Bluetooth Low Energy (BLE) is actually the de facto wireless protocol choice by many wearables developers, in addition to also much of the emerging internet of things (IoT) market. Thanks to the item’s near ubiquity in modern smartphones, tablets, in addition to also computers, BLE represents a large in addition to also frequently insecure attack surface. of which surface can at of which point be mapped with the use of Blue Hydra.
Built on the bluez library, Blue Hydra employs built-in BLE hardware, which can be further enabled by the use of Ubertooth hardware, to discover in addition to also track not only low energy, yet classic Bluetooth devices too. You can learn more about how Blue Hydra works by watching the Defcon 24 talk. In of which tutorial, we will download Blue Hydra on a Raspberry Pi running Raspbian, in addition to also get commenced tracking.
Those of you already familiar with using Aircrack -ng will be right at home with Blue Hydra, as they are very similar.
If you want to get more familiar with Bluetooth security, Null Byte has you covered! You can get up to speed with Terms, Technologies, & Security, learn to Control Any Mobile Device, in addition to also get your Reconnaissance on.
What You’ll Need to Get commenced
First, we’ll prepare the OS we’ll be runnig Blue Hydra on. because of of which tutorial, we’ll be using Raspbian. You can download the Raspbian image directly, or torrent via your favorite Torrent client on the Raspbian download site.
Once the download is actually complete, we need to write the image to our microSD card. the item’s a Great idea to unplug any external hard drives or additional USB devices you have, in addition to also then insert your microSD into its adapter in addition to also plug the item in. of which is actually important since you don’t want to accidentally flash the wrong device.
If you already have a program for flashing live images to the card, then you can use of which. Otherwise, download in addition to also install Etcher, as the item’s the easiest to use for creating bootable SD cards. the item works on Windows, Mac, in addition to also Linux, while also having a simple to use interface. Go ahead in addition to also open Etcher when the item finishes installing.
Etcher should detect what operating system you are using, yet if not, make sure you download the correct variation based on your operating system, then open the file in addition to also follow the on-screen installation directions. Open Etcher (if the item doesn’t automatically open after installation), in addition to also select the image you just downloaded.
Next, be sure the proper drive is actually selected in addition to also flash the image. Once the item’s done, the item will safely eject the SD card.
There is actually a rare chance of which Etcher will cause an error. If of which does happen, use ApplePiBaker for Mac or Win32 Disk Imager for Windows.
If you plan on using a Secure Shell (SSH) to access your Pi, then you will want to add an empty file ssh with no file type to the boot folder on the microSD card.
Step 2: Start Your Pi
Insert the SD card into the slot at the bottom of your Raspberry Pi in addition to also plug the Pi into an HDMI cable leading to a display in addition to also a power cable. If you want to SSH into your Pi, make sure to plug the Pi into Ethernet, with the additional end of the Ethernet cable going into your router (which is actually wired or wirelessly connected to your computer).
You can at of which point connect to your Pi however you like. I’m old-school, so I just SSH into the Pi using PuTTY or the Secure Shell extension for Chrome.
Remember the username is actually pi in addition to also the password is actually raspberry. After you connect, make sure to change the password with passwd, in addition to also then update your Pi with the following commands.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
Step 3: Ubertooth Installation
If you aren’t planning on using Ubertooth hardware, you should still follow these steps or Blue Hydra may not run correctly. If you are using an Ubertooth, make sure to plug the item in before we start, as the item may need a firmware update. Unfortunately, Ubertooth is actually not inside Raspbian repository, so we have to download the item manually.
First, we need to install the dependencies for Ubertooth before we can build libbtbb in addition to also Ubertooth. of which can take some time, yet usually not much longer than 5 minutes.
sudo apt-get install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev
pkg-config libpcap-dev python-numpy python-pyside python-qt4
at of which point, we are ready to set up the Bluetooth baseband library, libbtbb. of which lets the Ubertooth decode Bluetooth packets. Download the file by Github with the command below.
at of which point, unzip the item, navigate to the directory, in addition to also create a build directory by typing the following.
tar xf libbtbb-2017-03-R2.tar.gz
We are at of which point ready to use cmake to install the item.
sudo make install
Wonderful! at of which point of which we have libbtbb installed, we are ready to install Ubertooth itself. Move to your home directory by typing cd in addition to also then are ready to do the same process as before to install Ubertooth file. Download the item by Github.
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2017-03-R2/ubertooth-2017-03-R2.tar.xz -O ubertooth-2017-03-R2.tar.xz
Then use the same process as before to install.
tar xf ubertooth-2017-03-R2.tar.xz
sudo make install
Lastly, move back home with cd, in addition to also if you actually have an Ubertooth device, make sure the item is actually configured correctly with sudo ldconfig in addition to also ubertooth-util -v which should be “Firmware variation: 2017-03-R2 (API:1.02)”
at of which point we are ready to install Blue Hydra’s dependencies.
