Wireless Security - Bluejack a Victim



As a start, let’s define what Bluejacking means. It is a process of sending the so-called "e-business" card to other device via Bluetooth. The types of e-business cards as we know them are the ones with contact information (name, e-mail, phone number) that you send to other users. Bluejacking works in the same way, but it does not send contact information; in place of that, it sends some malicious content. An example of Bluejacking is shown in the following image.

This definition of Bluejacking is the one you can see in most of the internet resources, and this is considered a pie on top of the cake. The basic fundamentals of Bluetooth hacking are that it will give you a plethora of choices. First is to first pair with the other device. As soon as this step is performed, you may discover the internet for tools that makes some specific malicious functions. Those might be −

  • Mentioned above like sending e-business cards with malicious attachments.

  • Pulling out confidential data out of the victim's device.

  • Taking over the victim's device and make calls, send messages, etc., of course without the knowledge of the user.

We will now explain you how to get to the point, when you are paired with the victim's device. Whatever you want to do next, only depends on the tools and approaches you will find on the internet, but it could be almost everything.

First step is to enable the Bluetooth service locally on the PC.

Bluetooth Service

Next, we need to enable the Bluetooth interface and see its configuration (the same way as physical Ethernet interfaces and wireless interfaces, the Bluetooth one also has MAC address called as the BD address).

Wireless Interfaces

When we know that the interface is UP and running, we need to scan a Bluetooth network for the devices visible in the close environment (this is the equivalent of airodump-ng from the 802.11 wireless world). This is done using tool called btscanner.

Wireless World

What you can read from the above screenshot is that −

  • The MAC address of our local Bluetooth device is A0:02:DC:11:4F:85.

  • The MAC address of the target Bluetooth device is 10:AE:60:58:F1:37.

  • The name of the target Bluetooth device is "Tyler".

The main idea here is that Tyler's device is authenticated and paired with another Bluetooth device. For the attacker to impersonate itself as a "Tyler" and pair directly with other node, we need to spoof our MAC address and set our Bluetooth name to "Tyler".

Just to let you know, you also have a BTScanner version for Windows OS. Below is the sample screenshot from the windows version of the tool.

Bluetooth Scanner

To impersonate Bluetooth information, there is a tool called spooftooth, that we need to use here (equivalent of macchanger, that we have to use to bypass MAC authentication in WEP scenario with MAC filtering). What we have done below, is that we have changed the MAC address of our Bluetooth dongle (hci0 device) to the one, we have found using btscanner. We have also changed the name of the Bluetooth device to 'LAB'. This is the one I am using locally in my Bluetooth pairing setup between two smartphones.


Success! Right now, we have cloned the Bluetooth setup of one of the clients involved in Bluetooth smartphone-to-smartphone communication. It allows us to communicate directly with the other device from a Bluetooth pair. Of course, we need to make sure that the legitimate device, whose credentials we have spoofed, disappears from the network. It might take time in real life and we would have to wait until a user goes away from range of Bluetooth, or disables the Bluetooth service on his device.