Bluetooth Warwalking: Hacking Devices Around You with Just Your Phone

All right, my name's Matt. I'll be talking to you about Bluetooth today. So, let's get into it. Uh so, my name is Matt, aka Knockout. It's my handle. Uh I'm originally from Virginia. I now live in California, but I do spend time out here in Utah. I built my first website on GeoCities. Anybody else? Yeah. Okay, makes me older than I look. Um and most importantly for this talk, I'm not a Bluetooth expert. So, um just keep that in mind. This all started out of like curiosity and like learning about this and I've I've dove down a rabbit hole that has taught me a lot about the world around me. So, um just keep in mind that this is a you

know, not going to be super super technical, but I think it's accessible to everybody that's listening right now. >> [snorts] >> So, my journey with Bluetooth started with this TikTok. I cannot seem to find the actual video of this TikTok anywhere anymore, but um the idea was this guy found out that at every Mattress Firm in the country, they were releasing a bed model called the Pro Smart Bed Base. And there was a Bluetooth speaker in the Pro Smart Bed Base that you could connect to without authentication. And you could control the volume and the contents from your phone and that was the only way you could control it and the only way to stop it was to unplug

the bed. So, it's a weird thing. We had to unplug the bed to stop it. So, he was going into Mattress Firms and kind of creating a little bit of chaos and then sort of challenged the world to also create chaos. I'm guessing that TikTok doesn't exist cuz he maybe got into a little bit of trouble by saying that, but >> [snorts] >> anyways, in my hometown of Walnut Creek, there happens to be a Mattress Firm. So, I was like, well, let me test this hypothesis. So, I walked [snorts] in and sure enough, I opened up my phone and this is the Bluetooth menu. Um there was a lot of Pro Smart Beds in that and

so, I clicked on one and I connected. So, okay, here we go. So, let me see. I don't know if this will play or not. Let's see if it will. Where's that cursor?

I hope you can hear that.

So, I successfully sort of I guess you could call it hacking a a bed base. And so, that started me on my path of Bluetooth war walking. That was the inception of my fascination. So, just as a level set, Bluetooth war walking as I consider it is walking through public areas with just your phone scanning for open Bluetooth connections. And there's no special gear, just curiosity required and a pair of sneakers. So, in that case, all I needed was my phone and that was it. Like nothing nothing else beyond that. Some of you may have heard of war driving. That's sort of the more common term and some pretty cool people doing stuff in that space. I'll talk about later.

Um but this is just literally me walking around with my phone. Um so, let's get into some of the practical exploitation that exists out there. Um [snorts] so, I was at a cafe doing my homework. I'm a I'm actually currently a data science master's student and uh I was doing my homework and I was kind of getting bored. So, I was like, I'm going to take a break and I opened up my phone again and looked at the Bluetooth menu and I saw this, the TM-M32. And I was like, I don't know what that is. Clicked on it, connected. Cool. Let me Google this and see what this is and it turns out it's the Epson TM-M32

thermal receipt printer. So, I was like, okay, that must be the receipt printer behind the counter. Um let me Google it even further and it turns out there is an app and in that app, it's kind of hard to see maybe here, but there are options to print a sample receipt. You could edit the receipt and print. So, I locked in on that option and I edited a receipt. So, it turns out you can actually print images off too. So, I got this picture of myself uh and but before I printed it, I was like, you know what? I I let me mess with them a little bit more cuz they'll know who it is if I print this off. So, I noticed I

know the owner of the cafe and I kind of explained it to him and and then I I he hires like local high school kids to be baristas at this place. So, I was like, why don't I like mess with them a little bit. So, this is the first thing I sent off. If you can't read that, it says, "My name is Jackson Fellini and I am from the year 2036. Recent technological breakthroughs have allowed me to communicate with your time. Now to confirm how to Now to figure out how to confirm whether this has been received." Uh the look of shock and excitement and terror on these kids' faces was hilarious. I took my headphones out. I

