Hacked by Bluetooth: New Exploit Takes Over Your Phone
- Added 12. 06. 2024
- PlexTrac 👉 seytonic.cc/plextrac1
0:00 Hacked With Bluetooth: New Exploit Takes Over Your Phone
2:20 PlexTrac (sponsor)
3:13 Counterstrike HTML Injection Bug
5:11 Ukraine Admits to Hacking Russia
6:51 KillNet Leader 'Retires'
Sources:
www.theregister.com/2023/12/0...
thehackernews.com/2023/12/new...
www.hackread.com/bluetooth-vu...
www.darkreading.com/vulnerabi...
www.darkreading.com/vulnerabi...
github.com/skysafe/reblog/tre...
www.bleepingcomputer.com/news...
www.hackread.com/gamers-warne...
hackerone.com/reports/631956
Gameplay: • Counter Strike 2: Office
therecord.media/ukraine-cyber...
www.bleepingcomputer.com/news...
securityaffairs.com/154839/cy...
gur.gov.ua/en/content/voienna...
therecord.media/killnet-killm...
===============================================
My Website: www.seytonic.com/
Follow me on TWTR: / seytonic
Follow me on INSTA: / jhonti
=============================================== - Entertainment
There is an exactly 0% chance that state actors have not been using that Bluetooth vulnerability for years
There is a 0% chance this has been used in the wild lol.
Non remote exploits are almost impossible to pull off, you would have to follow someone all day, hoping he has Bluetooth enabled and hoping he is not looking at the screen of his unlocked phone, hoping that the connection doesn't fail at any moment, hoping the phone speed can keep up with the rubber ducky static input speed, and many more problems that I'm too lazy to list.
This is a THEORETICAL exploit, will never see it used in the wild, hell calling this an exploit is a meme
I admire your optimism! @@FascistTrex
@@FascistTrex not true. There are tons of intel teams and assets operating everywhere, and this would easily be pulled off at any gathering event especially with politicians and people in managerial & leadership positions who spend much time at events sitting in a single place to target. My dev team has had personal encounters with this type of attack
@@undr_guv_surv but it has such a great risk of failure with people seeing what is happening...
And you have to have Bluetooth on to connect to your medical implants...
Ah yes, now counterstrike is safe for work once more
This has always been the case, hasn't it? I thought Bluetooth was always vulnerable.
Opsec 101: only turn on bluetooth if you actually need it
Need it for Car, headphones, watch so disabling it not an option
@@mrx6555 cable headphones mvp
@@mrx6555 "car" and "really", is it really a necessity?
Yall act as if you were chinese spies. The average individual has nothing to worry about exploits like this....
@@mrx6555 have you thought about wired headphones? 3.5mm Wire between phone and car? Installing grapheneos and enabling "auto disable Bluetooth after x minutes"?
always look forward to this dude's content. well written with witty humor sprinkled in between, always a joy to watch :D . Seytonic thanks for putting this stuff out there for us to enjoy n stay safe out there!
Thanks for watching my dude :)
Mostly it is using a Bluetooth device like a keyboard, sending fake drivers allowing exploit commands.
Great video! However I think you should have mentioned that on Android, the released security patch 2023-12-5 mitigates this issue, which is mentioned in the github post you link. Of course, I know this is not the panacea, because of Android fragmentation etc, but the video made it seem like no security patch was out.
I would also have added that, as with a rubber ducky, the device has to be unlocked in order to do damage.
My bad, not mentioning a patch was available (at least for android) was definitely an oversight on my part
Also security patches get deployed automatically. No user input needed or phone manufacturers. Gets pushed through regardless. So if it's Android, it's patched.
What about Linux ?
@@plebius Well, only recent phones. Any phone older than ~2-3 years probably doesn't get any updates anymore. So, also no security patches if I understand this process correctly.
@@querela92 security updates are pushed regardless of android version. So no matter the year, it gets those through the playstore. It has nothing to do with OEM patches
Well, that's a hell of a lot of news. The bluetooth exploit is scary, the CS2 is hilarious and the Russian hacking situation is interesting. As a Russian myself, this is very interesting.
We should really appreciate how seytonic never fails to fill us with steamy and hot news from the back
come on now
@@salpertia I'm sure he will
👀
God damnit I'm so tired of this comment it's under every god damn video on the platform. I know it's hard, but have you ever considered thinking independently? Coming up with your own ideas? Or is that beyond you?
