Android Bluetooth Hacking

David Bombal · Beginner ·🔐 Cybersecurity ·2y ago

Key Takeaways

The video demonstrates Android Bluetooth hacking using a zero-click vulnerability, CVE-2023-45866, and tools like Raspberry Pi, Python 3, and Blue Ducky, to remotely control an Android phone without pairing, highlighting the importance of security patches and updates.

Full Transcript

In this video, I'm going to show you how to hack an Android phone using a zero click Bluetooth vulnerability. In this example, I've got a Raspberry Pi 5 running KI Linux. I've simply connected the monitor to the laptop so we can see on screen what's happening on the Raspberry Pi. Okay, so on the Raspberry Pi, I'm going to use the command Python 3 blue ducky. py. That's the Python script that allows us to attack the phone. We asked to enter the MAC address. I'm going to press enter so that the MAC address can be scanned. Previous MAC addresses that were discovered are stored in a file. So we can either go and rediscover devices or use a device that was previously discovered. In this example, I'm going to attack device full aus 7T. So I'm going to say yes. And the device that I want to attack is number four. Now we asked is this the MAC address that we want to attack? And the answer is yes. Now various scripts could be used. In this example I'm going to select two which is payload example 4. And notice what happens on the phone. Commands are now being sent to that phone. And what you'll notice is that I've been able to rick roll you by sending commands to the phone through Bluetooth from the Raspberry Pi. This is a HID type attack where we are sending keystrokes to the phone through Bluetooth as if we had a keyboard connected to the phone. This attack cannot be stopped on older Android devices. So, if you have an Android 10 device or earlier, you can't stop this type of attack. If you've got an Android 11 device, you can use a security patch to stop this or you need a later version of Android. So, a modern device using Android 14 as an example will not be susceptible to this attack. However, there are many devices out there running older versions of Android. Not everyone has the latest and greatest phone. So, people with older devices can't stop this attack. I'll list the CVE below this video in more details, but I actually interviewed Occupy the Web about this attack, and he explained more information about it, how to install the software to set this up and how to get it running. It's a very simple attack. In this example, I'm using an ASUS Bluetooth adapter, which I'll link below, for this attack. Other people have used the built-in Bluetooth adapter in a Raspberry Pi 4. Didn't work for me for a Raspberry Pi 5, but there are various adapters available out there that you could test this attack against. Now, as always, do not attack devices that you don't own or have permission to attack. In this example, this is my Android phone. This is my Raspberry Pi 5. I have given myself permission to attack my own device to show you the issues with older versions of Android. Unfortunately, in life today, you need to update your devices. When security vulnerabilities are discovered like this, you need to upgrade your version of Android. Older Android devices cannot be updated unfortunately, which means that if you are concerned about this problem, you need to buy a new device or turn off Bluetooth on your device whenever possible. Okay, so without further ado, let's talk to Occupy the Web and he can explain more details about this attack. I really want to thank Brilliant for sponsoring this video. Do you know how technology works? As an example, how strong passwords work? Should you be using a alpha numeric password or just passwords with digits in them or passwords with alpha numeric plus special characters? But do you actually know why? And do you know what a difference it makes when you change your password length? As an example, Brilliant has this interactive course that shows you how strong passwords work. Also has other fantastic courses here like teaching you how wireless communication works or how a GPS works or how recommendation engines work. Now, you can get access to all the courses on Brilliant's website for free for 30 days using my link below, brilliant.org/davidbombble. You'll also get 20% off an annual premium subscription. I really believe that education changes lives, and I want to thank Brilliant for putting together such fantastic courses, but also for supporting my channel. Today we're going to work on a uh a a recent vulnerability in the Bluetooth stack that uh allows an outsider to be able to uh inject commands into Bluetooth. All right, so inject commands through Bluetooth into the system. And this particular vulnerability, uh let's see, there's actually like four vulnerabilities that came out in December, so they're pretty recent. They're only a few months old. It's a CVE 2023 4586. And that's the uh that's the the basic CVE. It actually applies to any Bluetooth device. The scripts to be able to inject commands are slightly different. So, we're going to be working with the Android one, which I think might be the most most interesting one because despite what people might think, Android makes up about 80% of all of the mobile devices on the planet. You know, I often hear people say, "Oh, you know, it's like half Apple and half Android." Like, if you live in the US, Yeah. Yeah. If you're in the US, maybe maybe in the US and maybe in other other uh industrialized nations, but in the world, most phones are Android. So, let's focus on most devices, which are Android devices. And you know, there's lots of other flaws that we can address in the iPhone, but this one we're going to talk about in Android. And uh this one allows us to go in. It's a zeroclick attack. Zero click attack against Bluetooth. Now, Bluetooth has a range of so usually about 100 meters. Okay? So you can connect to devices within 100 meters but it is possible with proper antennas and a repeater that you can people have gotten Bluetooth to extend as much as a kilometer right so that's you know in in English terms what's that 610 of a mile right so it's a it's a good it's a good distance if you wanted to attack these systems but generally it's going to be 100 meters which means your office your home your school okay maybe your neighborhood your neighbor That's about as far as you can go. It's interesting that after well I maybe I should leave this later