Big thank you to Brilliant for sponsoring this video! Try Brilliant for free (for 30 days) and to get a 20% discount, visit: Brilliant.org/DavidBombal CVE-2023-45866 allows attackers to remotely control an Android phone (and other devices) without pairing. Details: Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue. Source: Mitre See CVE details here: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45866 nvd.nist.gov/vuln/detail/CVE-2023-45866 // Script and instructions here // GitHub: github.com/pentestfunctions/BlueDucky How to stop / mitigate this attack: 1) Upgrade your phone / install security patches on Android for versions 11 and later. Unfortunately earlier versions cannot be patched (Android 10 and earlier) 2) Note: For the script to discover the MAC address of the phone, the phone needs to be in pairing mode. 3) Turn off Bluetooth if not being used // Occupy The Web Books // Linux Basics for Hackers: US: amzn.to/3wqukgC UK: amzn.to/43PHFev Getting Started Becoming a Master Hacker US: amzn.to/4bmGqX2 UK: amzn.to/43JG2iA Network Basics for hackers: US: amzn.to/3yeYVyb UK: amzn.to/4aInbGK // OTW Discount // Use the code BOMBAL to get a 20% discount off anything from OTW's website: hackers-arise.net/ // Occupy The Web SOCIAL // X: twitter.com/three_cube Website: hackers-arise.net/ // GitHub CODE // github.com/pybluez/pybluez // Amazon LINKS // Rasberry Pi 5: US: amzn.to/3JZKoZD UK: amzn.to/3JTBixC ASUS USB/BT-500USB US: amzn.to/4abnPfl UK: amzn.to/3QDsOOO // Playlists REFERENCE // Linux Basics for Hackers: kzfaq.info/get/bejne/j7CFibGd0q-zZnk.html&pp=iAQB Mr Robot: kzfaq.info/get/bejne/ad-Zh8KIstLTo5s.html&pp=iAQB Hackers Arise / Occupy the Web Hacks: kzfaq.info/get/bejne/fd6bftartbyoYYE.html&pp=iAQB // David's SOCIAL // Discord: discord.com/invite/usKSyzb X: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal KZfaq: www.youtube.com/@davidbombal // MY STUFF // www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com // MENU // 00:00 - Bluetooth hacking quick demo 03:05 - Brilliant sponsored segment 03:57 - The Bluetooth vulnerability explained // OccupyTheWeb 05:26 - How the vulnerability works 08:16 - Bluetooth hacking demo 09:26 - Setting up for the hack // BlueZ 12:12 - BlueZ tools demo 13:50 - Scanning for Bluetooth devices 17:58 - Other tools 23:20 - Running BlueDucky // Hacking Bluetooth demo 25:50 - The possibilities of Bluetooth hacking 28:04 - Older Android versions are at risk // Keeping devices up to date 30:17 - Bluetooth hacking for other operating systems 30:52 - Hacking Bluetooth speakers 34:04 - OTW books & plans for future videos 34:52 - Conclusion android iphone bluetooth raspberry pi macos windows samsung pixel google apple microsoft linux ubuntu blue tooth flipper zero google pixel ble Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #android #iphone #bluetooth

"Peace was never an option."

SDR lessons would be awesome! 🤩 Hope you guys do that.

It's a great thing you two are doing for us and myeslf and I, appreciates that a lot. I wanna ask, can the payloads be edited?

SDR stuff sounds AMAzing!

One could also use a custom ROM like Lineage that includes the latest version of Android. You probably should, anyway, if you're no longer getting updates.

Phones not having switches is just irresponsible at this point.

I would love that second video!! Always great to listen to OTW!!

I always enjoy watching an amazing videos with OTW and thanks to you so much David now you have shown me a clear path to follow since I joint your channel 3 years back and thanks to you so much and waiting for more from you and your guests please.

If you know what the speaker is. Technically you could write a patch for it to auto shutdown or reboot every so often. Then force the patch to the speaker or tv.

Thanks so much David

Love these videos with OTW👍👍👍

David and he's rick rolls gets me everytime haha XD I love it David! Keep up the amazing work! I have also a Raspberry 5 now i'll give it a test spin soon :D

Thank you David and Occupied for sharing the knowledge! Please do make a video on how to send packets to the bluetooth streams ✌️

One thing companies should be held accountable for and they're not. Smdh, this is why I hate non-accountability and immunity in the tech industry.