heard them speaking amongst themselves. I even heard one of them go like, "Yeah, I think like maybe with AI or something like in the future." I'm like, "Cool." About 5 minutes later, I printed this off and I saw them all freak out again. And then it turned out I I learned that like as I walked by this place on my way to work, Bluetooth has about a 33-ft span or a range to connect to devices. And so, I figured out that I could connect to it from the sidewalk outside the cafe as I was walking by on my on my way to work. So, on my way to work, I would send stuff like this. Um

and to this day, I don't know if the owner ever told the kids um and so, there might be some kids walking around Walnut Creek, California that they think they've you know, been communicating with time travelers or something. So, this is all fun and games, but as you can imagine, there could be some real problems with doing this. Like I could print fake refunds and go back and and get, you know, um you know, money back. I could generate fake drink tickets and get free drinks. General operational chaos could happen. Like I could like kind of DDoS this printer and just keep printing things and and creating, you know, issues. And again, zero technical knowledge

required here. I I Googled the name of the thing on my iPhone. I downloaded the app and that's it. Case in point, [snorts] I have an Epson TM-M32 printer right here on the stage that is on. And if you want to try it, try to connect to it and try to print something. I will within reason, I will read out whatever you guys print on this thing during the the rest of this talk. Um keep in mind that it only allows for one connection. So, if you do get on it, you know, um maybe disconnect from it afterwards if you want to print something off so other people can check it out. There's a really [snorts] easy way to like learn

how these things And you'll see actually this this printer is a very very common printer. I've seen it in many other locations around the world. So, um So, that was like interesting. So, I had this like Mattress Firm experience and I had this and I was like, okay, this is this world's a little bit too open. And so, next the next thing that I I ran across was this. I'm sure there may even be some of these in this building. They're everywhere, these Samsung TVs and they show up. You can connect to them. It's like Samsung TV like this. Um this is a smoothie shop right next to my work as well. I know kind of the

people there and they were opening up one morning. I was like, let's see if I can like just sort of mess with them a little bit in the morning and as you can see maybe on the left screen there, I tried to connect to one and it gives you this like pairing dialogue which you probably seen on on like maybe TVs in your own house where it says pair or cancel. You have to hit it on the remote. So, I was like, okay. Well, unfortunately, I don't think I'll be able to connect to this TV which was good. Kind of showed me that there was a little bit of like security in these things. Uh but then I had an idea.

Flipper Zero. So, if you all know what a Flipper Zero is or don't know what a Flipper Zero is, it's a little hacker device. It's got all sorts of on it including an infrared um sort of remote um emulator, I guess you could say. The firmware that I use By the way, the thing on top of it, I bought at DEF CON last year. It's like extends the IR range. So, I didn't have to be sitting close. I could be like kind of far away. And the firmware [snorts] that I use on this device um is a has a Samsung universal remote in it. So, I was like, I wonder if I can just hit the enter button from the the

Flipper Zero. And sure enough, it paired me with the TV. So, now I'm on the TV. I'm like, okay, cool. But again, [snorts] I had a problem. This as you can see and I was being very like secretive and covert obviously. So, it didn't create the best pictures for you guys. But um it's an audio player. So, Samsung has like I guess an audio. You can sync your audio with the TV and that's it. So, it's sort of like a a music player on there. Um so, of course, I played Smash Mouth and called it a day. Uh and I was kind of like bummed. I was like, okay, well, I thought it would be better if I

could have like connected and controlled the display of the monitor. Um but unfortunately, uh that that didn't work. So, again, I was sort of impressed by the Samsung. It was a little bit easier to hack than like receipt printer or a bed. And so, that [snorts] was sort of my the completion of my work with the Samsung TV. But wait, one more thing. Do you like my AI by the way? That's my face on Steve Jobs' body. Um I found out that if you are at a bar in Chicago for example, and you ask the bartender for the Wi-Fi, if you're on the same Wi-Fi network as a TV, you can do a takeover of the video

display. So, >> [music]