but one of the things that many years ago I guess it's maybe 10 12 years ago I had a company in Las Vegas come to me and they said what we'd like you to do is we'd like you to send an advertisement to everybody's phone who passes this corner through their Bluetooth device through their phones. And if have if you ever been to Las Vegas, and I know you have, right? There's thousands of people walking down the street, right? And as you walk down the street, there's there's people trying to bring you into a hotel or a bar or strip club or whatever it happens to be, right? And so this company approached me and said, "What we want you to do is to send an ad to everybody's phone so to bring them into our place." And I I told him no. But I after I was working with this particular exploit, I went this would have been perfect for that because what we can do is we can send that phone to their website. We can set inject commands into their phone to open up the website of whoever you want to sell the product to. So let's let's kind of keep that in mind. And uh you know it's it can be done it can be used for advertisement. It can be done maliciously. lots of things that it can be done done for. Could you download malware? So, by sending them to a website, get them get something downloaded to the phone. Well, what you can do is you can you can send them to a website, right? And then, of course, once they're in a website, okay, then you can go ahead and have them click on a link, what have you. But you can you can only send the URL to their phone. you can't necessarily inject, but you can inject commands into the phone. You know, like if you really wanted to be malicious, you could inject, you know, an RM-rf, right, into the phone and and and wipe everything out on the entire phone, right? This would be this would be very malicious, right? So, all of a sudden, people open up their phone and it's a brick. But what we're going to do today is we're going to just send send them to a website, you know, that everybody wants to go to. And that's hackers arise. Well done. So So we're not doing anything malicious. We're actually doing something really beneficial for them. We're taking them we're taking them to the site that everybody should be at, right? I love it. Uh so let's let's get started with this then. And uh and it's it's going to take a few steps, right? Uh but one of the things that you got to keep in mind, all right, is that Bluetooth has been around for I guess now 25 years. I think it came out in 1999 and it's a it's a a protocol that's designed to basically connect, you know, what's often referred to as a pico net or a a small network. Okay, a very small network. 100 meters is is pretty big. Zico and in the uh specifications say that it has to reach at least 10 m but most people most developers will build in greater range than that just because you know they want it to be able to connect easily. So let's go ahead and let's uh let's do a few downloads. And one of the the key downloads is there's a a library in that's available to us in it's off GitHub. It's called Blue Easy. Okay. So that's the first thing we need to do is get this go sudo apt to do any kind of Bluetooth hacking that you really need this library. Okay, of Bluetooth tools and it's called Blue EZ. Those people who've, you know, taken my classes or read some of my books will see that I've used this in the past. But, you know, people underappreciate how important Bluetooth is and what a important vector it might be into the mobile device, right? I mean, there's a lot of there's a lot of uh attention given to things like Pegasus, you know, um which is, you know, it's is a zeroclick um exploit to iPhones and other phones, okay, but primarily for iPhones. And that's a, you know, it's a very highlevel exploit. These Bluetooth exploits are generally pretty simple and uh and and easy to implement. All right. So, and everybody has Bluetooth on their phones or devices or speakers or TVs, you know, your cars. All right. So, you probably you probably connect your your Bluetooth in your car. So, this Bluetooth is everywhere. So, it's one that I think needs to be given additional attention. So, we're going to go to GitHub. All right. I have all of these tools already installed. So, but I'm just want to give the the viewers the uh the URLs pi blue easy. Okay. So, there it says it's already exists. I've already installed it. Okay. So, once we have this installed, this has a lot of tools that we need to do reconnaissance and and other things on Bluetooth. So if you gone ahead and and download it, you just got to go cd to pi. Let's make sure that so you can see it's right here. Here's the directory that it's created. So we want to go there. All right. Pi blue easy. Let's take a look inside there. And there's a bunch of tools in here. And there's there's really a lot. We're just going to scratch the surface of what you can do with this uh particular tool. But then you need to go ahead and do the Python pseudo Python 3 setup. You can see the setup right here. Yeah. All right. Setup. Uh PI install. All right. And then we'll go ahead and go through the installation script. All right. Good. All right. So then once we have this, there's a a number of tools that are built into here. All right. And one of them, probably one of the most important ones, is HCI or HCI config. Similar to in I'm going to go ahead and clear my screen. We all know that if config, right, in Linux or IP config in Windows, right, gives us shows us all of the interfaces. There's also a a similar tool in bluez that shows us all of the interfaces and enables and disables the interfaces and it's called HCI config. And so what we need to do first is that we need to go ahead and enable the Bluetooth device. I've got an external this is not using my uh the native Bluetooth on I've purchased an external Bluetooth device and this is a virtual machine. So what I'm going to do here is I'm gonna first of all I'm going to take it up. I'm gonna enable it. All right. That's the terminology. Go HCI config. All right. And it's very similar to like in Linux where you go if config eth0 up. Okay. Or IP like up. ETH0 up. Let's go and go uh HCI. I'm assuming that's my the name of my device. Okay. HCI. So, it's either HCI 1, HCI0, HCI 2. Okay. Looks like it's up. What's the device that you're using there? It's a external Bluetooth adapter. Is it a specific Can you give us the brand or the specific one? Uh, I think this