| name | offensive-bluetooth-classic |
| description | Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks, legacy PIN cracking (BlueBorne / KNOB), Bluetooth file-transfer abuse (BlueSnarfing legacy), unauthenticated profile abuse (HSP, HFP, OPP), and modern relevance against older industrial / automotive / accessory targets. Use when in-scope devices use Bluetooth Classic (Bluetooth ≤ 4.0 BR/EDR) — common in legacy car kits, industrial sensors, older medical devices, and audio accessories. |
# Bluetooth Classic (BR/EDR) Attacks

Older than BLE and less commonly attacked today, but still present in cars, industrial sensors, audio gear, and legacy enterprise hardware. Many of the well-known historic attacks (BlueSnarf, BlueBug) are mitigated; KNOB and the BlueBorne family remain relevant against unpatched devices.
## Quick Workflow

- Discover devices with hcitool / bluetoothctl / redfang
- Enumerate exposed services via SDP
- Test each service profile for unauthenticated access
- Check pairing crypto (KNOB applicability)
- Proximity / physical attacks for legacy or unpatched devices
## Discovery

```bash
sudo hciconfig hci0 up
sudo hcitool inq
sudo hcitool scan --length=12
bluetoothctl
> scan on
> devices
sudo redfang -r 00:00:00:00:00:00-FF:FF:FF:FF:FF:FF
```
## Service Discovery (SDP)

```bash
sdptool browse AA:BB:CC:DD:EE:FF
sdptool records AA:BB:CC:DD:EE:FF
```

Common profiles and their attack relevance:

| Profile | UUID | Attack |
|---|---|---|
| OBEX Object Push (OPP) | 0x1105 | BlueSnarf/BlueBug on legacy phones (mostly extinct) |
| OBEX File Transfer (FTP) | 0x1106 | Browse / write filesystem on legacy devices |
| Headset (HSP/HFP) | 0x1108 / 0x111E | Eavesdrop active call audio |
| Serial Port Profile (SPP) | 0x1101 | Industrial/IoT debug ports, often unauthenticated |
| HID | 0x1124 | Keyboard/mouse impersonation |
| Audio Sink/Source (A2DP) | 0x110B / 0x110A | Audio injection/eavesdrop |
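The SDP output above is what ends up in the report, so it is worth turning it into structured findings rather than pasting raw text. The script below is an added example for this skill file, not code from the original page or from BlueZ: it parses the text that `sdptool browse` prints, extracts each record's service class UUID and RFCOMM channel, and maps them to the profile/risk notes in the table above (the same mapping the Reporting section asks for). `SAMPLE_OUTPUT` is a constructed sample in sdptool's output layout, not a capture from a real device.

```python
"""Turn `sdptool browse` output into report-ready findings (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# 16-bit service class UUIDs and risk notes taken from the profile table above
PROFILE_RISK = {
    0x1101: ("Serial Port Profile (SPP)", "industrial/IoT debug port, often unauthenticated"),
    0x1105: ("OBEX Object Push (OPP)", "legacy BlueSnarf/BlueBug surface"),
    0x1106: ("OBEX File Transfer (FTP)", "filesystem browse/write on legacy devices"),
    0x1108: ("Headset (HSP)", "active call audio exposure"),
    0x111E: ("Hands-Free (HFP)", "active call audio exposure"),
    0x1124: ("HID", "keyboard/mouse impersonation"),
    0x110A: ("Audio Source (A2DP)", "audio injection/eavesdrop"),
    0x110B: ("Audio Sink (A2DP)", "audio injection/eavesdrop"),
}


@dataclass
class ServiceRecord:
    name: str = ""
    handle: str = ""
    class_ids: list = field(default_factory=list)
    rfcomm_channel: Optional[int] = None


def parse_sdptool_browse(text: str) -> list:
    """Split an sdptool record dump (records are separated by blank lines)."""
    records, current, section = [], None, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current record
            current, section = None, None
            continue
        if current is None:
            if not line.startswith("Service "):
                continue                # e.g. the "Browsing <MAC> ..." banner
            current = ServiceRecord()   # records without a name still start here
            records.append(current)
        if line.startswith("Service Name:"):
            current.name = line.split(":", 1)[1].strip()
        elif line.startswith("Service RecHandle:"):
            current.handle = line.split(":", 1)[1].strip()
        elif line.startswith("Service Class ID List:"):
            section = "class"
        elif line.startswith("Protocol Descriptor List:"):
            section = "proto"
        elif line.startswith("Profile Descriptor List:"):
            section = "profile"
        elif section == "class":
            m = re.search(r"\((0x[0-9A-Fa-f]+)\)", line)
            if m:
                current.class_ids.append(int(m.group(1), 16))
        elif section == "proto":
            m = re.search(r"Channel:\s*(\d+)", line)
            if m:
                current.rfcomm_channel = int(m.group(1))
    return records


def triage(records: list) -> list:
    """Return one finding per record whose class UUID appears in PROFILE_RISK."""
    findings = []
    for rec in records:
        for cid in rec.class_ids:
            if cid in PROFILE_RISK:
                profile, risk = PROFILE_RISK[cid]
                findings.append({"profile": profile, "uuid": f"0x{cid:04X}",
                                 "rfcomm_channel": rec.rfcomm_channel,
                                 "handle": rec.handle, "risk": risk})
    return findings


# Constructed sample in sdptool's output format: SPP on channel 1, OPP on
# channel 9, and a PnP record (unnamed) that the table does not cover.
SAMPLE_OUTPUT = """\
Browsing AA:BB:CC:DD:EE:FF ...
Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10002
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service RecHandle: 0x10003
Service Class ID List:
  "PnP Information" (0x1200)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "SDP" (0x0001)
"""

if __name__ == "__main__":
    for f in triage(parse_sdptool_browse(SAMPLE_OUTPUT)):
        print(f"{f['profile']} ({f['uuid']}) rfcomm ch {f['rfcomm_channel']}: {f['risk']}")
```

Records that sdptool prints without a `Service Name:` line are kept (they start at `Service RecHandle:`), so an unnamed SPP record is not silently dropped; only records whose class UUID is in the table become findings, which keeps PnP/SDP housekeeping records out of the report.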
## SPP Abuse

The Serial Port Profile (SPP) tunnels arbitrary data over Bluetooth as a virtual COM port. Industrial / IoT devices use it for debug or telemetry, often without authentication.

```bash
sudo rfcomm bind /dev/rfcomm0 AA:BB:CC:DD:EE:FF 1
sudo screen /dev/rfcomm0 9600
```
## KNOB (CVE-2019-9506)

Forces the Bluetooth encryption key negotiation down to a 1-byte key, making the link key trivially brute-forceable.

```bash
git clone https://github.com/seemoo-lab/internalblue
internalblue
> log keys
```

Patched in firmware on most modern devices. Still works against:

- Older Broadcom-based devices (pre-2019 BCM chipsets)
- Embedded automotive Bluetooth stacks
- Cheap consumer audio gear
## BlueBorne (CVE-2017-1000251 et al.)

A family of buffer overflows / info leaks in major Bluetooth stacks (Linux BlueZ, Android, Windows, iOS). Mostly patched in 2017–2018, but unpatched embedded Linux devices are common.

```bash
git clone https://github.com/ArmisSecurity/blueborne
python blueborne_scanner.py AA:BB:CC:DD:EE:FF
```
## HID Spoofing (PoC)

If pairing succeeds via Just Works or a weak PIN, you can register as a HID device — keystroke injection on an unattended Bluetooth-paired host.

```bash
hcitool dev
hciconfig hci0 class 0x000540
sdptool add HID
```
## Audio Eavesdropping

If a target has a Bluetooth headset paired and active, and you can re-pair (PIN brute force or KNOB):

- HSP/HFP profiles let you become the peer and receive audio
- Some firmware allows simultaneous peer connections — eavesdrop without disrupting
## Engagement Cheatsheet

```bash
sudo hcitool inq
sdptool browse <MAC>
sudo rfcomm bind /dev/rfcomm0 <MAC> 1
sudo screen /dev/rfcomm0 9600
python blueborne_scanner.py <MAC>
internalblue → log keys → re-pair target
```
## Detection

- No native Bluetooth Classic IDS in most environments
- Active inquiry is visible to nearby Bluetooth-aware monitoring (rare)
- Re-pairing prompts on target devices may surface to users
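Because most environments have no Bluetooth Classic IDS, the cheapest detection is a baseline of what each host has paired and a periodic comparison against it. The script below is an added example for this skill file, not code from the original page or from BlueZ: it parses `bluetoothctl info <MAC>` dumps, compares a baseline snapshot of a host's paired devices with a later one, and flags devices that are new since the baseline, that report `LegacyPairing: yes` (pre-2.1 PIN pairing only, the case where PIN brute force applies), or that expose profiles the table above treats as high-risk. Both snapshots are constructed; the addresses, names and property values are not real captures.

```python
"""Pairing-baseline check for hosts with no Bluetooth Classic IDS (added example)."""
import re

# Bluetooth base UUID suffix: 16-bit service UUIDs appear as 0000XXXX-<suffix>
BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"
# profiles from the table above that matter in a paired-device review
WATCHED_PROFILES = {
    0x1101: "Serial Port (SPP)",
    0x1106: "OBEX File Transfer",
    0x1124: "HID",
}


def parse_info(text):
    """Parse one or more concatenated `bluetoothctl info` dumps into {addr: device}."""
    devices, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"Device ([0-9A-F]{2}(?::[0-9A-F]{2}){5})", raw)
        if m:
            current = {"addr": m.group(1), "uuids": [], "props": {}}
            devices[current["addr"]] = current
            continue
        if current is None:
            continue
        line = raw.strip()
        m = re.match(r"UUID:\s*(.*?)\s*\(([0-9a-f-]{36})\)$", line)
        if m:
            current["uuids"].append(m.group(2))
        elif ":" in line:
            key, value = line.split(":", 1)
            current["props"][key.strip()] = value.strip()
    return devices


def short_uuid(uuid):
    """Return the 16-bit value of a base-UUID-derived 128-bit UUID, else None."""
    if uuid.startswith("0000") and uuid.endswith(BASE_UUID_SUFFIX):
        return int(uuid[4:8], 16)
    return None


def compare(baseline, snapshot):
    """Return (addr, reason) alerts for devices in the newer snapshot."""
    alerts = []
    for addr, dev in snapshot.items():
        props = dev["props"]
        if props.get("Paired") == "yes" and addr not in baseline:
            alerts.append((addr, "newly paired since baseline"))
        if props.get("LegacyPairing") == "yes":
            alerts.append((addr, "legacy (pre-2.1 PIN) pairing only, SSP unavailable"))
        for u in dev["uuids"]:
            s = short_uuid(u)
            if s in WATCHED_PROFILES:
                alerts.append((addr, f"exposes {WATCHED_PROFILES[s]}"))
    return alerts


# Constructed snapshots in bluetoothctl's `info` layout (tab-indented properties)
BASELINE = """\
Device 11:22:33:44:55:66 (public)
\tName: Office Headset
\tClass: 0x00240404
\tPaired: yes
\tTrusted: yes
\tConnected: no
\tLegacyPairing: no
\tUUID: Headset                   (00001108-0000-1000-8000-00805f9b34fb)
\tUUID: Handsfree                 (0000111e-0000-1000-8000-00805f9b34fb)
"""
SNAPSHOT = BASELINE + """\
Device AA:BB:CC:DD:EE:FF (public)
\tName: Unknown Adapter
\tClass: 0x00000000
\tPaired: yes
\tTrusted: no
\tConnected: yes
\tLegacyPairing: yes
\tUUID: Serial Port               (00001101-0000-1000-8000-00805f9b34fb)
"""

if __name__ == "__main__":
    for addr, reason in compare(parse_info(BASELINE), parse_info(SNAPSHOT)):
        print(addr, reason)
```

In practice the baseline is the concatenated `bluetoothctl info` output for every address listed by `bluetoothctl paired-devices`, captured once per host and re-captured on a schedule; a device that appears only in the later snapshot is exactly the re-pairing event the bullet above says may otherwise surface only as a prompt the user dismissed.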
## Reporting

- Identify chipset + firmware version per device (often visible in service records)
- Map CVE applicability (BlueBorne, KNOB, BlueFrag, et al.)
- Document specific profile abuses (SPP exposed without auth, HID spoofing successful, etc.)
## Key References