>> that TV that that bar is full There's all Samsung TVs. So, I could have taken all over all of them. Um So, again, this is Let me get back over here. Oops. The attack chain here. Again, not super super technical, a little more, but not super technical. Uh phone, Flipper Zero, and a Wi-Fi password. That's it. Could take over the displays basically anywhere. These Samsung TVs are everywhere. Uh I was just playing some David Letterman clip that I had on my phone or something. But as you can imagine, you know this could be very dangerous for a business. Obviously, someone could just, you know, hijack the display. You can only imagine the things they could play. I was uh

it's a good thing I'm a nice guy, I guess. Sometimes. Um uh but the most important thing here is that like again, this is a Samsung. This is a major company and they do not have authentication required. There's like that pairing thing, but it's really not a hard thing to get past. So, I'm I'm very shocked about I was very shocked about that as I've kind of gotten deeper and deeper. Even the bigger companies have a lot of these like holes in their offering or that you know, in the security of their um their Bluetooth connections. And so, I I I started to look like a little bit more wider at all of the Bluetooth connections out in the world.

Uh and before I get into the actual war walking, I I want to give you a little bit of a technical background on on the ESP32. Um this is the chip behind most Bluetooth devices. In fact, that dongle that we all got when we came into the conference that you're doing again that's that has an ESP32-S3 chip in it. So, they're very very common. Um This uh for example is it's they're they're very small. They're like maybe the size of like my thumb or something. This one is a full circuit board with a um USB-C powering and a a chip on it that can broadcast and detect Wi-Fi and Bluetooth and can you can hold it in the

palm of your hand. Um it's used in most of the the big ones are created by a company called Espressif Systems out of Shanghai. They claim to be in over a billion devices. So, all like the maybe general IoT devices that you have in your home, maybe that are cheap that you got off Amazon, um probably use this chip. Um they're about $3 to $5 a chip. So, they're very cheap, very easy to put um Bluetooth and Wi-Fi capabilities into device. And as you can imagine, a lot of these companies are not Bluetooth experts themselves. So, um it kind of creates an issue where you've got all of these devices going out in the world, uh but they're not secure

from the Bluetooth perspective. Um this includes like smart door locks, air purifiers, smart plugs, all sorts of things. Um it should be noted that's uh companies like Apple and Samsung do not use the ESP32. They have their own like secure way of doing things, but this chip is the one that's like all over the place. And we'll talk a little bit more in detail in a in a second about, you know, kind of what that means for the the world. So, now I had all this information. Uh I saw some exploits. Now I was like, well, how many of these are out there? I started to understand that this chip is everywhere. So, I got into what's called

war walking and this is going around and passively scanning the environment around you to find devices that are broadcasting Bluetooth around you. >> [snorts] >> Um I created this rig. Uh this cost me about $100 total to do. In fact, I have it. I have it right here. It's actively scanning the room. Uh don't worry, it's not like doing anything to your devices, but it is picking up Bluetooth devices in the room. Um it runs So, So, basically what all it is is a Raspberry Pi um with a GPS dongle uh and then just a attached to battery. Uh the software that runs on it is called Kismet. It's a great piece of software. I think it's been around about

15 years. Um I've become friends with the the guys who created it, Dustin and Dragor. I met them last year at a conference and have contributed some code to their code base as well. Um so, it's a really cool community. If you guys are interested in this, they're they're really welcoming and people really they they have like a Discord that's great as well. And it's sort of out of the box. It's very easy to install. Uh it comes with a interface that shows you all the devices that are around you and lots of different information about those devices. And [snorts] just to give you an idea of what gets broadcast on a Bluetooth packet. On the left side of this um

slide is basic the basic Bluetooth packet. So, MAC address. So, if you're not aware of that is, that's that's basically the name of the device. Um it's not human readable name. It's, you know, numbers and letters, but um it is the essentially the the machine name of the device. Um flags, device name. So, Matt's iPhone. If you have like a name for your device, it'd be something like that. Manufacturer data. And then the right side is basically what Kismet layers on top of that. So, that's the timestamp you saw it, the coordinates of where you saw it, the strength of like how close it was to where you were when you saw it. Uh and so, what I did is I

put Kismet on this device. I have a If I turn the hotspot on on my phone, it connects to a Tailscale VPN mesh network and syncs all of my data back to a home server. So, I've been war walking [clears throat] with this thing all around the world this past year. I've been very fortunate to do a lot of travel and I've been had it with me and now I've got all this like centralized data set um back home, which, you know, for the data nerd me is is really cool. Um so far I've collected over 1.3 million observations of devices and that equates to 881 unique devices in 21 cities. And I and and it's been collected since