@@Tommy50377 someone got hit from the back with the hacker news
Imagine kicking a player, and two days later someone kicks down your front door-
There was a bug I found like this in csgo back in 2019/2020~ish, if u edited the lobby message packets u could insert a custom formatted xml used for events text (eg when u are in a lobby and it goes "(TEAM A) vs (TEAM B) live" or something), lots of trolling ensued and we thought it was harmless, we would just visually edit peoples ranks and make a message come up saying u were overwatch banned, after having our fun we told a bunch of peeps, but then afterwards we realized if u attached a script tag u could run javascript in their game ui, then you could use a handy api (since disabled) made by valve to run any program on their computer with any parameters you could ever want, wouldn't have shared it if i realised it let u run js (and probs could have got major bug bounty money D:), sooooo like we are reallllllllly lucky nobody realized and made a botnet out of a bunch of people playing counterstrike from us just doing a lil trolling before valve patched it. Valve patched it after a few streamers got targeted by some trolling.
Good on valve, ngl, i wonder how many of these bugs are under our noses
How do you edit the lobby message packets?
Fairly sure that bluetooth bug was shown years ago. Yup, just looked it up, first I saw it discussed was 2016 in MIT technology review on 23rd of February 2016. If it is that, then this is not new in the slightest. From what you described, it's not any different. Edit, if I remember correctly, I also remember this being discussed with regard to payment terminals that use bluetooth to speak to a phone.
That does not change the fact, that the vulnerability was unpatched until very recently if not until today 🙂
@@computerfreakch8912 it was patched. Years ago. On all platforms. Search for it.
@@computerfreakch8912 I gave a more in-depth explanation. With how it was done, but someone deleted it. I presume it was automatically done.
@@computerfreakch8912 or look through the comments on this video and you will see it explained elsewhere too.
Comments being removed that point out this bug was fixed years ago. Why?
I’m sure there have been half a dozen other Bluetooth exploits…
That is correct Bluetooth and older WiFi APs are a joke. Almost no one updates firmware or replaces them unless they absolutely don’t work anymore. And don’t even get me started on grandpa ordering his WiFi device from China. An adversary can literally plan an attack remotely using WiGle scouting ahead for potential trash devices to exploit or cheap Chinese garbage with weak WPS pins or the overwhelm exploit which reboots a device in WPS mode. I first learned about this in 2012 it’s 2023 now and there is no real solution other than don’t be unlucky and becoming one of the extremely rare victims of this.
I'm sure there have been a half dozen other Microsoft, Chrome, Cisco, Android, IOS, MacOS, Fortinet, Zoom, Adobe, Apache, Siemens, Zyxel, Gitlab, VMware, Oracle, Moveit, Solarwinds, Mozilla FF, Citrix Hypervisor, Siemens or whatever platform/product exploits. That's why there's advisories and CVEs.
So aside from stating the obvious for internet smugness, what's your point exactly?
This only works when the device is unlocked. So assuming ur phone is unlocked when you use it. You could see it happening. Update your phone.
sure, will take me less than a minute because there's no fragmentation on android and 99% of devices aren't abandoned by manufacturers in the Android version they launched with, right?
@@zedev444 Most phones actually have about 2-3 years of updates. Most major brands now have 5+ years too, like Samsung. Since Samsung is the world's most major brand... No 99% of phones are not abandoned immediately. They get several years of support, especially the newer phones which have upped the software support longevity.
Also, you may not be aware of it, but even 8 year old phones still get security updates. Not from the manufacturer but from google play services. It can prevent most exploits and goes out to all phones it can support, which is like almost all phones since the Samsung s7 or something like that.
@@zedev444 Only some manufacturers actually don't update their devices. A recent Google lawsuit revealed that they actually pay manufacturers to keep updating their devices.
and when it's unlocked you can see the keyboard inputs so you can just turn off your phone
ur fault for buying chinese trash with no update guarantees @@zedev444
Wait, Windows is not affected?
Not this time :)
window xp@@Seytonic
I found an exploit months ago that allows you to use an iPhone to pair with the Bluetooth adapter on any type of operating system including Linux without the victim being prompted to allow the hackers device to pair. then you can clone the victims device and add a service. the service can be configured to upload data to a remote server so you no longer need to be within range of the victim. I should've reported this months ago but haven't got around to it lol
Killmilk retiring could just be him resigning from killnet in a way that is less embarrassing
Thanks to wireless earbuds, I absolutely will not disable bluetooth.
@@MrVuckFiacom absolute shit
Lol, my 2020 phone still has a headphone jack and i don't use wireless headphones.
Sounds like a personal problem for you
@@lagc04 Can I have one :>
Even when you aren't using them?
@@lagc04 please
Nice, already have an update for my macbook and iphone, no matter how much one could hate on apple you have to admit once a CVE gets general public attention they are usually pretty quick to respond.