one's Panda. All right. But the the key is the the chipset, Cambridge Silicon Radio. I found that these chips these chipsets work best for this type of work. And then if I go LS USB, okay, I can see it right here. It's a Bluetooth dongle in HCI mode. Then what I can do is if I want to go ahead and search, for instance, for all of the Bluetooth devices in my range. Okay, what I can do is as part of this suite of tools, I can go use pseudo. There's a tool called HCI tool and it's scan. So, let's see if we This will allow me to see which Bluetooth devices are within range and and are accessible to me. It's kind of like doing maybe a ping scan or an end mapap scan where you're going out to see what uh what devices are out there and which ones are available to you. This uh we'll go ahead and run this and see which ones are. We probably should probably pick up some of my neighbors machines as well. Let's see. Here they come. Oh, okay. Looks like Oh, we got a Galaxy Note 10 there. We got a speaker system. We got looks like a TV. Looks like my neighbor's TV. Let's try it again and see if we can pick up any more. Notice that these are MAC addresses of those devices. And that's really what we need to be able Remember, MAC addresses are globally unique. Oh, only picked up two this time. The Galaxy Note is not some one of the things that you'll find is that if you run this tool, you know, it'll pick up some sometimes and not at others. So, but all you need to know is the MAC address. Okay. So, even if it doesn't pick it up, if you got the MAC address, you're good. It looks like we have the MAC address of a few devices here. Is there a specific phone that you're looking to attack or specific device? Oh, this this one right here. This is a Galaxy Note 10. It's pretty new. Yeah, I'm just kind of Yeah, taking it out. Yeah, I've got Oh, we have four of them this time. See, so one of the once again we we this is how we find the Bluetooth devices that are out there. We can get a lot more information about the device, okay? By taking the MAC address, okay, and then going ahead and putting it into a tool called SDP. I'm going use pseudo SDP tool. Uh browse. I think a lot of folks don't recognize that there's a lot of differences between Bluetooth devices and we can pick up a lot of that information. So what we've done is we've gone into the device to find out all its capabilities. This is part if you're if you're trying to hack a system, the more you know about it, the better. And one of the things that maybe not that well known but but you and I did talked about a little bit in an earlier uh video is that one of the classes of Bluetooth devices is a human interface device a hit. Yeah. Okay. So human interface device is a Bluetooth keyboard or Bluetooth mouse. So if I can connect to your Bluetooth device. Okay. If I can connect to your Bluetooth device and present myself as a keyboard, then I can inject commands. And that's essentially what this particular tool does. It uh allows you to authenticate against the Bluetooth and then once you've authenticated, inject commands into it. So this kind of kind of basic Bluetooth, you know, reconnaissance that we're done this far, but you can learn a lot about this is an Android network access point right there. Okay. Tells us a lot about what it's what it is. This is a a Android Note 10. So, it's a pretty new. It's not latest and greatest, but it's it's it's pretty new and it's unpatched. So, we got a few more things. That's kind of basic Bluetooth reconnaissance. Okay, this would be the first thing you need to do before you you go any further. I'm going to clear my screen and we're going to install a few more tools. All right, here's a bunch of the dependencies that you need. I'm going to put them on the screen. So often times when we're using a new tool, we have to go ahead and and get all of the libraries that are necessary. That's what these are. These are just libraries that are necessary for the our tool to work. All right, you see it's already the latest already installed. All right, then we have to go and do a couple more things and then we can get started here. First of all, we're going to go have to go ahead and couple more commands before we can actually get our tool to work. This is uh going ahead and installing. In this case, it's going to be the add BD Bluetooth add blue EZ. All right, let's go ahead and hit that. It already exists. It's not an empty directory. It tells us. And then we're going to have to go ahead and compile that. We're on our on our machine. So, we're going to use GCC to compile. I'm just going to copy and paste and compile it. And then we're going to go ahead and copy. Okay. Pseudo CP copy B D A D R to where else but user local bin. Why user local bin? Because that is in the path directory. That means that we can then use it from any place on our system. All right? Because it's going to be in the path. If you don't understand paths, go ahead and I think it's chapter eight in Linux basics for hackers. Take a look at that. And then last step, okay, before we get started is to go ahead and install a tool called Blue Ducky. Blue Ducky is simply an implementation of a a proof of concept that was developed and they just put it into a nice easy to use Python script that we can attack these systems. And there it is right there. Blue Ducky from a group called Pentest Functions. Let's go ahead and hit enter. And we're good. Now, let's go ahead and go CD into blue ducky. Yeah. And take a look inside there. Okay. And there's our blue ducky right there. There's some payloads in here. Payloads are what you can go ahead and inject into this into the system. Now, one of the things that I found in using this is that dependent upon what your Bluetooth adapter's name is. All right, remember it's mine is HCI0 or HCI1. A lot of times it'll mine will come up as HCI1. This particular tool is designed to use HCI 0. So, if you want if you wanted to change it, I'll show you how to do that. The first time I used it, I had to do this. And now that I might have to change this one back. Okay, but let's go ahead and pseudo. Okay, mouse pad. And then we'll go blue ducky. I'm just going ahead and opening it up in a text editor. Blue Ducky py. All right, here's here is the script. If we scroll down a little bit, it's like 700 lines or something like that, the script. So, it's a pretty sophisticated script. Uh, let's see. It's right. Okay, here's the payload. And there it is right