November of last year. Uh some like interesting numbers that I've come across is so, only 4% of devices broadcast had a human readable name. Meaning like, you know, Matt's AirPods, Matt's iPhone, you know, the Whoop fitness tracker, any of those types of things, which is pretty good. I mean, I I guess that that is somewhat what of security through obscurity, but the problem with that is that 60 to 65% of all devices have a persistent MAC address. So, like I said earlier, the MAC address is sort of the machine readable name, but in essence, it's the name of the device and it's static. So, it's the same anywhere you go. So, in theory, that makes you very very trackable if

someone is like following that MAC address around. To give you an idea of the scale, um in a 0.2-mile walk to the grocery store from my apartment, I picked up 1,300 Bluetooth devices. And that's in like a suburb of San Francisco. Uh I've, you know, gone through Times Square with this thing and picked up tens of thousands. Uh so, there's tons of devices no no matter where you are, which was kind of eye-opening to me. A couple fun facts. Um here are some of the things random things that I've picked up in my data set. Bunch of Oura rings. Uh Rivian phone keys I guess broadcast something on a regular basis. Was in Vegas, 78 slot machines have

Bluetooth. I I don't really know what that's for. Um I was in Nashville giving this talk last year and did a little war walk through my hotel the night before and three people had CPAP machines. I guess that blew broadcast Bluetooth for some reason. Um and there's another one called the Molekule air purifier. It's a Bluetooth connected air purifier that that broadcasts 50 packs a minute packets a minute. I don't know why that would be. I don't know why you this thing would have to constantly be broadcasting into the air. Um that's 38,000 packets in 12 hours. It's crazy. And I guess this is a pretty popular in San Francisco cuz I see them all over

the place. Um so, that there's a lot of other stuff within that. You know, like I took it on the mountain in Park City and found all these cool like skiing Bluetooth device things and stuff. Um and and what I'll show you right now is very quickly is um you'll see in fact, I've got This is actually right now. This is this thing running right now connected into my my uh Kismet device. Um I'll I'll run a script real quick and we can look a little bit more into what's going on in this room.

Oh. Got it. Why? Okay. Anybody know how to Anybody know the macro to minimize it? There There we go.

This is a script I built. Oops, sorry. This is a script that I built that like kind of goes into the device. And this is just from turning this on since I've been uh here. Got some Flippers. Apple Pencil. Okay. Uh There's there's there's the printer that's sitting up here. Tablets phones. Logan, I see your S24 Ultra. Cato, I see your iPhone.

So, this is all just information just from like the last 10 15 minutes. So, you can imagine what it's like elsewhere. And then I also created this This is my home central server that shows all of the things and you know, 1.3 million devices. So, So, What's that?

Let's try it. There we go. Oh god, here we go. >> [laughter] >> Oh, I've got a Jason Fraley, is that you? It's not me, but it is another name you used for your fake travel. Oh oh, Jackson Fellini. But anyways, this is his LinkedIn profile picture. So, >> [laughter] >> that's a good one. I haven't seen that one yet. Okay. Back to it. So, as you can imagine, there's privacy implications around this. You know, it's a little bit scary to see that your device is just broadcasting and anybody can see it. Uh and I I do want to uh say that there are some people doing it right and one is Apple. Um Apple does a