YAY new seytonic video always the goat.... i been watching every video yo
damn old bug strikes back after ages
Windows also has this issue, also the CS issue was used in New World, you could essentially paste any image in global chat.
fake news
What's the background music you use in these videos? I can listen to it all day.
well done everything have vulnerable
or does windows?
That's a feature I've been using for remote desktop and always thought it was WAY too easy to use maliciously if I wanted
did plextrac ask you to move the ad segment to the middle, or was it your idea?
Same sanitizing bugs have been found on cs:go, dota 2, dota underlords multiple times😂
I can't really find it, but do emui (Huawei in particular) also get the Bluetooth Patch? I'm specifically asking for a P30 Pro because the last available Update was in february and their Website doesn't list it under any Update intervals
Erm, you do know that in Linux and Linux-phones I always got a request to ensure the confirmation code match up.
So, I'd get the pop-up to confirm a connection, else it just rejects any attempts.
Thing is, I'd love to implement this so I could use my laptop as the keyboard and mouse for the workstation and laptop (i.e. use the num-lock key to enter/exit Bluetooth keyboard mode on the host).
KDE connect?
I wouldn't be surprised if Killmilk and Deanon Club are the same person.
i love this channel every week its better to watch this than read bunch of booring articles
@seytonic How about Bluetooth Gatt Service on Android that keeps on running in the background even though all Bluetooth settings are off?
Ive been doing this with my flipper, bluetooth has always been vulnerable, thats why i keep mine off
This bluetooth vulnerability has been public for years now, or at least one that's very similar
We are reaching Watch Dogs level of skidding, imagine walking through a mall with the bluetooth mod and creating a EMP field
Another reason to go paper and pencil!😂
yet ur here
Haven't had bluetooth enabled for years because i was warned about stuff like this years ago
Already disabled bluetooth ages ago.
That is why turning off Bluetooth when a device is not in use is necessary.
with ble advertising (which i searched 3 yrs ago and saw anyone can sniff and emulate) i knew if u could find a device that gives input u would be able to takeover device if u annoyed them enough they clicked connect
Oh nice. I only have Bluetooth on when I use it.
But man, that’s unfortunate:
I hate Bluetooth with a burning passion. It dominates everything. It's a bulky and broken protocol. And it really needs a fully open source equivalent.
Reminds me of that mr robot episode when he did the “impossible” Bluetooth hack
Reminds me of BlueSmurfing.
Being discoverable is an opt-in feature that means nearly all Linux users are unaffected.
But it's scary because my PC has class 1 bluetooth...
I thought everyone knew about this one it's been around for a long time
I understand and
don't understand
at the same time
Jay, thats one more security patch I'm not getting because my device is too old
And this is why headphone jacks are important
they are in the past, move on
@@apache937 my 2020 phone has one. I haven't bought wireless headphones in about five years lol
@@apache937 Make me
Gotta love how every phone no longer has a 3.5 jack and you're stuck with either an adapter (I've had 7 break) or Bluetooth
Every phone? Samsung never took it away from the Active/Xcover line along with removable battery while still being ip68.
Poco F5 (2023)/Note 12 Turbo/ Sony Xperias also have headphone jacks.
@jiffonbuffo they stopped making the active line after i believe the 8 soo idk about the other phones but i know that one is Ancient so any modern phone that still gets security updates which is incredibly important doesn't have a headphone jack my rule about phones is if it's not getting security updates it belongs in the trash because you're just asking to be hacked
David Bombal hosted OTW and they showed this exact hack using an example from Mr Robot
it would be a shame if the bluetooth exploit was used to serve a virtual bad usb device as a nas with some hacked-in open wrt features
it was bad enough that we had to watch out for bt and wifi spoofs but imagine it used with bad usb to organize mesh botnets throughout
Combine this with the recent webp attack and that's a good play.
This is FUN
Leon & Steve upstairs listens to my singing
now i regret connecting my phone to my mac’s keyboard
So, what are you saying here doc for mitigation turn bluetooth and ble off and type c to audiojack headphones or, is there something else that can help?
Because well, wireless headphones are convenient...
At the end of the day there are so many attack vectors out there if someone wants in they'll find a way irrelevant of our personal thoughts on how immoral that may be.
Good I’m happy
Well some Sony Ericsson phone from 2008 can do this as well.
But they only act as mouse
huh, sounds similar to that one scene in mr.robot
I hope the Bluetooth exploit isn't evident from the patches.
It's been around for years; Bluetooth just never gets updated, so it's vulnerable af
Wild
Hugs 🤗🤗🤗🤗🤗🤗🤗
I noticed you skipped windows.. does that mean windows isn't vulnerable to this?
