The world is full of devices communicating with Bluetooth even if (or maybe especially if) you don’t realize it. Most “smart” devices are advertising some Bluetooth services (some of them even publicly writable without a password!). Even my treadmill is advertising writeable Bluetooth endpoints!
The Ubertooth One is a Bluetooth and Bluetooth Low Energy (BTLE) capture device intended for developers and security researchers/auditors. It has an external antenna and can communicate at much greater distances than most BTLE devices, both by transmitting more powerfully and by having a more sensitive antenna to listen for the response. To find out what is nearby and happening over the air, this is the device you want to have.
In this guide I’ll show you how to get the latest Ubertooth tools on Kali Linux as well as update the firmware for the Ubertooth device and actually use the device!
The Ubertooth One also has additional features/capabilities (upgradeable through firmware) that a normal Bluetooth adapter does not have.
The Nooelec Ubertooth One enclosure gives a sturdy aluminum shield but more importantly an EMI shield to reduce interference.
Updating Kali Ubertooth Tools
Kali Linux comes with a set of tools for Ubertooth but even the ones in the repository are outdated. The latest release at time of writing is 2020-12-R1. We can build the latest tools ourselves and this is the recommended way to keep the firmware version matched up with the tools version you have installed (the official recommendation from the developers).
Let’s start by installing some prerequisites:
sudo apt update && sudo apt install cmake libusb-1.0-0-dev git make gcc g++ libbluetooth-dev wget build-essential pkg-config python3-numpy python3-qtpy python3-distutils python3-setuptools wireshark wireshark-dev libwireshark-dev python3-protobuf python3-requests python3-numpy python3-serial python3-usb python3-dev python3-websockets librtlsdr0 libsqlite3-dev libprotobuf-dev libprotobuf-c-dev protobuf-compiler protobuf-c-compiler libsensors4-dev -y
Add root and your user account to the plugdev group (if not logged in as root):
sudo adduser root plugdev
sudo adduser $LOGNAME plugdev
Before building the utilities we need to install the libbtbb packet capture library:
wget https://github.com/greatscottgadgets/libbtbb/archive/2020-12-R1.tar.gz -O libbtbb-2020-12-R1.tar.gz
tar -xf libbtbb-2020-12-R1.tar.gz
cd libbtbb-2020-12-R1
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
cd ../..
To download and install the Ubertooth tools:
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2020-12-R1/ubertooth-2020-12-R1.tar.xz
tar -xf ubertooth-2020-12-R1.tar.xz
cd ubertooth-2020-12-R1/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
cd ../../..
To update the Wireshark plugins:
cd libbtbb-2020-12-R1/wireshark/plugins/btbredr
mkdir build
cd build
cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/x86_64-linux-gnu/wireshark/libwireshark3/plugins ..
make
sudo make install
cd ../../../../..
cd libbtbb-2020-12-R1/wireshark/plugins/btbb
mkdir build
cd build
cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/x86_64-linux-gnu/wireshark/libwireshark3/plugins ..
make
sudo make install
cd ../../../../..
That’s it for the tools and plugins. Let’s move on to the firmware!
Update Ubertooth Firmware
You’ll definitely want to update your Ubertooth’s firmware. My Ubertooth came with firmware from 2015 (in 2021!). It’s also highly recommended that the version of firmware on your Ubertooth matches the version of the tools you are using.
To update the Ubertooth’s onboard firmware:
cd ubertooth-2020-12-R1/ubertooth-one-firmware-bin
sudo ubertooth-dfu -d bluetooth_rxtx.dfu -r
cd ../..
When I ran this the first time I initially got an error like this:
┌──(root@IntelNUC)-[~/ubertooth-2020-12-R1/ubertooth-one-firmware-bin]
└─# ubertooth-dfu -d bluetooth_rxtx.dfu -r
libUSB Error: Input/Output Error: (-1)
Switching to DFU mode…
Checking firmware signature
………………………………….
………………………………….
………………………………….
……..
Detached
Despite this error my update was successful. You can verify this by checking your firmware version like this:
ubertooth-util -v
Firmware version: 2020-12-R1 (API:1.07)
Testing using ubertooth-specan-ui
At this point we can run some tests and talk to the Ubertooth and make sure everything is working. Let’s pull up a visual representation of the spectrum to make sure our adapter is detecting Bluetooth activity:
It should load a new window that looks like this:
If everything is going well you should see a ton of activity like the above screenshot! Don’t worry too much about the specifics yet if that seems overwhelming. We just want to make sure you are seeing activity and that there’s not zero activity (indicating something isn’t working correctly).
Kismet has some pretty awesome tie-ins with the Ubertooth and is definitely worth getting up to date. Here is a basic capture using the Ubertooth as a data source (Ubertooth placed in a window on an Intel NUC):
After about 30 minutes of capture the Ubertooth had seen over 234 devices! That’s unbelievable and was actually more than I was expecting to find despite undertaking this project with the suspicion that there were a lot of them out there. I’ll definitely have more to say about all of this in future articles. The last I_TL BTLE device is actually my treadmill!
The easiest way to update your Kismet is to build from source just like we did all of the Ubertooth tools and Wireshark plugins. This one will take a lot longer to compile than the other ones we have done previously since Kismet is a very large and complex application. Let’s do it:
git clone --recursive https://github.com/kismetwireless/kismet.git --depth=1
cd kismet
./configure
make -j4
sudo make install
sudo ldconfig
sudo adduser kali kismet
sudo adduser root kismet
That’s it. Now run Kismet and point your web browser to http://127.0.0.1:2501.
If this is your first time running Kismet here is a quick command to get the default Kismet generated login/password:
This should reveal the login credentials to get into Kismet. If you click the gear in the top left and select “Data Sources”, you should see the Ubertooth and your other devices, such as your WiFi card, in there. When you click a data source you should be able to enable it, and it will start populating what Bluetooth activity is happening near you!
You may find references to an Ubertooth Kismet plugin but it is no longer used. The newer versions of Kismet support BTLE capture natively and the plugin no longer builds so don’t waste any time on it!
This is the main utility to control the Ubertooth:
ubertooth-util - command line utility for Ubertooth Zero and Ubertooth One
Common options:
    -v get firmware revision number
    -V get compile info
    -I identify ubertooth device by flashing all LEDs
    -d[0-1] get/set all LEDs
    -l[0-1] get/set USR LED
    -S stop current operation
    -r full reset
    -U<0-7> set ubertooth device to use
    -N print total number of Uberteeth and exit
Radio options:
    -a[0-7] get/set power amplifier level
    -c[2400-2483] get/set channel in MHz
    -C[0-78] get/set channel
    -q[1-225 (RSSI threshold)] start LED spectrum analyzer
    -t intitiate continuous transmit test
    -z set squelch level
Range test:
    -e start repeater mode
    -m display range test result
    -n initiate range test
Miscellaneous:
    -f activate flash programming (DFU) mode
    -i activate In-System Programming (ISP) mode
    -b get hardware board id number
    -p get microcontroller Part ID
    -s get microcontroller serial number
    -x xmas lights
The most useful option is -r (reset the Ubertooth), but there are several other aspects of the Ubertooth’s behavior in here that you may find useful!
The ubertooth-scan utility scans for traditional Bluetooth devices. You can also pair it with a normal Bluetooth adapter to do an advanced scan that finds hidden devices:
ubertooth-scan - active(Bluez) device scan and inquiry supported by Ubertooth
This tool uses a normal Bluetooth dongle to perform Inquiry Scans and Extended Inquiry scans of Bluetooth devices. It uses Ubertooth to discover undiscoverable devices and can use BlueZ to scan for discoverable devices.
Usage:
    ubertooth-scan
        Use Ubertooth to discover devices and perform Inquiry Scan.
    ubertooth-scan -s -x
        Use BlueZ and Ubertooth to discover devices and perform Inquiry Scan and Extended Inquiry Scan.
Options:
    -s hci Scan - use BlueZ to scan for discoverable devices
    -x eXtended scan - retrieve additional information about target devices
    -t scan Time (seconds) - length of time to sniff packets. [Default: 20s]
    -e max_ac_errors (default: 2, range: 0-4)
    -b Bluetooth device (hci0)
    -U<0-7> set Ubertooth device to use
The ‘ubertooth-scan -s -x’ combo is fantastic as it performs an extended inquiry scan to discover services on the Bluetooth device. This helps us figure out what they are and what capabilities they have.
This is the main “fun” utility for BTLE devices. It has 3 different modes (follow -f, promiscuous -p, and no follow -n). In follow mode it will attempt to keep up with Bluetooth connections and capture data packets. Here’s the full overview:
ubertooth-btle - passive Bluetooth Low Energy monitoring
Usage:
    -h this help
Major modes:
    -f follow connections
    -n don't follow, only print advertisements
    -p promiscuous: sniff active connections
    -a[address] get/set access address (example: -a8e89bed6)
    -s<address> faux slave mode, using MAC addr (example: -s22:44:66:88:aa:cc)
    -t<address> set connection following target (example: -t22:44:66:88:aa:cc/48)
    -tnone unset connection following target
Interference (use with -f or -p):
    -i interfere with one connection and return to idle
    -I interfere continuously
Data source:
    -U<0-7> set ubertooth device to use
Misc:
    -r<filename> capture packets to PCAPNG file
    -q<filename> capture packets to PCAP file (DLT_BLUETOOTH_LE_LL_WITH_PHDR)
    -c<filename> capture packets to PCAP file (DLT_PPI + DLT_BLUETOOTH_LE_LL)
    -A<index> advertising channel index (default 37)
    -v verify CRC mode, get status or enable/disable
    -x<n> allow n access address offenses (default 32)
The interference mode helps create the conditions necessary for data capture!
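To turn a capture written with the -q option above into an inventory of the devices advertising around you, here is an added example (not from the original article or the Ubertooth project) that parses a DLT_BLUETOOTH_LE_LL_WITH_PHDR pcap and counts advertising PDUs per advertiser address. The function names and the sample capture are constructed for illustration, and the code assumes the 10-byte RF pseudo-header defined for pcap link type 256.

```python
import struct
from collections import Counter

LINKTYPE_LE_LL_WITH_PHDR = 256     # pcap link type DLT_BLUETOOTH_LE_LL_WITH_PHDR
ADV_ACCESS_ADDRESS = 0x8E89BED6    # fixed access address on advertising channels
# Advertising PDU types whose payload begins with the advertiser address (AdvA)
ADVA_FIRST = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
              4: "SCAN_RSP", 6: "ADV_SCAN_IND"}
RANDOM_KINDS = {0b11: "random-static", 0b01: "random-resolvable",
                0b00: "random-non-resolvable", 0b10: "random-reserved"}

def inventory(pcap: bytes) -> dict:
    """Map (AdvA, address kind) -> Counter of PDU type names seen in the capture."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_LE_LL_WITH_PHDR:
        raise ValueError("expected a little-endian pcap with link type 256")
    seen, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        # Layout: 10-byte RF pseudo-header, 4-byte access address,
        # 2-byte PDU header, then the payload (AdvA is its first 6 bytes).
        if len(pkt) < 22 or pkt[15] < 6:
            continue                       # truncated record or payload too short
        pdu_type, tx_add = pkt[14] & 0x0F, (pkt[14] >> 6) & 1
        if struct.unpack_from("<I", pkt, 10)[0] != ADV_ACCESS_ADDRESS:
            continue                       # data-channel packet, no AdvA
        if pdu_type not in ADVA_FIRST:
            continue                       # SCAN_REQ / CONNECT_REQ lead with another address
        adva = pkt[16:22]                  # least significant byte first on air
        kind = RANDOM_KINDS[adva[5] >> 6] if tx_add else "public"
        addr = ":".join(f"{b:02x}" for b in reversed(adva))
        seen.setdefault((addr, kind), Counter())[ADVA_FIRST[pdu_type]] += 1
    return seen

def constructed_sample() -> bytes:
    """Constructed capture (dummy CRCs): 2 ADV_IND from a public address, 1 from a random one."""
    def record(pdu_hdr0: int, addr_hex: str) -> bytes:
        phdr = bytes(4) + struct.pack("<IH", ADV_ACCESS_ADDRESS, 0)
        pkt = (phdr + struct.pack("<I", ADV_ACCESS_ADDRESS) + bytes([pdu_hdr0, 6])
               + bytes.fromhex(addr_hex)[::-1] + bytes(3))
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LE_LL_WITH_PHDR)
    return header + record(0x00, "001122334455") * 2 + record(0x40, "5a1122334455")

if __name__ == "__main__":
    for (addr, kind), pdus in inventory(constructed_sample()).items():
        print(addr, kind, dict(pdus))
```

Entries marked random-resolvable or random-non-resolvable are private addresses that change over time, so a single physical device can show up under several addresses in a long capture.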
I wanted to write this because all the above information involved going to about 20 different web sites to piece together. I really would have liked to just set it all up at once like this so I figured I’d share it as well as record it for myself in the future as well!
The Ubertooth device is definitely delivering when it comes to helping me figure out what is going on over the airwaves in my own home. With hundreds of different devices sharing the airspace detectable in my home, I can now investigate which ones are actually mine and secure them. Some of the devices, like my treadmill, have publicly writeable configuration attributes, for example. The Ubertooth lets you hunt these down and figure out what they’re doing and if anyone might be able to exploit them!
Wireless traffic of all kinds continues to get harder to detect as technology improves and time goes on. The scary part is if nefarious actors are utilizing these highly stealthy networks. Instances of IoT hacking continue to rise as these devices become more ubiquitous. This tool will help you investigate them and take control of your network airspace!