I Tried Hacking a Bluetooth Speaker - Here's What Happened Next

by Grant Collins (@grantcollins)


An I.T. nerd who wants to think he is good at cybersecurity but really is just a script kiddie.

In this article, we'll attempt to hack a Bluetooth speaker using my knowledge of cybersecurity.

Watch the Video

https://www.youtube.com/watch?v=9XURbq9jjQs&ab_channel=GrantCollins

00:00 Have you ever been in a social gathering, maybe a party, and you're hanging out with your friends, maybe some colleagues, and there's a Bluetooth speaker in the background? Everything's good except there's one issue: the music that is being played is horrible, either doesn't fit the vibe or something like that. So in that moment when you're with your friends you wish that you were the one who had control of the Bluetooth speaker, the individual in the background or with the phone, and boom, you click play and whatever music your heart desires is played, no matter if the person who has connection to the speaker is playing the music or not: you are the one who is controlling the speaker.

00:36 So in today's video what I want to try doing is using my cyber security expert hacking skills... dang it, Stack Overflow, we go... okay, maybe not expert hacking skills, but I'm going to try developing a program which allows me to hijack the Bluetooth speaker session. To accomplish this task I have two sets of equipment. The first thing is a Bluetooth speaker; in this case it is a JBL Flip 4 running Bluetooth version 4.2. The next thing is a Raspberry Pi 3 B+, and in this case this has a little Bluetooth adapter which allows me to communicate with other Bluetooth devices. With these two devices I'm going to try developing a method or program which allows me to hack into the Bluetooth speaker, so then all I would have to do is just, you know, carry around this big old bulky Raspberry Pi and I would be able to hack into anyone's Bluetooth speaker, especially my friends'. So with that behind us, let's go ahead and get started.

[Music]

01:45 My first step was to go ahead and unbox the Raspberry Pi 3B+ that I had ordered specifically for this project. After unboxing that I would perform the basic setup. Cool, looks like this works. Now it's time to go ahead and set the rest of this thing up by working inside here and, uh, yeah, let's go and do it. So after turning on the Pi I went ahead and followed an online tutorial which allowed me to get up and running with the Pi with a remote SSH connection into the Raspberry Pi via my Windows computer.

02:14 So after that it was time to go into the research phase. So I found this article online, which I'm going to be using a couple of the tools and technologies that they recommended that I go ahead and do, so full credit to the author of this, uh, article here. So if I scroll down here you're going to see a list of tools which will allow us to work with Bluetooth devices. I'm going to use the same tools as recommended within this article, and I'm going to go ahead and do that by first setting up the Raspberry Pi, and then from there I'm going to go ahead and create a Python script which is going to use some of these open source Bluetooth hacking tools to get into the Bluetooth speaker. To do this, what I'm going to go ahead and do is write a sketch that kind of walks through my thinking process about how I think about solving this problem, and then from there we're going to go ahead and try to implement this through a Python script.

[Music]

03:17 My original thought process was to mock the scenario mentioned in the article. So using the Raspberry Pi I was going to insert myself in between the victim and Bluetooth speaker while they were conducting the pairing process. I was going to use the KNOB attack to lower the entropy bit rate to one. From there I was going to write a program to brute force the encryption key so I could insert myself in between the session in clear text. As mentioned in the article, I was going to use an open source tool called btproxy to set up a man-in-the-middle relay between the victim and the Bluetooth speaker. At this point I could send my music files to the Bluetooth speaker while the victim would have no control of the Bluetooth speaker.

03:51 Alright, so I am ready to start creating my Python script, but before I do that I'm going to go ahead and install InternalBlue and btproxy off of GitHub, links in the description below. And yeah, so let's go ahead and get started with the initial configuration process.

[Music]

04:15 While downloading the open source tools I had encountered one critical problem: the btproxy open source tool was outdated. The last known update was in 2015 and the GitHub page specifically said that it was discontinued. I had tried downloading the dependencies of this open source tool at different versions to make it work, but it was all not functioning correctly; I couldn't find the correct versions. So I thought that, well, at this point I can't really do this type of attack. Not only was the open source tool outdated, but I also realized that in between the pairing process between the Bluetooth speaker and the victim I would have to be at the right location at the right time, and oftentimes for people who already have Bluetooth speakers their phones are just automatically connected to the Bluetooth speaker. At this point I thought the project was over, but throughout my process of research I did figure out how to connect the Raspberry Pi to the Bluetooth speaker as well as send audio or a music file to the Bluetooth speaker.

