I Tried Hacking a Bluetooth Speaker - Here's What Happened Next
source link: https://hackernoon.com/i-tried-hacking-a-bluetooth-speaker-heres-what-happened-next
An I.T. nerd who wants to think he is good at cybersecurity but really is just a script kiddie.
In this article, we'll attempt to hack a Bluetooth speaker using my knowledge of cybersecurity.
Watch the Video
00:00
Have you ever been in a social gathering, maybe a party, and you're hanging out with your friends, maybe some colleagues, and there's a Bluetooth speaker in the background? Everything's good, except there's one issue: the music that is being played is horrible; it either doesn't fit the vibe or something like that. So in that moment, when you're with your friends, you wish that you were the one who had control of the Bluetooth speaker, the individual in the background or with the phone, and boom, you click play and whatever music your heart desires is played. No matter if the person who has the connection to the speaker is playing the music or not, you are the one who is controlling the speaker. So in today's video, what I want to try doing is using my cybersecurity expert hacking skills.
00:44
Dang it, Stack Overflow, we go.

00:48
Okay, maybe not expert hacking skills, but I'm going to try developing a program which allows me to hijack the Bluetooth speaker session. To accomplish this task I have two sets of equipment. The first thing is a Bluetooth speaker; in this case it is a Flip 4 running Bluetooth version 4.2. The next thing is a Raspberry Pi 3 B+, and in this case it has a little Bluetooth adapter which allows me to communicate with other Bluetooth devices. With these two devices I'm going to try developing a method or program which allows me to hack into the Bluetooth speaker, so then all I would have to do is just, you know, carry around this big old bulky Raspberry Pi and I would be able to hack into anyone's Bluetooth speaker, especially my friends'. So with that behind us, let's go ahead and get started.
[Music]
01:45
My first step was to go ahead and unbox the Raspberry Pi 3B+ that I had ordered specifically for this project. After unboxing that I would perform the basic setup. Cool, looks like this works. Now it's time to go ahead and set the rest of this thing up by working inside here, and yeah, let's go and do it. So after turning on the Pi I went ahead and followed an online tutorial which allowed me to get up and running with the Pi, with a remote SSH connection into the Raspberry Pi via my Windows computer. So after that it was time to go into the research phase.

02:18
So I found this article online, from which I'm going to be using a couple of the tools and technologies that they recommended that I go ahead and do, so full credit to the author of this article here. So if I scroll down here you're going to see a list of tools which will allow us to work with Bluetooth devices. I'm going to use the same tools as recommended within this article, and I'm going to go ahead and do that by first setting up the Raspberry Pi, and then from there I'm going to go ahead and create a Python script which is going to use some of these open source Bluetooth hacking tools to get into the Bluetooth speaker.

03:00
To do this, what I'm going to go ahead and do is write a sketch that kind of walks through my thinking process about how I think about solving this problem, and then from there we're going to go ahead and try to implement this through a Python script.
[Music]
03:17
My original thought process was to mock the scenario mentioned in the article. So using the Raspberry Pi, I was going to insert myself in between the victim and the Bluetooth speaker while they were conducting the pairing process. I was going to use the KNOB attack to lower the entropy bit to one. From there I was going to write a program to brute force the encryption key so I could insert myself in between the session in clear text. As mentioned in the article, I was going to use an open source tool called btproxy to set up a man-in-the-middle relay between the victim and the Bluetooth speaker. At this point I could send my music files to the Bluetooth speaker while the victim would have no control of the Bluetooth speaker.

03:51
All right, so I am ready to start creating my Python script, but before I do that I'm going to go ahead and install InternalBlue and btproxy off of GitHub; links in the description below. And yeah, so let's go ahead and get started with the initial configuration process.

[Music]
04:15
While downloading the open source tools I had encountered one critical problem: the btproxy open source tool was outdated. The last known update was in 2015 and the GitHub page specifically said that it was discontinued. I had tried downloading the dependencies of this open source tool at different versions to make it work, but it was all not functioning correctly; I couldn't find the correct versions. So I thought that, well, at this point I can't really do this type of attack. Not only was the open source tool outdated, but I also realized that in between the pairing process between the Bluetooth speaker and the victim I would have to be at the right location at the right time, and oftentimes for people who already have Bluetooth speakers, their phones are just automatically connected to the Bluetooth speaker. At this point I thought the project was over, but throughout my process of research I did figure out how to connect the Raspberry Pi to the Bluetooth speaker, as well as send audio or a music file to the Bluetooth speaker.
05:10
Okay, so it's the next morning. Throughout my research I did find one method that I could use to connect to the Bluetooth speaker and inject my own audio stream. Now it's sort of similar to just connecting another phone to a Bluetooth speaker, but it's a little bit different, sort of, so let me just go ahead and show you, because it force connects. In my controlled environment, what I found out is that if I connect the Raspberry Pi to the JBL Bluetooth speaker I could go ahead and override the music session that would be currently being streamed from the victim phone. In this case I could override the music and play from my Raspberry Pi as I inject the audio stream. So let me go ahead and show you my process: connecting to the Bluetooth speaker using the library BlueZ, and then injecting an audio stream using the PulseAudio server.
06:06
All right, so here in front of me I have my JBL Flip 4 speaker. It is turned on here, as you can see from the power button, and I'm going to go ahead and get into my SSH session with my Raspberry Pi 3 Plus. Part of the BlueZ packages, there is a Bluetooth command line utility called bluetoothctl. So if you run bluetoothctl it's going to go ahead and launch an interactive session here, and there are multiple commands that we can issue. So in this case what I'm going to go ahead and do is try doing scan on; this is going to go ahead and turn on our scanner.

06:48
Now I did capture the Bluetooth address of the JBL Flip 4, but I had to put that in discoverable mode. So using the discoverable mode method here I got the Bluetooth address here, and once I find the Bluetooth address, for instance if we go ahead and just click the discoverable here... that load. So once I find the Bluetooth address I don't have to worry about it again; I can just go ahead and put this down here. So with that being said, I know the Bluetooth address, and so I'm going to go ahead and copy the Bluetooth address here, go ahead and select, right click, and I'm going to go and turn the scan off.

07:37
Okay, all right, once that has stopped here I can go ahead and try connecting to the Bluetooth speaker, so I'm going to go ahead and do that: connect here. As you can see, it has a little doo-doo and it's connected. I have my JBL Flip 4 connected to my phone as well, so right now I have both the Raspberry Pi and the JBL Flip 4 connected to my Bluetooth phone, or on through my Bluetooth online. So at this point you can see it has a little JBL Flip 4 and we can do whatever we... In this case we are done connecting to the Bluetooth speaker, so we're going to go ahead and do exit.
08:17
At this point we need to get the sound card information so that we can go ahead and inject our own stream of music. Now before moving forward, what I found out was I needed to first go ahead and put music onto my Pi, so I went ahead and did that. I just used the FTP client FileZilla to transfer a music file from my Windows computer to the Pi, pretty... And then if you do ls here you can see I have chill_2.wav; that's the sound file I want to...

08:49
Now there's a sound driver called PulseAudio which allows you to inject music streams. So to do this, what I went ahead and did is I did pactl and then you can go ahead and do list cards, and at this point you're going to have a couple of sound cards. Cards 0 and 1 I didn't have to worry about, so card 2, the next card, the third card in the listing, is the one that you would want if you're connected to the speaker. So at this point what you're going to want to go ahead and do is select the name of this driver here and go ahead and right click to copy. We're almost done. At this point we have our music and we also have the sound card name.

09:30
Now we can go ahead and do paplay. The -p flag allows us to play, and then I'm going to go ahead and play on a specified device, and in this case it's going to be bluez_card, but in this case we're actually going to change bluez_card to bluez_sink, and we are also going to append .a2dp_sink. All we need to do is go ahead and inject the music in there, so chill_2.wav, and as you can see it is playing the chill_2.wav music. Now if I wanted to go ahead and stop this I could just do Ctrl+C to interrupt the session, and boom, there we go.

10:17
So it's very manual, and also, you know, my phone is still connected to the speaker, but it's more of a manual type process, and you have to make sure that, you know, you can connect it to a speaker such as the JBL Flip 4. I'm not exactly sure how many other speakers would allow this to happen. So there you go, that's the attempt at trying to hack Bluetooth speakers. The method that I created was definitely nothing revolutionary, but it was sort of successful in the attempt to try to connect and try to play my own music. I hope all is well. The articles and the tools that I use will be in the description below, so for those of you who maybe want to replicate something like this, that can maybe be something you can do. Yeah, so I hope all is well, and until the next time, have a good day.
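The manual sequence the video walks through (bluetoothctl connect, pactl list cards, paplay -d on the bluez sink) scripted end to end, as an added example that is not the video author's code and not part of BlueZ or PulseAudio. It assumes the card and sink naming the video shows (bluez_card.<MAC> and bluez_sink.<MAC>.a2dp_sink), that bluetoothctl accepts a command as a command-line argument and prints "Connection successful", and it embeds a constructed sample of pactl list cards output (card #2 modelled on a JBL Flip 4 with a made-up address) so the parsing and the dry run work offline. The address F4:7F:35:12:34:56 and the file chill_2.wav are placeholders.

```python
"""Added example: script bluetoothctl -> pactl -> paplay and derive the sink name from the MAC."""
import re
import subprocess
import sys

# Constructed sample of `pactl list cards` output (not a capture from the video).
# Card #2 has the shape of a BlueZ-backed PulseAudio card once a speaker is connected.
SAMPLE_PACTL_CARDS = (
    "Card #0\n"
    "\tName: alsa_card.platform-bcm2835_audio\n"
    "\tProfiles:\n"
    "\t\toutput:analog-stereo: Analog Stereo Output (sinks: 1, sources: 0, priority: 6500, available: yes)\n"
    "\t\toff: Off (sinks: 0, sources: 0, priority: 0, available: yes)\n"
    "\tActive Profile: output:analog-stereo\n"
    "Card #1\n"
    "\tName: alsa_card.platform-bcm2835_hdmi\n"
    "\tActive Profile: off\n"
    "Card #2\n"
    "\tName: bluez_card.F4_7F_35_12_34_56\n"
    "\tDriver: module-bluez5-device.c\n"
    "\tProperties:\n"
    "\t\tdevice.description = \"JBL Flip 4\"\n"
    "\tProfiles:\n"
    "\t\ta2dp_sink: High Fidelity Playback (A2DP Sink) (sinks: 1, sources: 0, priority: 40, available: yes)\n"
    "\t\toff: Off (sinks: 0, sources: 0, priority: 0, available: yes)\n"
    "\tActive Profile: a2dp_sink\n"
)

CARD_HEADER = re.compile(r"^Card #(\d+)\s*$")   # card headers sit at column 0
PROFILE_LINE = re.compile(r"^(\S+): ")          # "<profile-name>: <description> (...)"


def mac_octets(mac):
    """Split an address written with ':', '-', '_' or no separators into six hex octets."""
    digits = re.sub(r"[:\-_]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a Bluetooth address: {mac!r}")
    return [digits[i:i + 2] for i in range(0, 12, 2)]


def parse_cards(pactl_output):
    """Parse `pactl list cards` into dicts: index, name, description, profiles, active_profile."""
    cards, current, profiles_indent = [], None, None
    for raw in pactl_output.splitlines():
        header = CARD_HEADER.match(raw)
        if header:
            current = {"index": int(header.group(1)), "name": "", "description": "",
                       "profiles": [], "active_profile": ""}
            cards.append(current)
            profiles_indent = None
            continue
        if current is None or not raw.strip():
            continue
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if profiles_indent is not None and indent <= profiles_indent:
            profiles_indent = None  # back at section level: the Profiles block is over
        if line.startswith("Name:"):
            current["name"] = line.partition(":")[2].strip()
        elif line.startswith("device.description"):
            current["description"] = line.partition("=")[2].strip().strip('"')
        elif line.startswith("Active Profile:"):
            current["active_profile"] = line.partition(":")[2].strip()
        elif line == "Profiles:":
            profiles_indent = indent
        elif profiles_indent is not None:
            entry = PROFILE_LINE.match(line)
            if entry:
                current["profiles"].append(entry.group(1))
    return cards


def bluez_sink_for(mac, cards):
    """bluez_card.<MAC> -> bluez_sink.<MAC>.a2dp_sink (the rename done by hand in the video),
    refusing if the card is missing or not actually in the A2DP sink profile."""
    card_name = "bluez_card." + "_".join(mac_octets(mac))
    for card in cards:
        if card["name"] == card_name:
            if card["active_profile"] != "a2dp_sink":
                raise RuntimeError(f"{card['description'] or card_name} is in profile "
                                   f"{card['active_profile']!r}, not a2dp_sink")
            return card_name.replace("bluez_card.", "bluez_sink.", 1) + ".a2dp_sink"
    raise LookupError(f"no PulseAudio card for {mac}; is the speaker connected?")


def connect_and_play(mac, wav_path, run=subprocess.run):
    """bluetoothctl connect -> pactl list cards -> paplay -d <sink> <file>; returns the sink.
    Assumption: bluetoothctl takes the command as an argument and prints 'Connection successful'."""
    result = run(["bluetoothctl", "connect", ":".join(mac_octets(mac))],
                 check=True, capture_output=True, text=True)
    if "Connection successful" not in result.stdout:
        raise RuntimeError(f"bluetoothctl did not connect: {result.stdout.strip()}")
    listing = run(["pactl", "list", "cards"], check=True, capture_output=True, text=True).stdout
    sink = bluez_sink_for(mac, parse_cards(listing))
    run(["paplay", "-d", sink, wav_path], check=True)
    return sink


class OfflineRunner:
    """Stand-in for subprocess.run: records the commands and serves the constructed output."""
    def __init__(self, cards_output=SAMPLE_PACTL_CARDS):
        self.cards_output, self.commands = cards_output, []

    def __call__(self, cmd, **kwargs):
        self.commands.append(list(cmd))
        stdout = {"bluetoothctl": "Connection successful\n", "pactl": self.cards_output}.get(cmd[0], "")
        return subprocess.CompletedProcess(cmd, 0, stdout=stdout, stderr="")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # on the Pi: python3 play_to_speaker.py <MAC> <wav>
        print("playing on", connect_and_play(sys.argv[1], sys.argv[2]))
    else:  # offline dry run against the constructed sample
        runner = OfflineRunner()
        print("sink:", connect_and_play("F4:7F:35:12:34:56", "chill_2.wav", run=runner))
```

Without arguments the script only exercises the parsing against the constructed listing; on the Pi, pass the speaker's address and a WAV file. The practical limits the video hits still apply: the address only shows up under scan on while the speaker is in discoverable mode, the speaker has to accept a second A2DP source alongside the phone (the Flip 4 did; the author could not say which other speakers would), and on a system where PipeWire rather than PulseAudio provides pactl the sink name follows a different scheme, so check pactl list short sinks instead of deriving it.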