there. It defaults to HCI0. So, if you've installed your Bluetooth adapter and it comes up as HCI1, which mine did initially, then you're going to have to change this to HCI1. It's not a big deal, but you can just go ahead and change it to one. Save it. You're going to have to open it up as as root using pseudo. And once you've done that, then it'll then use whatever adapter that you want to use. All right. So, that's done. You changed it, right? I did not change. I left it at mine is this time I think this time on this machine, right? I think the first time I I I I did it on another machine and it went to my adapter was recognized as HCI1. So that's why I put that in there because I know that I'm I'm on one of my machines it came up as HCI1. Uh usually the very first device should come up as HCI0 and second one HCI1. And it might have been I don't remember but it might have been that I had another Bluetooth device in there. All right. And so the second one is going to be HCI1. Let's go ahead and you can see that we don't have permissions here. Okay. Ducky py. Let's go ahead and give ourselves permissions to use it. And let's see. We're go I'm going to go 755. That's kind of my standard. All right. And so now it should we should look good. All right. Yeah. All right. Now let's go sudo. All right. and Python 3 Blue Ducky. I think the name is a play on Bluetooth and uh rubber ducky also. Rubber ducky, right? So, this is kind of like a a rubber ducky, but it's it's remote and it's zero click, right? So, let's go ahead and run it. There it is. Says, what is the target address? Okay, leave blank and we'll scan for you. So, if we don't if we don't know the target address, I do have it because I when I already did a scan, but let's go ahead and just assume we don't have it. All right. And see what if it can find our devices. And then once we find the devices, it can we can just go ahead and select. Okay. Which one device we want to go ahead and hack. Let's go ahead and hit enter. So, what it's doing is it's using the the blue EZ to go ahead and scan for all the Bluetooth devices in the area. And so you can see we have a a Android device right here. It says, "Do you want to use one of these known devices?" Yeah, let's Yeah, I do want to use one of those. Enter the number of the device one. And yes, I want to use the first payload. Yes. But beautiful. All right. Okay. And my phone just opened up to hackers arise.com. All right, here's the Okay, processing string. Hackers rise. It sent that string. Opened up that everybody's favorite website. And if you give me a second, I will take and do a screenshot. Okay, to show you that it opened up that on my phone, on this phone. And give me a second to get it into the system here. And there it is. Nice. And so this is uh this is a screenshot of my phone. Uh as you can see, we're having that's our 8th anniversary. I probably should have said this at start is that this is our this is our eighth anniversary. So we're having a big sale and that's what comes up. That's our drop-down ad. Um for those of you who don't like ads, I apologize, but that's what that's the real life and that's the drop-own menu. If you're on our website and you see this, don't fret. Just simply click anywhere on the screen and the ad goes away. I've had lots of people say, "Oh, I can't read your your tutorials because there's an ad in the way." Well, click away from it and the ad goes away. But in any case, we're we're when we're doing this recording, we're in our 8th anniversary, our 8th birthday celebration, and so we're offering 25%. So that's why that drop- down menu. But you can see how powerful this is is that I can send any command, okay, into the phone. In this case, what we did is we sent them to a website. Uh you can send them to any website you want. You can imagine that, you know, things could get malicious here or they could be, you know, a way of advertising. you know, if there's uh we can imagine I can imagine I don't want to get too deep into the thes here about what pe what people could do with this. But just be creative and think about it that there's lots of things that you can send directly in. Now, this is on unpatched Android phones. The older phones, okay, before Android 11 cannot be patched. All right. So, it applies to unpatched 11, Android 11 and and the future revisions, right? And then the ones before Android cannot be patched. All right. So, there's a lot of phones that are going to be vulnerable to this type of attack. This is a zero click attack. I didn't have to touch anything. I sent I connected to the phone from in this case I'm working from my uh Cali system. It could be put into your your phone and and uh and and make it mobile and then connect to Android devices. In this case, Android devices. There's also script for Linux and for Mac and for Windows. This case it's Android. And send whatever commands you want into that system. We just did it by simply injecting a website into their phone and then their phone opens up to the website. So I think it's a really interesting um development in in the recent well this is in the last couple months. So this came out the original vulnerability came out in December and then uh the proof of concept came out in January and then this blue ducky came out I don't know a couple of months ago or so. So there's a a lot of possibilities that one can do this use this for. But I think it also highlights that Bluetooth is an underappreciated attack vector into the mobile device, right? It has a lot of vulnerabilities and that's why we've uh decided to to offer a class specifically on Bluetooth vulnerabilities and attacks versions. So did you say prior to version 11 it can't be patched but after version 11? So all the latest if I have Android 14 I could still be v vulnerable to this. you could be if it's unpatched, right? So, if you've never allowed for the security updates, right, um then it's going to be unpatched. Those older phones cannot be patched. Yeah. So, so if you're in a in an area where, you know, people are using older phones and often times in Android, people keep phones around a long time and so those systems cannot be patched and you can simply inject commands directly into them. It's a great example of why you should keep your stuff up to date if you can. Exactly. Yeah. And why you don't want to have old devices necessarily. Sorry. Go on. Yeah. I I think it's it points out why security updates are so important