great job with their devices. So, only 0.42% of my data set is Apple devices. Why would that be? Apple devices are everywhere >> [snorts] >> of the trackable data set that I have. Um Apple rotates their MAC addresses every 15 minutes. So, they're not static. And they've got this system they call resolvable private addresses. So, once you make a Bluetooth connection with a device, it sort of creates like a a unique handshake between them and then can get rid of the MAC address. The MAC address is usually what's making these connections between Bluetooth devices, I believe. Um and so they do a great thing. So, there's a a known pattern that can really help with privacy that a lot of

people aren't implementing. Um but Apple is obviously um doing it right and spent a lot of time on that. >> [snorts] >> Um most IoT is not doing it right, as you can see. Um the MAC addresses will be static forever. The device name will be broadcast in plain text, no authentication. They're just like the air purifier just broadcasting packets non-stop. Um and I'll I'll show you case in point. I have this Whoop fitness tracker that just tracks you know, heart rate, all that kind of stuff. Okay, here we go. >> [laughter] >> It's up. Um I'll get back to you in a second. Okay. Uh So, my Whoop uh has been with me. And

obviously, I know where I've been, but I'm going to use the data to show you where I've been. Um these are all the cities I've been to in this past year. Again, like I said, I've been able to travel a lot, which has been great. Um and this is just the data. I just I had a script to like pull this stuff out rather than me write it down. Um this is a single day in Las Vegas. It knew exactly where I was cuz I was going around. Um the scary part about this to me is that it takes about $10, maybe a little bit more, but these these ESP32 chips are cheap. You can plug them into a

battery. Uh no code is really needed anymore if you use cloud code to like write the firmware. Um and what's keeping anybody from creating almost like a surveillance infrastructure? Uh you could very easily do that. And case in point, uh it's already being done. So, um I have some friends that work in the space uh and they couldn't tell me details, but then I did some research, you know, they're under NDA. Um but these major companies, Macy's, Walmart, Target, they've sort of said that they do this. Um it's totally legal to passively scan this, and so they'll have beacons around stores. Well, and they'll understand your patterns walking around the store, how long you're at

certain thing. Um and then be able to maybe broadcast push notifications of certain things to your device um to invisibly kind of have really deep insight into the um patterns of their consumers. So, it's not theoretical. Um this is actually happening out there. >> [snorts] >> Um and what what we can actually do. There are some things that we can do. It depends on how paranoid you are. I mean, obviously, you can use a Faraday bag on your device or something like that, but um in general, you know, I suggest that you just you take a look around um at you know, know what's being broadcast around you first off. Um turn off Bluetooth when you don't

need it. A lot of devices like a a great example is like a speaker should have to go into pairing mode before you pair with it, but a lot of devices don't do that. As you can imagine, just like literally your um the surface like in your home, if someone's sitting outside your home, they can see if you have a CPAP machine. That tells a lot that tells someone a lot about you from like an OSINT perspective. So, just being aware of the things that are broadcasting and sort of the manufacturers that you're using is important. Uh prefer manufacturers that rotate MAC addresses like um like Apple. I know in a room of hacker uh hackers, I know

Android uh a little bit more commonly used, but I would say that it's important to understand uh sort of how these things are being broadcast. And uh if you have a business, just maybe do a war walk around your your building and get to understand what your attack surface is. I was actually just talking to a guy yesterday. Uh I did this talk yesterday. This guy from the DOD, and he was saying that in the Department of Defense, they're not allowed to have any sort of Bluetooth. And so, they have these scanners running within their buildings that do this um non-stop just to understand if anything comes in. You know, if it's a hearing aid, they have

exceptions for that, but outside of that um you know, it's kind of an important uh thing to do. Uh so, most importantly, if you get if I can do this not a huge expert in this. I'm getting to learn it more, but I'm not a huge expert. Uh if I can do it, anyone can. Uh and here are some resources on my website mattmiller.ai, which is also like my handle on all social media. There's some scripts on there. Um if you do decide to run Kismet, uh you can take some of the scripts that I've created to do some data analysis. Kismet itself is great, very easy plug and plug and play to install. Wigle, which I

