Bluetooth Low Energy devices like smart watches,
“wearables,” give you up all day.
My new neighbor was using AirDrop to move some files from his phone to his iMac. I hadn’t introduced myself yet, but I already knew his name. Meanwhile, someone with a Pebble watch was walking past, and someone named “Johnny B” was idling at the stoplight at the corner in their Volkswagen Beetle, following directions from their Garmin Nuvi. Another person was using an Apple Pencil with their iPad at a nearby shop. And someone just turned on their Samsung smart television.
I knew all this because each person advertised their presence wirelessly, either over “classic” Bluetooth or the newer Bluetooth Low Energy (BTLE) protocol—and I was running an open source tool called Blue Hydra, a project from the team at Pwnie Express. Blue Hydra is intended to give security professionals a way of tracking the presence of traditional Bluetooth, BTLE devices, and BTLE “iBeacon” proximity sensors. But it can also be connected to other tools to provide alerts on the presence of particular devices.
Despite their “Low Energy” moniker, BTLE devices are constantly polling the world even while in “sleep” mode. And while they use randomized media access control (MAC) addresses, they advertise other data that is unique to each device, including a universally unique identifier (UUID). As a result, if you can tie a specific UUID to a device by other means, you can track the device and its owner. By using the Received Signal Strength Indication (RSSI), you can get a sense of how far away they are.
That information can be used, for good or ill, to generate movement data about the people who carry those devices—and to watch for devices that appear when they shouldn’t. “I have an alert set up for when my mother-in-law’s car pulls into range,” Pwnie’s Rick Farina told Ars, as he gave us a walk-through of the tool. “It gives me about a 30-second warning.”
I installed Blue Hydra by “cloning” its Ruby code from its GitHub repository on an older MacBook Air I’d configured with Kali GNU/Linux “Rolling” (64 bit), a security-testing-focused version of Debian, and a SENA UD100 USB Bluetooth adapter. Blue Hydra will work on other Debian-based distributions, and it’s even pre-installed as part of the current release of Pentoo (a security-focused live CD version of Gentoo Linux). Pwnie Express has also packaged Blue Hydra for use with its line of sensors (though not with the PwnPhone), and it can be integrated with the company’s Pulse security monitoring and auditing service.
There’s not much to Blue Hydra’s user interface—it’s a terminal screen with a columnar layout. But Blue Hydra also can log its raw detection data and record in-depth information about detected Bluetooth devices in a SQLite database for later review. It also produces a standard text log file and can be run as a “daemon” in the background to simply stream data to the database and log output for processing (by Pulse, another security event information management system, or your own eyeballs or code).
While the RSSI for a normal Bluetooth or BTLE device won’t produce an actual distance away from the Blue Hydra sensor, the tool will give range information on “iBeacons”—the Bluetooth standard developed by Apple (and supported by Google) for allowing mobile applications to act on a user’s proximity to the beacon.
Retailers have begun to use BTLE iBeacons to push advertisements and offers to customers using mobile apps based on their location within a store, for example. And iBeacons could also be placed on items to track their movement within a store—to alert salespeople when someone picks up a display shoe or to show when something appears to be walking out the door. But it’s easy to spoof iBeacons, as Alasdair Allan and Sandeep Mistry demonstrated in an article in Make documenting their hack of a CES iBeacon scavenger hunt two years ago. There are simply a number of potential security and privacy problems that could spring from iBeacons.
I detected a single iBeacon during my test drive of Blue Hydra—I did take it for a wardrive with my lab assistant (aka my son) holding the MacBook as we cruised down a local street lined with retailers. We did, however, detect plenty of everything else. Over the course of a 10-minute circuit from our lab, we recorded more than 350 unique Bluetooth and BTLE devices. Future projects will definitely include an early warning sensor for my driveway to detect incoming visitors.