We all use Bluetooth devices: phones with Bluetooth, Bluetooth keyboards, Bluetooth mice, and some of us even have Bluetooth external hard drives for our phones. They make our lives easier: we log in, buy a battery subscription from Amazon to keep our mouse and keyboard well fed, and go to work. Everyone is happy to leave the wires behind and get to work. What could go wrong?
Add a twenty-five dollar radio receiver and transmitter, a little ducky script, and some of those batteries from Amazon, and you could start seeing some problems. While this isn't technically a Bluetooth hack, it is worth mentioning that old wireless keyboards are a problem. Let's face it: there are several old wireless devices connected to office computers simply because they still work and no one has thought about them in years.
How many times have you heard, "Does your old one still work? Why are we buying new? You should continue to use the old one." Our accounting departments are good at keeping outdated, risky equipment connected to corporate networks. (See Vulnerability Note VU#981271 for affected devices.) Because of this, we will typically approach our accounting divisions with, "Our keyboard and mouse units were compromised." And the accounting division will usually respond with, "Can't we just replace the batteries?"
Now, let's get back to real Bluetooth. If we add a laptop running Kali Linux to our toolset, we can use hcitool to check for Bluetooth devices that are sending discovery beacons. Once we find a device willing to allow us to connect, we can connect and use sdptool to enumerate the services running on our new Bluetooth-connected device. We can then use those services to pivot around your network and exfiltrate data.
All of those exploits require some knowledge and a little trial and error. The simplicity of my last Bluetooth exploit will leave you shaking your head and asking, "Why?" For years we've locked down USB ports because they are an easy way to connect and transfer data, and for some unknown reason we've let Bluetooth-connected storage devices get a pass. Bluetooth storage devices are much more common than USB devices; in fact, many more of us bring a Bluetooth storage device when we travel than ever thought to carry a USB thumb drive. What is this device? It's your phone. Most newer phones can act as mass storage devices. While Android and iOS devices connect in different ways, they can both be used to exfiltrate data from your company. Even more alarming is that you may never know it happened. Windows and Apple devices don't log Bluetooth connection data as robustly as we would like. Without proper logging, we may be unable to detect and shut down malicious actors.
What should you do? While Bluetooth keyboards may be a necessity in conference rooms and larger board rooms, we should avoid Bluetooth whenever possible. When you consider all the known problems with Bluetooth and the ease with which a malicious actor can use the wireless protocol to exfiltrate data from your company, we recommend removing Bluetooth from your corporate environment altogether.
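Until the radios are actually gone, you can audit your own Linux hosts for the two conditions described above: a controller that answers discovery scans, and one that advertises file-transfer services. The following is an added example, not part of the original article; it assumes a BlueZ host where `bluetoothctl show` is available, the sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `bluetoothctl show` output (BlueZ), not from a real host.
SAMPLE = """\
Controller 00:11:22:33:44:55 (public)
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    UUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)
    UUID: OBEX Object Push          (00001105-0000-1000-8000-00805f9b34fb)
    UUID: OBEX File Transfer        (00001106-0000-1000-8000-00805f9b34fb)
"""

# Bluetooth SIG 16-bit service class IDs of the OBEX file-moving profiles.
FILE_PROFILES = {"1105": "OBEX Object Push", "1106": "OBEX File Transfer"}

def parse_show(text):
    """Parse `bluetoothctl show` output into one dict per controller."""
    controllers = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Controller ([0-9A-Fa-f:]{17})", line)
        if m:
            controllers.append({"addr": m.group(1), "props": {}, "uuids": []})
        elif controllers and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "UUID":
                u = re.search(r"\(0000([0-9a-fA-F]{4})-", value)
                if u:
                    controllers[-1]["uuids"].append(u.group(1).lower())
            else:
                controllers[-1]["props"][key] = value
    return controllers

def audit(text):
    """Return (address, finding) pairs for settings the article warns about."""
    findings = []
    for c in parse_show(text):
        if c["props"].get("Powered") != "yes":
            continue  # radio is off: nothing is advertised or reachable
        if c["props"].get("Discoverable") == "yes":
            findings.append((c["addr"], "discoverable"))
            if int(c["props"].get("DiscoverableTimeout", "0x1"), 16) == 0:
                findings.append((c["addr"], "discoverable with no timeout"))
        for short in c["uuids"]:
            if short in FILE_PROFILES:
                findings.append((c["addr"], "offers " + FILE_PROFILES[short]))
    return findings

if __name__ == "__main__": print(audit(SAMPLE))
```

On a real host, pass the captured output of `bluetoothctl show` to `audit()` in place of `SAMPLE` and treat any finding as a policy exception to chase down.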