Nope, it still is, and always has been
You can even do that with a rooted android phone with custom kernel and kali nethunter
You can't unlock an android phone using only a paired keyboard. So I don't really see the problem since it will only be working while it's unlocked and thus when you are actively using the phone.
Yeah, and by that point you can shut the phone off and go to a tech store
i hope you will teach us how to hacked by bluetooth
Maybe I will think about disabling Bluetooth on my Fedora 39 laptop and my PinePhone
On January 17, 2017 I was extorted by a Republican city councilman of Centennial Colorado. One of over 130 threats made was to hack my computer via Bluetooth via a bluetooth enabling wired mouse. In December of 2019 this attack was carried out. On December 20, 2019 they entered the premises after my wife and daughter left for the airport, retrieved their device and carried out another threat to break my glasses. This was followed a few days later by replacing one of the rubber nibs in the eyeglass repair kit with a similar one but discolored as if by tobacco smoke, this was threatened to contain asbestos so that a felony charge of illegal disposal of hazardous substance could be fabricated, and/or establishing the condition of asbestos on the property in order to carry out a broader more far reaching insurance fraud scheme.
good thing I never managed to make Bluetooth work on my linux machine lol
Sounds very unlikely to be used successfully in mass, must be very targeted
Ah…the Old Bluetooth hack. Still making its rounds
if u have an android with bluetooth enabled ur vulnerable, if u have an iphone with bluetooth on then ur vulnerable.. lol i love how u dumbed it down for the apple users
Bluetooth wastes about 1w an hour. Turn that shit off when you're not using it and watch your battery life last 25% longer.
damn ok i NEED my bluetooth always on for my cgm (constant glucose monitor) to work
coolll mann igg
2012.... TWENTY TWELVE?!?!?!?!??!
What about cs2 map exploits?
I only turn on Bluetooth if I need to use it because it runs out the phone power faster with it on
At this point no one is safe honestly.
No one
Wow, it's a good thing I only ever use Bluetooth on my Windows PC I guess........
Does it matter if you make your device undiscoverable?
Badusb via Bluetooth is already a thing with the flipper.
This is Very old news I remember learning about this 10+ years ago and the news was dated at that time.
Do you mean just turn off or turn completely off?
“Your phone can be hacked via bluetooth!”
“Shit, okay, can you prove it?”
“No 🙃”
This isnt the first time. Are you new to the whole technology thing?
@@Nestor__Makhno Oh, the arrogance. Cringe worthy. 🤦♂
@@Cuplex1 arrogance? Dude... The sky is blue he says. Prove it he says. What do you expect me to tell him?
colll mann igg
3:57 DDOS is not the worst that can happen that's for sure bro 😂, if ftp or ssh ports are open shit bout to go down hill. Or even seeing them physically and right their doorbell 😂
And this is why Apple should include a bluetooth toggle in the command center in iOS, or at least an option to have it instead of the fake toggle button they have now.
Yesterday I had to use a work phone to clock in my job. Was in the parking lot trying to clock in and my screen was jumping around and it navigated to internet settings and was trying to type in an internet log in and pass. I think they gave up after a bit. There is nothing of value on that phone cause it's a work phone but I'm wondering for you more tech-savvy users out there what were they trying to achieve by connecting to another internet?
On linux the hackers cant do much without your sudo password
I am going to make a PoC of the bluetooth i now have something besides bug bounties to do
You can turn off the Bluetooth keyboard setting on iOS
I heard of that bluetooth thing years ago. I need my headphones bluetooth, or I'll forget I have a cord and my phone will fall on the floor. And I have autism, so I can't just not wear headphones. If I don't have them on when a lot of noises are happening, I'll start panicking
Does this hack work if data is off?
Thanks. Already patched!
Will it affect Windows PCs? ???????
Nopes
Don’t you just need to confirm to connect the device anyways? I literally don’t know why everyone is so worried
I would be very interested to know how to permanently disable BT on an Android, rather than just turning it off
Desolder the Bluetooth chip. 😉😉
Only real way is to get into the phone insides
i mean if you really care then delete the bluetooth kernel module. but there’s no point
No windows?, that is incredible LMAO. Time to switch back to lumia.
I’m paranoid about my data anyways combined with what I know is capable…
Every time I leave my house I make sure Bluetooth and Wi-Fi is shut off especially location!
If only people was remotely aware of the amount of data was collect , how would you, fingerprinting, y’all would be the same way!
It’s not hard to take anonymous data and compare it with data that is known Then, linking the device ID!