05:10 Okay, so it's the next morning. Throughout my research I did find one method that I could use to connect to the Bluetooth speaker and inject my own audio stream. Now it's sort of similar to just connecting another phone to a Bluetooth speaker, but it's a little bit different, sort of, so let me just go ahead and show you, because it force connects. In my controlled environment what I found out is that if I connect the Raspberry Pi to the JBL Bluetooth speaker I could go ahead and override the music session that would be currently being streamed from the victim phone. In this case I could override the music and play from my Raspberry Pi as I inject the audio stream. So let me go ahead and show you my process connecting to the Bluetooth speaker using the library BlueZ and then injecting an audio stream using the PulseAudio server.

06:06 All right, so here in front of me I have my JBL Flip 4 speaker. It is turned on here, as you can see from the power button, and I'm going to go ahead and get into my SSH session with my Raspberry Pi 3 Plus. Part of the BlueZ packages, there is a Bluetooth command line utility called bluetoothctl. So if you run bluetoothctl it's going to go ahead and launch an interactive session here, and there are multiple commands that we can issue. So in this case what I'm going to go ahead and do is try doing scan on. This is going to go ahead and turn on our scanner.

06:48 Now I did capture the Bluetooth address of the JBL Flip 4, but I had to put that in discoverable mode. So using the discoverable mode method here I got the Bluetooth address here, and then once I find the Bluetooth address, for instance if we go ahead and just click the discoverable here, that load... so once I find the Bluetooth address I don't have to worry about it again, I can just go ahead and put this down here. So with that being said, I know the Bluetooth address, and so I'm going to go ahead and copy the Bluetooth address here, do go ahead and select, right click, and then I'm gonna go and turn the scan off. Okay, all right, once that has stopped here I can go ahead and try connecting to the Bluetooth speaker, so I'm going to go ahead and do that: connect here. As you can see, it has a little doo-doo and it's connected.

07:54 I have my JBL Flip 4 connected to my phone as well, so right now I have both the Raspberry Pi and the JBL Flip 4 connected to my Bluetooth phone, or on through my Bluetooth online. So at this point you can see it has a little JBL Flip 4 and we can do whatever we want. In this case we are done connecting to the Bluetooth speaker, so we're going to go ahead and do exit. At this point we need to get the sound card information so that we can go ahead and inject our own stream of music.

08:23 Now before moving forward, what I found out was I needed to first go ahead and put music onto my Pi, so I went ahead and did that. I just used the FTP client FileZilla to transfer a music file from my Windows computer to the Pi, pretty easy. And then if you do ls here you can see I have chill_2.wav; that's the sound file I want to play.

08:49 Now there's a sound driver called PulseAudio which allows you to inject music streams. So to do this, what I went ahead and did is I did pactl, and then you can go ahead and do list cards, and at this point you're gonna have a couple of sound cards, uh, cards zero and one I didn't have to worry about. So in card 12... the next card, the third card in the listing, is the one that you would want if you're connected to the speaker. So at this point what you're going to want to go ahead and do is select the name of this driver here and go ahead and right click to copy.

09:25 We're almost done. At this point we have our music and we also have the sound card name. Now we can go ahead and do paplay. The -p flag allows us to play, and then I'm going to go ahead and play on a specified device, and in this case it's going to be bluez_card, but in this, in this we're actually, we're going to change the bluez_card to bluez_sink, and we are also going to append that a2dp_sink. All we need to do is go ahead and inject the music in there, so chill_2.wav, and as you can see it is playing the chill_2.wav music. Now if I wanted to go ahead and stop this I could just do Ctrl+C to interrupt the session, and boom, there we go.

10:17 So it's very manual, and also, you know, my phone is still connected to the speaker, but it's more of a manual type process, and you have to make sure that, you know, you can connect it to a speaker such as the JBL Flip 4. I'm not exactly sure how many other speakers would allow this to happen.

10:38 So there you go, that's the attempt at trying to hack Bluetooth speakers. It's definitely... the method that I created was definitely nothing revolutionary, um, but it was sort of successful in the attempt to try to connect and try to play my own music. I hope all is well. The articles and the tools that I use will be in the description below, so for those of you who maybe want to replicate something like this, that can maybe be something you can do. Um, yeah, so I hope all is well, and until the next time, have a good day.