Thank you David, I'll keep updating my phone patches

Hi David thanks for the great video , it was awesome one question , how did you connect your pi to laptop ? did you use HDMI cable or what ? Ill be glad if you could help me and tell me , my main problem is that when im using ssh or vnc or stuff like this i dont have many permissions as you know and i cant use tools that work with wifi i bought a ttl cable to connect to pi i wanted to ask you if you know any better ways :)

Love the videos with this guest

Thank you, David🚀

this is really very scary in the wrong hands because there are millions of phones that fall prey to this bluetooth CVE. and the only option for most will be to buy a new device more scary even. hopefully options will come by to help them out. hopefully many people can learn of this as quick as possible. huge shouts to you David and OTW.

David bomball is so modern blue ducky came this year in january and hes already reviewd and teaching it!

Would love to see more bluetooth work. Like the ubertooth and generics. As well as btsmash

combining this attack with a list of browser exploits on an aws server would be impressive. get a browser recognition script on the index page with php or java to identify the browser version and based on the version launch a specific exploit and gain access to the phone.

Really appreciate both of you. wish you the best Sir.

Been scrolling through the comments, this man really tries to answer alot of them. Thank you for this information david.

Love your work, thank you.

Thanks so much David(first Tim watch a video of 2 hour earlier) unlike years ❤

Since this is an HID keystroke injector (as I understand it), does it need to unlock the phone (password or otherwise) before it can inject commands to other applications?

Awesome video David ❤

Hey David Bombal, could you also do a Video about detecting remote Access to an Android Phone and how to protect against/ remove the remote Access.

Thanks for this, so glad I bought a new phone. This is re-igniting me wanting to get back to studying.

Totally worth it to watch once again.🎉❤

also some wifi keyboards, mouses etc. I thought of that combined with drone and some strong antena for both signals

It's really exciting whenever you interview OTW, and like he previously suggested that you interview Sean Dillon please make it possible to

Did no one watch Person of Interest? Only me?? Sure, it went sappy in the later seasons but you gotta admit that their favorite mobile initial-access was via Bluetooth.

David, the problem with keeping your devices up-to-date in that the providers only send updates for 2 to 3 years and then you're done. Most people have no idea, after that if or how they can get patches or updates. Too many of us can't go out an buy new phones every two years. So these people are just stuck in limbo for whatever new hacks that come along after that.

My BlueDucky launches without the menu, it just has the title and says “Remember, you can still attack devices without visibility… If you have their MAC Address…” and that’s it. No menu launches and font is all in white. Help pls 😭

i was waiting for some bluetooth stuff like this

What's the range of this attack I left my phone's Bluetooth on by accident a few days ago, then when I checked dit after a day I saw a light blue Square around KZfaq app on my home screen which is the same square when I have an external keyboard connected and use the arrow keys to navigate the phone screen. I was worried for a bit but then checked my files on the surface I don't see anything odd Lastly My device is a building with ~20cm thick bricks for walls and other buildings are about 3 metres away

wonderful video thank you sir

32:00 hold on an SDR dongle can transmit??? Had thought they were just receivers? It's a transciecer? Are these you bog standard cheap SDRs or are you talking about something pro level? Would an unlocked quangsheng uvk5(8) be able to transmit on the relevant frequency to achieve the same effect? Ive seen them used to jam remote car keys before.

3:10 they can be updated, they just to have a custom rom flashed (you can flash higher versions of android)

How can I use a blutooth adaptor instead of rubbery pi ?

this is essentially almost the same thing that the rubber ducky does with a usb, RICK ROLLED!

You didn’t have to change the default adapter value in the script, you could have just used the argument -adapter …I was the one that submitted the PR (pull 21) to specify adapter it haha

Insane how such a small bug has implications this potentially bad!

My Discord members wanted me to check out your channel. Very interesting.

Good information 👍

Yeah I tested the script, interestingly REALME phone with android 13 and 11 is vulnerable , but the OPPO phones with older versions of android (I tested 9 and 10) is not vulnerable. There is a error message showing the pairing pin is not valid so I don't know about other brands but REALME is vulnerable

Does speaker have to be in pairing mode/connected and paired? For anyone who already tested it

I basically keep Bluetooth off, if I'm not using a Bluetooth device at that time, so for me it's almost always off, but it's good to be aware of.

Hey which Bluetooth adaptor would you recommend that would work well with Kali Linux ?

