
BlueSpy
BlueSpy was developed to record and replay audio from a Bluetooth device
without the legitimate user’s awareness.
The PoC was demonstrated during the talk BSAM: Seguridad en Bluetooth at
RootedCON 2024 in Madrid.
It’s designed to raise awareness about the insecure use of Bluetooth devices,
and the need for a consistent methodology for security evaluations. That’s the
purpose of BSAM, the Bluetooth Security Assessment Methodology, published by
Tarlogic and available here.
This proof of concept exploits the failure to comply with the BSAM-PA-05
control within the BSAM methodology. Consequently, the device enables the
pairing procedure without requiring user interaction and exposes its
functionality to any agent within the signal range.
Requirements
The code is written in Python and has been tested with Python 3.11.8, but it
mainly uses widely available tools in Linux systems.
The PoC uses the following tools:
bluetoothctl, btmgmt, pactl, parecord, paplay
In Arch Linux distributions, bluetoothctl and btmgmt can be installed with the
package bluez-utils, while pactl, parecord and paplay are available in the
libpulse package.
For the PoC to work, it is necessary to have a working installation of the
BlueZ Bluetooth stack, available in the bluez package for Arch Linux
distributions. A working installation of an audio server compatible with
PulseAudio, such as PipeWire, is also required to record and play audio.
Setup
Ensure that your device is capable of functioning as an audio source, meaning
it has a microphone, and that it is discoverable and connectable via
Bluetooth.
For instance, to be discoverable and connectable, the earbuds used during the
talk must be outside of their charging case. By default, they only activate
the microphone when placed in the user’s ears, although this setting can be
adjusted in the configuration app.
Additionally, ensure that the device is not already connected, or
alternatively, that it supports multiple connections.
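The BSAM-PA-05 control mentioned above concerns a device that accepts pairing and exposes its services without the user being involved. The script below is an added example, not code from the BlueSpy project, that shows the same check from the defender's side for a Linux host running BlueZ: it parses the text printed by bluetoothctl show and flags a controller that is left discoverable with no timeout, is pairable, or advertises microphone profiles (Audio Source, Headset, Handsfree). The sample output embedded in the script is constructed for the example; only the run_bluetoothctl_show helper touches a real system, and it assumes bluetoothctl is on the PATH.

```python
"""Audit a BlueZ controller's exposure from `bluetoothctl show` output.

Added example (not part of the BlueSpy project). The field names follow
what bluetoothctl prints; the values in SAMPLE_SHOW_OUTPUT are made up.
"""
import subprocess
from typing import Dict, List

# Constructed sample of `bluetoothctl show` output (values are invented).
SAMPLE_SHOW_OUTPUT = """\
Controller AA:BB:CC:DD:EE:FF (public)
\tName: laptop
\tAlias: laptop
\tClass: 0x006c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: Audio Source                (0000110a-0000-1000-8000-00805f9b34fb)
\tUUID: Headset                     (00001108-0000-1000-8000-00805f9b34fb)
\tDiscovering: no
"""

# Profiles that let a remote peer use this host as a microphone.
MICROPHONE_PROFILES = ("Audio Source", "Headset", "Handsfree")


def run_bluetoothctl_show() -> str:
    """Return the live output of `bluetoothctl show` (assumes bluetoothctl is installed)."""
    return subprocess.run(["bluetoothctl", "show"],
                          capture_output=True, text=True, check=True).stdout


def parse_show(text: str) -> Dict[str, object]:
    """Turn `bluetoothctl show` output into a dict.

    'Key: value' lines become string values; the repeated 'UUID:' lines are
    collected into a list under the key 'UUID'. The controller line is
    handled first because its address contains colons.
    """
    info: Dict[str, object] = {}
    uuids: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Controller "):
            parts = line.split()
            info["Controller"] = parts[1]
            info["AddressType"] = parts[2].strip("()") if len(parts) > 2 else ""
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "UUID":
            uuids.append(value)
        else:
            info[key] = value
    info["UUID"] = uuids
    return info


def audit(info: Dict[str, object]) -> List[str]:
    """Return human-readable findings about exposure of the local controller."""
    findings: List[str] = []
    if info.get("Powered") != "yes":
        return findings  # radio off: nothing is exposed over the air
    if info.get("Discoverable") == "yes":
        # bluetoothctl prints the configured timeout in hex seconds; 0 means forever.
        timeout = int(str(info.get("DiscoverableTimeout", "0x0")), 16)
        if timeout == 0:
            findings.append("discoverable with no timeout (visible to any scanner in range)")
        else:
            findings.append(f"discoverable (timeout configured: {timeout} s)")
    if info.get("Pairable") == "yes":
        findings.append("pairable: incoming pairing requests are accepted; "
                        "verify the registered agent requires user confirmation")
    uuids = info.get("UUID", [])
    mic = [u for u in uuids if any(p in u for p in MICROPHONE_PROFILES)]
    if mic:
        findings.append("microphone profiles advertised: " + "; ".join(mic))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; swap in run_bluetoothctl_show() for a live host.
    for finding in audit(parse_show(SAMPLE_SHOW_OUTPUT)):
        print("-", finding)
```

A host that is powered on but neither discoverable nor pairable, and advertises no microphone profile, yields no findings; that is the state to aim for when the adapter is idle.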
Execution
Firstly, the address of the device must be discovered using a tool such as
bluetoothctl:
$ bluetoothctl
[bluetooth]# scan on
Once the address of the device is discovered, the script can handle the rest:
$ python BlueSpy.py -a <address>
Note: The script might prompt for superuser permissions to modify the
configuration of your BlueZ instance and pair it with the remote
device.
Troubleshooting
BlueSpy.py is the main script that executes every step of the process.
If you encounter issues with any of the phases, it might be helpful to
execute them individually:
- pair.py utilizes the command-line tool btmgmt to modify the configuration of
  your BlueZ instance and initiate a pairing process with the remote device. The
  exact commands used are in the pair function inside core.py.
- connect.py utilizes the command-line tool bluetoothctl to initiate a quick
  scan (necessary for BlueZ) and establish a connection to the device. The
  exact commands used are in the connect function inside core.py.
- just_record.py utilizes the command-line tools pactl and parecord to search
  for the device in the system's audio sources (it must function as a
  microphone) and initiate a recording session. The exact commands used are in
  the record function inside core.py.
- The playback function inside core.py executes paplay to play back the
  captured audio.
If you encounter issues with any of the phases, examine the commands in
core.py and try to execute them in a shell. This will provide more information
on what may be failing.
Download