because, you know, these things are coming up all the time. There's constantly new vulnerabilities found and the developers are constantly putting out new patches. We've seen in the last couple of months a lot of a lot of vulnerabilities come up from a variety of devices including some firewalls came out, right? People are people are connecting to firewalls, you know, and and disabling uh them. So, it's there's there's all kinds of So, you need to keep these up to date. Of course, for a zero day, there's not a whole lot that you can do. But um as a minimum, as a security engineer and your if your responsibility for the organization is to keep it as safe as possible, one of the things you need to do is make sure that things are patched, right? But patching often times creates its own problem. So this is why a lot of firms have their own patching area team that does it because sometimes patches can break systems. So before you go ahead and roll out a patch on all of your systems, test it first, right? For the individual, that's probably not going to be a realistic. But often I find with individuals, sometimes people will put off patching, put off patching because they don't want to go through the the downloads and wait for it. So there's a I haven't tested, but I'll bet you there's millions of phones that this is is going to work against that are unpatched. So this is this was for Android, but you said there's Bluetooth attacks for Linux and Windows and other operating systems, right? There is there is a separate uh proof of concepts out there against uh Linux, MacOSS and Windows. So the really the vulnerability is in Bluetooth, but there's slightly slightly different scripts to be able to exploit Bluetooth on those devices. Yeah, I think for a lot of people occupy the web neighbors are making a lot of noise with their speakers, right? I think a lot of people I'm not suggesting anyone do that but it's if it's possible for someone to like hack their speakers and destroy them then the music stops right well you could I mean I I haven't tried this but I think that you could basically go you can send any command into the system right and assuming it's a a Linux system you know you could send something in you know to shut down for instance or you know rm-rf those of you who are Linux afficionados know what that'll do it'll Y basically wipe out the entire operating system. So those are all possibilities, but those this particular script blue ducky only works against Android, but there are other point proof of concepts out there for Linux, Mac, and Windows, which you could use to send inject commands. So there's a lot of possibilities here, right? And there's so many Bluetooth connected devices. I mean, think about it in in your home. How many devices are using Bluetooth? One of the things that talking about the, you know, knocking out the speakers, one of the things that we've done is to be able to use a SDR, okay, a software defined radio to jam a Bluetooth speaker. So remember the not always, but often times these speakers are Bluetooth speakers, right? Yeah. And they're taking a they're taking a 2.45 four or five gigahertz message the same as you know the Wi-Fi same frequency and actually the same frequency as Bluetooth as well and you can send out a jam signal and break up that signal it doesn't stop it entirely what it does is it garbles them you know so that the person who's trying to blast their music in your next door is is not going to get something that's pleasant they're going to get something that's very disconcerting I think we should get you back for that one okay we'll plan on do doing that And so we can put on some really pleasant music and then basically send in a lot of noise, okay, between the Bluetooth device that's sending the music to the speaker. So we can put in a bunch of garbage in between there and what you end up with is a me is a music that's very unpleasant to listen to. Hackrf will work at 2.5 GHz and it can send a signal. So yes, it it works with that. it'll work with. In my case here, I was using the Lime Mini to do it, but I haven't tried it with the Hack RF. I'll try it with the Hack RF and maybe we can do that in the future. And you'll see that the music just becomes a bunch of garbled mess. And so that the person who's, you know, is being obnoxious to all their neighbors by blasting their music is going to get a very unpleasant sounds coming out of their speakers. Because what you do is that you're just sending in a bunch of random inputs into their device, okay? Into the stream into the stream between their devices. And so they get some of the music but not all of it. And it becomes a bunch of very unpleasant sounds. for everyone watching, let us know if you want to see that. I think it'll be fun. Uh, obviously don't recommend that you do that, but it's just show you the vulnerabilities, right, in in this technology. Will will YouTube allow us to do that? Would that be something that will break? Yeah, we will take some like classical music or something that's non-copyright. Saki, by the way, we can't end the video without showing you books. I've had this book on display for the entire video. So, hopefully someone noticed that. But you're also the author of Linux Basics for Hackers. So for everyone watching, we have done we're still hoping to complete it, but we've done quite a few videos on this book. So I've linked that below and also network basics for hackers, which I love. Um, occupy the web got to get you back for more videos on perhaps more Linux, more networking basics and also becoming a master hacker. And let's do some SDR as well. you know, some of some of these SDR I think this is a really underappreciated area is being able to hack radio signals, which you know, when people hear hacking radio signals, they think of their, you know, the music player in their car or in their home, but there's so many of the devices in our world use radio for communication. We got a lot to we've got a lot to cover, man. So, thanks again for sharing OTW. Really appreciate you coming on the channel and, you know, freely sharing your knowledge. It's always been in the past, I think, sometimes where people have hoarded their knowledge, but I really appreciate you sharing. Thanks so much. Thanks for having me, David. I hope you enjoyed this video. If you did, please like it and please consider subscribing to my YouTube channel. I'm David Bombell, and I want to wish you all the very best.