didn't have time to talk about in this talk, is something you should definitely check out. It's basically a crowd-sourced version of what I'm doing. So, there's billions of Wi-Fi networks and and Bluetooth networks that have been crawled and sort of crowd-sourced into one central location. And then of course, Flipper Zero is a great tool as well. Uh everything that I've done on today for this talk has been open source. So, it's all available to you all um including, you know, you can buy the the equipment to make your own rig. And finally, this is uh just an idea that I have is um at DEF CON this year, if you if any of y'all go to DEF CON, um every other year

is an electronic badge year. And on these electronic badges, they have what's called an SAO, an add-on. And um I was thinking we could build an add-on. So, I have a little community I've built. It's not Sorry, it says Discord. It's actually Signal. Um in Signal, we have a nice little group of people that are um talking about maybe building a little mesh network of SAOs that can be on badges. And uh you know, we can maybe get some insights about what's going on at the conference. Uh so, thank you so much. And I'm going to read out BSides is the best by EOD Poolhouse, my name is Jeff Dipwad Cuba. Whatever this means. Somebody out there

>> [laughter] >> Uh thank you all for for listening. Uh this is my first time at BSides Salt Lake. Uh so, I really appreciate the time. And um I don't know if I have time to answer questions, but uh Got a minute or two to answer questions if anybody has any. Let's start here, and then we'll come here.

Surprisingly, I have not. I I always expect them to like open the back cuz it's got this thing with all these cords and stuff like that, but no, I mean, sometimes I will like if I'm going international, I take it apart cuz then it's just basically a battery and like a it's a Raspberry Pi. So, it's nothing like I could just say it's just a little computer or something like that. Um I have not had any issues with it at all, though. Yeah. How do you know that 60 to 65% of the MAC addresses are static? It's a good question. Uh the question was, how do I know that 60 to 65% of the MAC addresses

are static? I I did a little bit of research outside of, and I should have put some sources in here. Um but then I cross-referenced my data set. Uh now, my data set's not like the most extensive. 1.3 million is a lot, but it's, you know, all things considered, it's not that big of a data set. Um but I've I've I'm constantly running analysis on that to see if that sort of changes. So, that's it's mainly based off my sample set, but also based off of some research I've done outside of it. So, uh it could be it could be off by some margin of error, probably, but in general, that's kind of what it's come out to be. When I say

it's static, I I know that because I pick it up over longer like 15-minute periods, these devices will be picked up like multiple times over a period of time. Uh and so, that's yeah, that's how I've kind of come to that conclusion. >> [snorts] >> Any other questions? Yeah, I have just more of something to add. So, the CPAP machines that are broadcasting, that means they haven't been paired yet. Uh because they want to make it easy for old people, right? Yeah. Once you pair it, you can change all the comfort settings. You can change the temperature. You can add pressure, take away pressure. But like the security side of things, I think the scariest thing is I can see,

oh, he's asleep right now because his CPAP machine is running. So, now I can go and get into his stuff. Totally. I mean, I I think that that's the biggest thing is like people don't realize like you know, this from an OSINT from an OPSEC perspective, for example. It's like your Bluetooth devices give major information to somebody. Now, that's if you're super paranoid. I don't tend to be super paranoid, but it's really su- uh really an important thing to to keep in mind. And I I just don't see why you know, we we couldn't, you know, maybe make the pairing mode or something a little bit easier cuz like that exact is exactly a a perfect example of

something that I don't know, gives a lot of information away about somebody um and that's other people should just not know about, you know. So, that that's generally how I feel about all this stuff. So, it's really interesting, you know. I don't know if it's the same on Bluetooth, but on Wi-Fi, I just learned this week that the big vendors, they've got a standard that they follow to the randomized MAC addresses. So, like if this character [snorts] is a two, that means that it's a randomized MAC address. And if one of us goes in and changes our MAC address manually, yeah, we don't have to follow that. Yeah. But like the big players in the space, they have Well, I

also think that the EU Yeah, the EU cyber act has some regulations around that kind of stuff, and the US does not have any policy around this. So, that's something that I really think should be talked about, you know. So, but that's my time. Uh thank you so much. This has been great. And uh Yeah, thank you.