Step 4: Install Blue Hydra Dependencies
Blue Hydra runs on Ruby code, so first we need to check to see if we have of which already installed by running which ruby. If of which returns “/usr/bin/ruby” or something similar then you’re Great to go. If you don’t contain the item then sudo apt-get install ruby-full
Start with downloading bundler
sudo gem install bundler
at of which point we are ready to install the long list of additional dependencies required.
sudo apt-get install python-bluez python-dbus sqlite3 bluez-tools ruby-dev bluez bluez-test-scripts python-bluez python-dbus libsqlite3-dev
at of which point we are ready to clone Blue Hydra by Github
Then we need to move to the “blue_hydra” directory
Before running the last command you should know of which if you run the item as root the item could cause problems for additional users of which try to use Blue Hydra. If you only use root then you’re fine, otherwise, you can use the sudo command as needed.
Step 6: Run Blue Hydra
at of which point we’re ready to start tracking Bluetooth devices. Make sure of which you have your Ubertooth connected if you are using one. Keep in mind of which the use of multiple dongles such as having an external Bluetooth dongle in addition to also Ubertooth hardware can draw a lot of power so you want to be doubly sure of which you have at least a 2.5A power supply or you may run into power issues. at of which point move to “blue_hydra/bin/”, if you’re already in “blue_hydra” just cd ./bin Then start the program with
There are also numerous flags you can use when you run the program:
- -d or –daemonize suppress Command Line Interface (CLI) output in addition to also run in background
- -z or –demo runs with CLI output yet mask displayed macs for demo purposes
- -p or –pulse attempt to send data to Pwn Pulse
You may want to write down some quick notes about the controls before you press enter or you can just reference of which screenshot.
To test the item out I set off to the local Starbucks, for reference you can see how crowed the item was below.
My setup was nothing yet the internal Bluetooth in addition to also Ubertooth hardware. With an external Bluetooth dongle in addition to also the range the item offers, I could have easily detected twice as many devices. If you are wondering, I’m powering the Pi off of a battery pack in addition to also using Juice SSH on my smartphone, Blue Hydra is actually being run in demo mode to help protect the privacy of the people.
Step 7: Configuring Options
The “blue_hydra.yml” file can be edited to configure several options:
- log_level If of which is actually set to “false” then the log files will not be created.
- bt_device of which is actually how you change the main Bluetooth interface, change if you’re using a dongle.
- info_scan_rate of which is actually how often info scan is actually run in seconds.
- status_sync_rate of which is actually how often to sync device status to Pulse in seconds.
- btmon_log When True the item will log filtered btmon output.
- btmon_rawlogWhen True the item will log unfiltered btmon output
- file If set to a file the item will use the item rather than live sensor data
- rssi_logControls if serialized RSSI values are logged
- aggressive_rssi of which will aggressively send RSSIs to Pulse
Step 8: Tracking with BLE Finder
Blue Hydra saves to two log files, “blue_hydra.log” is actually where the item logs all the data the item collects, which is actually more than the item shows on the user interface, of which is actually how the item tracks devices over time. The second, “blue_hydra_rssi.log” is actually where the item logs signal strength which can be used to find the distance to the Bluetooth device. For example, you could make a simple python script of which alerts you when a certain device is actually close by, just as the Hacker Warehouse team did. Let’s download the item in addition to also take a look at the item.
First move to the Blue Hydra directory, cd ~/blue_hydra in addition to also then download the Python program
The Python program uses the tailer module as well, so we need to get of which with pip install tailer
at of which point we need to make sure of which Blue Hydra is actually saving the RSSI log file so lets use nano to open the configuration file mentioned before. sudo nano blue_hydra.yml then set rssi_log true
Then save with Ctrl + X in addition to also Y then Enter . The only thing for us to do at of which point is actually tell the script which Mac IDs to look for. To do of which lets open the python file with nano. sudo nano ble_finder.py if you have trouble opening the item with nano just restart the pi with sudo reboot find the devices list in addition to also edit the item to the MAC IDs of your choice, remember the item is actually case sensitive. If you want more than, you can just expand the list with [‘MAC ID’, ‘Name’, ‘ ‘],
Below of which you can also set how often the item reports, the default is actually 45 seconds.
While you are here you may want to go over the code. The program checks the RSSI log for the MAC IDs by our list. When you’re done, save just like before with Ctrl + X in addition to also Y then Enter.
at of which point let’s put the item in action with cd blue_hydra/bin/ in addition to also then use sudo ./blue_hydra at of which point open another shell in addition to also move to Blue Hydra with cd blue_hydra then run python ble_finder. If all is actually working properly you’ll see something like of which.
Put the item to Use for Yourself
at of which point of which you contain the basics, you can do something much more advanced. Say you wanted to get into a high-level executive’s office, yet you need to know when they are there. You could put a Pi running Blue Hydra, in addition to also set some code to email me when his Fitbit leaves the office.
You could also set up a trilateration program to map all the devices inside environment. Even just leaving the item sitting in place can yield interesting results. The real limiting factor to Blue Hydra’s usefulness is actually your imagination, so don’t let the item hold you back!
Screenshots by Hoid/Null Byte