Original Description

Big thank you to Brilliant for sponsoring this video! Try Brilliant for free (for 30 days) and to get a 20% discount, visit: https://Brilliant.org/DavidBombal CVE-2023-45866 allows attackers to remotely control an Android phone (and other devices) without pairing. Details: Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue. Source: Mitre See CVE details here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45866 https://nvd.nist.gov/vuln/detail/CVE-2023-45866 How to stop / mitigate this attack: 1) Upgrade your phone / install security patches on Android for versions 11 and later. Unfortunately earlier versions cannot be patched (Android 10 and earlier) 2) Note: For the script to discover the MAC address of the phone, the phone needs to be in pairing mode. 3) Turn off Bluetooth if not being used // Script and instructions here // GitHub: https://github.com/pentestfunctions/BlueDucky // Occupy The Web Books // Linux Basics for Hackers: US: https://amzn.to/3wqukgC UK: https://amzn.to/43PHFev Getting Started Becoming a Master Hacker US: https://amzn.to/4bmGqX2 UK: https://amzn.to/43JG2iA Network Basics for hackers: US: https://amzn.to/3yeYVyb UK: https://amzn.to/4aInbGK // OTW Discount // Use the code BOMBAL to get a 20% discount off anything from OTW's website: https://hackers-arise.net/ // Occupy The Web SOCIAL // X: https://twitter.com/three_cube Website: https://hackers-arise.net/ // GitHub CODE // https://github.com/pybluez/pybluez // Amazon LINKS // Rasberry Pi 5: US: https://amzn.to/3JZKoZD UK: https
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from David Bombal · David Bombal · 0 of 60

← Previous Next →
1 RYU SDN Controller Part 4: Graphical User Interface (GUI): Practical GNS3 SDN and OpenFlow
RYU SDN Controller Part 4: Graphical User Interface (GUI): Practical GNS3 SDN and OpenFlow
David Bombal
2 HPE Network Protector SDN Application Part 1 - Introduction
HPE Network Protector SDN Application Part 1 - Introduction
David Bombal
3 HPE Network Protector SDN Application Part 2 : DNS Interception using OpenFlow
HPE Network Protector SDN Application Part 2 : DNS Interception using OpenFlow
David Bombal
4 HPE Network Protector SDN Application Part 3 - Lab Setup using Physical Switches
HPE Network Protector SDN Application Part 3 - Lab Setup using Physical Switches
David Bombal
5 HPE Network Protector SDN Application Part 4 - Demo of malicious websites blocked
HPE Network Protector SDN Application Part 4 - Demo of malicious websites blocked
David Bombal
6 HPE Network Protector SDN Application Part 5 - Demo OpenFlow table interception flows
HPE Network Protector SDN Application Part 5 - Demo OpenFlow table interception flows
David Bombal
7 HPE Network Protector SDN Application Part 6 - Demo of Physical Switch configuration
HPE Network Protector SDN Application Part 6 - Demo of Physical Switch configuration
David Bombal
8 HPE Network Protector SDN Application Part 7 - Demo Service Insertion Tunnel / GRE Tunnel
HPE Network Protector SDN Application Part 7 - Demo Service Insertion Tunnel / GRE Tunnel
David Bombal
9 HPE Network Protector SDN Application Part 8 - Demo SDN OpenFlow Reporting
HPE Network Protector SDN Application Part 8 - Demo SDN OpenFlow Reporting
David Bombal
10 HPE Network Protector SDN Application Part 9 - Demo switches interception of DNS traffic
HPE Network Protector SDN Application Part 9 - Demo switches interception of DNS traffic
David Bombal
11 GNS3 Talks: GNS3 version 1.5.X Appliance Tips
GNS3 Talks: GNS3 version 1.5.X Appliance Tips
David Bombal
12 CCNA 200-125 Exam: AAA demo: TACACS+ with GNS3
CCNA 200-125 Exam: AAA demo: TACACS+ with GNS3
David Bombal
13 GNS3 2.0.0 beta 2 install
GNS3 2.0.0 beta 2 install
David Bombal
14 CCNA #012: Learn SNMP with GNS3, Wireshark and Solarwinds NPM - CCNA 200-125 exam
CCNA #012: Learn SNMP with GNS3, Wireshark and Solarwinds NPM - CCNA 200-125 exam
David Bombal
15 CCNA #013: Spanning Tree CCNA Exam Questions: Know the answer? CCNA 200-125 exam
CCNA #013: Spanning Tree CCNA Exam Questions: Know the answer? CCNA 200-125 exam
David Bombal
16 GNS3 2.0.0 beta : GNS3 VM integration with GNS3 GUI
GNS3 2.0.0 beta : GNS3 VM integration with GNS3 GUI
David Bombal
17 CCNA #018: Routing exam questions: Who wins? OSPF, EIGRP or RIP? Sure? CCNA 200-125 exam
CCNA #018: Routing exam questions: Who wins? OSPF, EIGRP or RIP? Sure? CCNA 200-125 exam
David Bombal
18 CCNA #019: Spanning Tree CCNA Exam Questions: Root Bridge, Root Port and more: CCNA 200-125 exam
CCNA #019: Spanning Tree CCNA Exam Questions: Root Bridge, Root Port and more: CCNA 200-125 exam