I've had problem, (error: Failed to enable SSP) and needed to change script, at line 107 in BlueDucky, there's code (ssp_command = ["sudo", "hciconfig", self.iface, "sspmode"] (just removed "1" at the end of line 107... and script rins runs fine, but cant connect to galaxy 6 ... " - error: connection refused ... " Script renamed my kali machine into ROBOT POC ... but still connection refused ...

i had an apk which would do the same. It still works, bassicaly it sents a pair request spamming them and they will connect by accident (when playing games or such) and then i can sent keystrokes, 9/10 times it works.x

Love from India ♥️🇮🇳

Like to see the video on the Bluetooth speakers ❤

@17:38 is an unobscured MAC address you tried to protect earlier masking it's right part.

Sir, for me it asks to pair manually and then when we pair, does the attack take place

Hi david, tried this one out with an old huawei p30 lite and it asks for permission first, even with an oppo of my friend? Is there away to bypass this?

Can this be compiled and added to havock for rfone portapack fw?

@davidbombal Could this be done from a laptop running Kali or from a rooted phone running NetHunter?

Very interesting video. I imagine that this could be very damaging in the wrong hands. Very cool.

Hey the ASU’s adaptor you suggest doesn’t work with Kali . Should I install drivers or something? Can you do a tutorial about this ?

How can you protect the older Android from these attacks or any attacks or what can you download or install to prevent a lot of this any help is definitely appreciated

There is no single way to penetrate a specific thing. You may need some basic methods, but you must search for the hole to expand it

Another reason Custom ROMs are so important, but of course massive companies keep trying to kill them. I ONLY buy devices with unlockable bootloaders.

No wonder my ear pods were acting weird lately.

Wonderfull video sir

Any bluetooth device you recommend that works properly? I used panda but its no longer scanning

It Works, Just tried it out on my phone. Scary stuff

do a video on ble cos i just got a bluetooth speaker that has a phone app which can turn it off & on meaning that device is never actually off

Crazy...I was just playing with this last night

Asalam David, hope you having fun, i just wanted to ask you that can I install bluetooth🎶 in lenovo device of 2nd generation which does not support bluetooth?🤩♻ I will be waiting for your kind response.💰 Thanks in davance. 😊

Can i use windows? Also can you explain me what is the use of raspberry pi In this. Why can't I directly use my pc for it?

Could one use this vulnerability to force a phone to place a call? That could be *interesting*

How does a bluetooth adapter help?

I'm a complete beginner and this is my second video

its a coincidence how i just finished fixing my bluetooth adapter and you just dropped a bluetooth cve video

If somebody have the virtual card information how can do the write card to the white card ??

Excelente video 🥺

Can you make bug hunting video? How we start bug hunting as a beginner

Can this tool be used without raspberry pi 4

Can this work on any laptop that has Bluetooth or i need to get an external Bluetooth to be able to use this attack

Is there anything I should pay attention to when purchasing a Bluetooth adapter?

I love my note 9, hell its an extension of myself at this point but it is very hard to root without bricking it I guess now it's either rooting and risk bricking or upgrade... neither of which im especially happy about :/

Does this exploit work only on devices that enable dev mod

Could this be done with BadKB on F0?

Ive already been looking at this and a self-replicating "package" that could jump from phone to phone. This hack in general could do some nasty shyt considering how many people are on their Bluetooth earbuds every day.

This must not be an issue if you turn off bluetooth, right?

Is it mandatory to have bluetooth external device to perform this attack??

when will there be a video about the attack on the phone?

Dear sir i am getting the following error when i try to payload: --> ConnectionFailureException: Failed to execute command: sudo hciconfig hci0 name Robot POC. Error: Can't change local name on hci0: Network is down (100)

How to use torspy package?

i don't know enough to imagine a use case, the environment. other than maybe if it was on a train against a person sat infront of you

can i try this with a Bluetooth connected wrist watch 🤔

Did anyone else read the title card in Shang Tsun's voice?

In order for this hack to function i think the Android phone needs to be unlocked? If your android is locked and requires a pin to open then the hacker needs to bypass the unlock screen first. By knowing the pin, guessing or brute-forcing or some other exploit. Am i correct? If true then you have at least some protection against this on older devices just by having pin screenlock and not have your phone open all the time.

USB arsenal is missing in my nethunter

lol yet another reason why the headphone jack should've never been removed

Mentioned the link of devices which are possible.:)