Inspiration

Some corporate environments have no need for Bluetooth and therefore see it as an unguarded attack vector. There are many great tools in the area of Bluetooth forensics, such as the well-known Wireshark. These tools are irreplaceable when it comes to digital forensics, but few take the active approach necessary to prevent attacks. This is where WhiteTooth comes in. WhiteTooth discovers every Bluetooth device in its range and aggressively pairs with it. Most Bluetooth chips support at most seven connections in master mode and one connection in slave mode. WhiteTooth de-access points (theoretically) hold as many Bluetooth adapters as possible and use them to exhaust the connection slots of every device in range, effectively nullifying Bluetooth communications. In addition to owning the pairing network, WhiteTooth comes with a Bluetooth network monitor, securely hosted on the Wi-Fi LAN. Emails are also sent for urgent notifications (such as someone's phone or laptop being clearly identifiable and pairable). There is also a Denial of Service feature (it only works conditionally).

What it does

Aggressively attempts to pair with every device within its range, so that potentially malicious devices will have nothing to pair to and no free connections to pair from. It also contains a Bluetooth network monitor hosted on the LAN Wi-Fi network that only hosts with the secret context key can access. There is also a special Denial of Service attack, selectable from the web GUI, that utilizes all Bluetooth adapters on the WhiteTooth de-access point. This attack is not effective with standard integrated or USB Bluetooth chips; if you want real results, use industrial-grade Bluetooth adapters. (As of now the version contains a blacklist of Bluetooth MAC addresses that it can affect, as there are too many in the area of Bitcamp to control with our laptops.)

How we built it

Mostly Python 3 for controlling the files and the web UI. There is a bit of JavaScript and HTML of course, as well as several subprocess calls to Linux Bluetooth tools (BlueZ-related utilities such as hcitool and hciconfig).
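The write-up says the monitor is driven by subprocess calls to BlueZ tools such as hcitool. The following is an added example, not WhiteTooth's own code, showing the inventory step such a monitor needs: run `hcitool scan` on an adapter, parse its output, and flag any discoverable device whose address is not on an operator-maintained allowlist. The `hcitool scan` output shape (one tab-separated address/name line per device after a "Scanning ..." header) is the standard BlueZ format; the allowlist approach, the sample scan text and the addresses in it are constructed for illustration.

```python
# Added example (not WhiteTooth's own code): a minimal BlueZ-backed inventory
# step for the kind of Bluetooth monitor the write-up describes. It wraps
# `hcitool scan` in a subprocess call, parses the result, and flags any device
# whose address is not on an operator-maintained allowlist. The allowlist and
# the sample scan output below are constructed for illustration.
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# One `hcitool scan` result line: tab, BD_ADDR, tab, remote name (or "n/a").
SCAN_LINE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*?)\s*$")


@dataclass(frozen=True)
class BtDevice:
    addr: str   # BD_ADDR, normalised to upper case
    name: str   # remote name as reported by the inquiry, "n/a" if none


def parse_hcitool_scan(output: str) -> list[BtDevice]:
    """Parse the text `hcitool scan` prints; header lines are ignored."""
    devices: list[BtDevice] = []
    for line in output.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            devices.append(BtDevice(m.group(1).upper(), m.group(2)))
    return devices


def run_scan(hci: str = "hci0") -> list[BtDevice]:
    """Run a classic (BR/EDR) inquiry on the given adapter (needs BlueZ and root)."""
    proc = subprocess.run(["hcitool", "-i", hci, "scan"],
                          capture_output=True, text=True, check=True)
    return parse_hcitool_scan(proc.stdout)


def classify(devices: list[BtDevice],
             allowlist: set[str]) -> tuple[list[BtDevice], list[BtDevice]]:
    """Split a scan into devices the operator expects and ones worth an alert."""
    known = [d for d in devices if d.addr in allowlist]
    unknown = [d for d in devices if d.addr not in allowlist]
    return known, unknown


def format_alert(unknown: list[BtDevice]) -> str:
    """Human-readable summary for the monitor page or an e-mail notification."""
    if not unknown:
        return "no unexpected Bluetooth devices in range"
    lines = [f"{len(unknown)} unexpected Bluetooth device(s) discoverable:"]
    lines += [f"  {d.addr}  {d.name}" for d in unknown]
    return "\n".join(lines)


# Constructed sample output in the shape `hcitool scan` produces.
SAMPLE_SCAN = (
    "Scanning ...\n"
    "\tAA:BB:CC:DD:EE:01\tConference Room Speaker\n"
    "\t12:34:56:78:9A:BC\tn/a\n"
    "\tde:ad:be:ef:00:01\tJohn's MacBook Pro\n"
)

# Constructed allowlist: addresses the operator knows and expects to see.
ALLOWLIST = {"AA:BB:CC:DD:EE:01"}

if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in run_scan("hci0") on a
    # Linux host with BlueZ installed to inventory real devices.
    known, unknown = classify(parse_hcitool_scan(SAMPLE_SCAN), ALLOWLIST)
    print(f"known: {[d.addr for d in known]}")
    print(format_alert(unknown))
```

Addresses are normalised to upper case before comparison so that an allowlist entry matches regardless of how the adapter prints it, and the parser skips anything that is not an address line, so a changed header or a stray warning from hcitool does not break the monitor.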

Challenges we ran into

Spamming Bluetooth requests aggressively is not a challenge. Our real problem was the hardware. We, like most people, possess mostly master devices (devices that want control of the Bluetooth sockets they participate in) such as phones, tablets, and other laptops. Our only slave, my Bluetooth speaker, died about a quarter of the way through testing, so our tests were made on unfriendly master devices that require user consent to pair with a device unless the user directly requests it. While this is good for users, it does not reflect what our true targets would be: malicious Bluetooth devices, most of which either lie dormant, spoof and wait for a connection, or actively try to pair with other devices. In two of the three cases enumerated, WhiteTooth would have an easier time nullifying a malicious device than a non-malicious one. This made testing much slower.

Accomplishments that we're proud of

The web UI, the aggressive pairing, and the extensibility for more adapters and higher-quality ones.

What we learned

A lot about Bluetooth. A lot about how insecure it is. A lot about how much people don't know about it. And a whole lot about how many Mac users leave their laptops open for pairing and file sharing. :)

What's next for Whitetooth

Much more testing. Likely automated spoofing of Bluetooth device classes, as some devices do not want to pair with a laptop-class device. More threading and other I/O tools. A complete change to the way we do scanning. Confirmed LE support (I think it may work already). Hidden Bluetooth scanning and pairing as well.