David Bombal
19 GNS3 Download, installation and configuration - GNS3 1.5.3 and Windows 10
GNS3 Download, installation and configuration - GNS3 1.5.3 and Windows 10
David Bombal
20 CCNA #023 EIGRP Neighbor Troubleshooting (DUAL Issues) for the CCNA 200-125 Exam
CCNA #023 EIGRP Neighbor Troubleshooting (DUAL Issues) for the CCNA 200-125 Exam
David Bombal
21 GNS3 2.0 Architecture and schema Part 1: What is the GNS3 Controller?
GNS3 2.0 Architecture and schema Part 1: What is the GNS3 Controller?
David Bombal
22 GNS3 2.0 Architecture and schema Part 2: Emulators and virtualization
GNS3 2.0 Architecture and schema Part 2: Emulators and virtualization
David Bombal
23 CCNA #028 VTP Troubleshooting for the CCNA 200-125 Exam
CCNA #028 VTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
24 CCNA #029 VTP & DTP Troubleshooting for the CCNA 200-125 Exam
CCNA #029 VTP & DTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
25 CCNA #030 VTP Troubleshooting for the CCNA 200-125 Exam
CCNA #030 VTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
26 GNS3 : How to download Cisco IOS images and VIRL images. Which is the best? How do you get them?
GNS3 : How to download Cisco IOS images and VIRL images. Which is the best? How do you get them?
David Bombal
27 GNS3 ASA setup: Import and configure Cisco ASAv with GNS3
GNS3 ASA setup: Import and configure Cisco ASAv with GNS3
David Bombal
28 GNS3 switching setup and options: Cisco and other switching options in GNS3
GNS3 switching setup and options: Cisco and other switching options in GNS3
David Bombal
29 GNS3 switching setup and options Part 2: GNS3 unmanaged built-in switch
GNS3 switching setup and options Part 2: GNS3 unmanaged built-in switch
David Bombal
30 GNS3 switching setup and options Part 3: Router on a sick with GNS3 unmanaged built-in switch
GNS3 switching setup and options Part 3: Router on a sick with GNS3 unmanaged built-in switch
David Bombal
31 GNS3 switching setup and options Part 4: Etherswitch Router for Cisco Dynamips Part 1
GNS3 switching setup and options Part 4: Etherswitch Router for Cisco Dynamips Part 1
David Bombal
32 GNS3 switching setup and options Part 5: Etherswitch Router for Cisco Dynamips Part 2
GNS3 switching setup and options Part 5: Etherswitch Router for Cisco Dynamips Part 2
David Bombal
33 GNS3 switching setup and options Part 6: Etherswitch, Wireshark, 802.1Q, InterVLAN routing
GNS3 switching setup and options Part 6: Etherswitch, Wireshark, 802.1Q, InterVLAN routing
David Bombal
34 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 1: GNS3 Switching Part 7
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 1: GNS3 Switching Part 7
David Bombal
35 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 2: GNS3 Switching Part 8
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 2: GNS3 Switching Part 8
David Bombal
36 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 3: GNS3 Switching Part 9
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 3: GNS3 Switching Part 9
David Bombal
37 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 4: GNS3 Switching Part 10
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 4: GNS3 Switching Part 10
David Bombal
38 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 5: GNS3 Switching Part 11
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 5: GNS3 Switching Part 11
David Bombal
39 GNS3 Nexus (NX-OSv) switch setup and configuration Part 1: GNS3 switching options Part 12
GNS3 Nexus (NX-OSv) switch setup and configuration Part 1: GNS3 switching options Part 12
David Bombal
40 GNS3 Nexus (NX-OSv) switch setup and configuration Part 2: GNS3 switching options Part 13
GNS3 Nexus (NX-OSv) switch setup and configuration Part 2: GNS3 switching options Part 13
David Bombal
41 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 6: GNS3 Switching Part 14
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 6: GNS3 Switching Part 14
David Bombal
42 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 7: GNS3 Switching Part 15
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 7: GNS3 Switching Part 15
David Bombal
43 GNS3 Cisco CSR 1000v setup and configuration Part 1: GNS3 NFV
GNS3 Cisco CSR 1000v setup and configuration Part 1: GNS3 NFV
David Bombal
44 GNS3 Cisco CSR 1000v setup and configuration Part 2: GNS3 NFV
GNS3 Cisco CSR 1000v setup and configuration Part 2: GNS3 NFV
David Bombal
45 GNS3 Talks: Use the NAT node to connect GNS3 to the Internet easily!
GNS3 Talks: Use the NAT node to connect GNS3 to the Internet easily!
