Electronic Recon with Bluetooth

Some time ago, we had one of those really fun projects. In this project the target was the CISO (Chief Information Security Officer). His boss was concerned that he was too open and wanted to see whether we could extract information from him.

CISOs are public figures, especially on large corporations. Because of this, there is a lot of open source information available. LinkedIn, Facebook and other social media sites provide a really detailed picture of the target.
After about a week we had pictures, personal information, and other useful tidbits of information relevant to our project. The main piece of information was that he owned an Android phone.

We began sending different targetted emails that look very legit, however in the meantime we also decided to follow him and see if we could gain access to his laptop or phone when he was outside the corporate network.
After a couple of days we observed that in the morning, prior to going to work, he would sit in a Starbucks and browse the news either using his laptop (a Lenovo PC laptop with Windows 7) or his phone. We walked by him pretending to be on the phone and we saw what he was doing.
The next day we arrived at the Starbucks and we set our laptop. In the laptop there we had amnong other things Wireshark, to sniff the network and try to get his credentials, and a small Bluetooth sniffer that we wrote. In the past we were successful in gaining access to smart phones and laptops via unprotected Bluetooth connections. So, we figured we give it a try as well.

Once the target arrived, we fired up the different programs. We started with the sniffer. We captured a lot of traffic but it was going to be hard to pinpoint the exact traffic from the CISO, there were a lot of people using the network. One of us walked by him to see what site he was looking at so we can filter his computer. In the meantime, I opened the Bluetooth sniffer/stumbler in my laptop and started scanning. Now, this was not a passive sniffer. This program searched for open Bluetooth connections and try to connect to them. Once it was connected it would record the traffic. One of the features we built into the sniffer/stumbler was the option of browsing the Bluetooth filesystem. Some devices with Bluetooth allow you to connect to the device using an FTP-like protocol to copy files, etc.
I could see 5 Bluetooth connections on the list. You know the fun thing about smartphones? People give them proper names. So... I saw that the 3rd device in the list belonged to our target, he named his phone with his name. Nice.

I launched the attack module on the sniffer and after a couple failed attempts (we were a little too far from his device) we finally connected to the phone when I moved closer to the CISO.
We were now connected to his phone. His Android was a older version and after some playing, we had access to the underlaying filesystem. Android keeps some of the data encrypted, but we really need to access that data. We just uploaded a small little binary that would be executed when the phone email program was called. Essentially it was a shadow mailer. When the target would send or receive an email, our program would forward it to us as well. The Bluetooth connection also allowed us to download some of the attachments on his emails.

For the next 3 days we received copies of the emails. This gave us a good way to properly prepare and send, a few days later, a very good email that we knew the CISO would open. The link on the email was to a legit website that we prepared and that contained several exploits for Internet Explorer, Firefox and Chrome. We knew he was using Internet Explorer on Starbucks, but we wanted to be sure.

The exploit for IE worked and a few weeks after we started with the project we had full access to the CISO's laptop and his phone.

Done.

On the report we recommeded that the CISO clean his online precense, protect his devices better and avoid connecting company deviced to public access points such as the one on Starbucks.

Notes: More information about Bluetooth sniffers and gear can be found here, here and here (old but informative).