BlueSpy: PoC to record audio from a Bluetooth device
BlueSpy – PoC to record audio from a Bluetooth device
This repository contains the implementation of a proof of concept to record and replay audio from a Bluetooth device without the legitimate user’s awareness.
The PoC was demonstrated during the talk BSAM: Seguridad en Bluetooth at RootedCON 2024 in Madrid.
It’s designed to raise awareness about the insecure use of Bluetooth devices, and the need of a consistent methodology for security evaluations. That’s the purpose of BSAM, the Bluetooth Security Assessment Methodology, published by Tarlogic and available here.
This proof of concept exploits the failure to comply with the BSAM-PA-05 control within the BSAM methodology. Consequently, the device enables the pairing procedure without requiring user interaction and exposes its functionality to any agent within the signal range.
Troubleshooting
BlueSpy.py is the main script that executes every step of the process. However, if you encounter issues with any of the phases, so it might be helpful to execute them individually:
pair.pyutilizes the command-line toolbtmgmtto modify the configuration of your BlueZ and initiate a pairing process with the remote device. The exact commands used are in thepairfunction insidecore.py.connect.pyutilizes the command-line toolbluetoothctlto initiate a quick scan (necessary for BlueZ) and establish a connection to the device. The exact commands used are in theconnectfunction insidecore.py.just_record.pyutilizes the command-line toolspactlandparecordto search for the device in the system’s audio sources (it must function as a microphone) and initiate a recording session. The exact commands used are in therecordfunction insidecore.py.- The
playbackfunction insidecore.pyexecutespaplayto play back the captured audio.
If you encounter issues with any of the phases, examine the commands in core.py and try to execute them in a shell. This will provide more information on what may be failing.