David Bombal
46 GNS3 Talks: GNS3 2.0 RC1 is now available
GNS3 Talks: GNS3 2.0 RC1 is now available
David Bombal
47 GNS3 Talks: GNS3 2.0 Portable Projects - easily export and import GNS3 projects
GNS3 Talks: GNS3 2.0 Portable Projects - easily export and import GNS3 projects
David Bombal
48 GNS3 Talks: Multiple clients sharing projects in real time, plus console session shadowing!
GNS3 Talks: Multiple clients sharing projects in real time, plus console session shadowing!
David Bombal
49 CCNA #035 NAT Troubleshooting Scenario 1 - Can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #035 NAT Troubleshooting Scenario 1 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
50 CCNA #036 NAT Troubleshooting Scenario 2 - Can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #036 NAT Troubleshooting Scenario 2 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
51 GNS3 Talks: ESXi, GNS3 VM and KVM support Part 1: leverage servers and the cloud
GNS3 Talks: ESXi, GNS3 VM and KVM support Part 1: leverage servers and the cloud
David Bombal
52 CCNA #037 OSPF Troubleshooting - can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #037 OSPF Troubleshooting - can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
53 GNS3 Talks: ESXi, GNS3 VM and KVM support Part 2:  leverage servers and the cloud
GNS3 Talks: ESXi, GNS3 VM and KVM support Part 2: leverage servers and the cloud
David Bombal
54 CCNA #038 NAT Troubleshooting Scenario 3 - Can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #038 NAT Troubleshooting Scenario 3 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
55 CCNA #039 - OSPF DR, BR and DROTHER Election - do you know the answers?
CCNA #039 - OSPF DR, BR and DROTHER Election - do you know the answers?
David Bombal
56 CCNA #040 NAT Troubleshooting Scenario 4 - Can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #040 NAT Troubleshooting Scenario 4 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
57 GNS3 Talks: Arista vEOS GNS3 import and configuration Part 1
GNS3 Talks: Arista vEOS GNS3 import and configuration Part 1
David Bombal
58 CCNA #041 - OSPF DR, BR and DROTHER Election - do you know the answers?
CCNA #041 - OSPF DR, BR and DROTHER Election - do you know the answers?
David Bombal
59 GNS3 Talks: Arista vEOS GNS3 import and configuration Part 2
GNS3 Talks: Arista vEOS GNS3 import and configuration Part 2
David Bombal
60 GNS3 Talks: ipterm: Linux, Docker, Python, SDN and more! Part 1
GNS3 Talks: ipterm: Linux, Docker, Python, SDN and more! Part 1
David Bombal

The video teaches how to use a zero-click Bluetooth vulnerability to hack an Android phone, highlighting the importance of security patches and updates, and demonstrating the use of tools like Raspberry Pi and Blue Ducky.

Key Takeaways
  1. Connect the Raspberry Pi to a monitor
  2. Run the Python script (Python 3 blue ducky.py)
  3. Enter the MAC address of the device to attack
  4. Select the payload (e.g. payload example 4)
  5. Use HCI config to enable and disable interfaces
  6. Use HCI tool to scan for Bluetooth devices in range
  7. Identify devices by MAC address
  8. Use SDP to get more information about a device
💡 The video highlights the importance of security patches and updates, as older Android devices are vulnerable to zero-click attacks, and demonstrates the use of tools like Raspberry Pi and Blue Ducky to exploit these vulnerabilities.

Related Reads

📰
SQL Injection Is Not Dead: Why an Old Vulnerability Still Breaks Modern Applications
SQL injection remains a significant threat to modern applications despite being an old vulnerability, and understanding its impact is crucial for cybersecurity
Medium · Cybersecurity
📰
TryHackMe: Support Walkthrough
Learn to exploit vulnerabilities in a TryHackMe support system through a step-by-step walkthrough, improving your cybersecurity skills
Medium · Cybersecurity
📰
Phase One: Getting Situational Awareness Right
Learn how to begin Active Directory penetration tests with situational awareness and environmental context to improve cybersecurity
Medium · Cybersecurity
📰
How to Detect Unauthorized Devices on Your Network with Python (A Practical Scapy Tutorial)
Learn to detect unauthorized devices on your network using Python and Scapy, enhancing your network security skills
Medium · Cybersecurity
Up next
Stop Hackers Getting Into Your Website By Updating Old Plugins
Josiah Roche — Google Ads + SEO Training
Watch →