. Based on the results of its usage, it seem to be a valuable asset for any wireless security researcher or penetration tester.