Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication

Conference: BlackHat USA 2020



The presentation discusses the development of a hardware platform for running BlueRepli on portable devices and the challenges faced in the process.
  • Developing a hardware platform for running BlueRepli on portable devices was challenging
  • The Winner S3 chip was chosen for its ability to run the Linux kernel and to manipulate physical-layer data
  • Because no BSP package for the Winner S3 chip has been publicly released, the researcher had to sign an NDA contract to obtain it
  • The LVGL GUI framework was used for the touchscreen-based UI
  • Exploring SCP-UI requires root on the Android phone, which makes it harder to address the same problem there as for PBAP and MAP
  • There are nearly 40 kinds of Bluetooth profiles, leaving many opportunities for future research
The researcher faced many challenges in developing the hardware platform, including the need to sign an NDA contract to use the Winner S3 chip and the difficulty of working with the LVGL GUI framework. Despite these challenges, the researcher was able to build a working board and operating system for running BlueRepli on portable devices.


Every Android phone loves Bluetooth, a short-range wireless communication technology. We can find a large number of Bluetooth devices in any public place. Many of their security issues have been exposed before, such as BlueBorne, KNOB, and BadBluetooth. Today, due to security risks in AOSP (Android Open Source Project) and the negligence of some well-known mobile phone manufacturers, we have another 0day vulnerability that can be exploited. We named it BlueRepli (Bluetooth Replicant).

At the application layer, Bluetooth is like an over-disciplining parent. It defines implementation standards for a variety of complex application scenarios. These standards are called profiles. Some of these profiles access extremely sensitive user data, such as PBAP (Phone Book Access Profile) for synchronizing the phonebook, MAP (Message Access Profile), which can access SMS data, and SAP (SIM Access Profile), which serves remote devices using the local SIM card. Of course, the use of these profiles by remote devices requires authorization from the local user and strict authentication by the local Android phone.

However, this study found two new ways to bypass these authentications and gain profile access. The first method is a new attack idea: it can obtain permissions when the target performs only one interaction, and attackers can make this interaction very deceptive. The second method uses the undisclosed 0day vulnerability BlueRepli, which can obtain profile access without the user noticing anything. We also prepared rich video demos to show the exploits we implemented, such as stealing mobile phone contact information and call history, stealing SMS verification codes, and sending fake text messages from the vulnerable phone.


