SY0-701 | Chapter 85 of 212 | Objective 2.3

Bluetooth Attacks (Bluejacking, Bluesnarfing)

This chapter covers Bluetooth attacks—specifically bluejacking and bluesnarfing—which are common wireless threats assessed in the SY0-701 exam under Objective 2.3 (Threats, Vulnerabilities, and Mitigations). Bluetooth attacks exploit short-range wireless communication vulnerabilities to send unsolicited messages or steal data. Understanding these attacks is critical for identifying and mitigating wireless risks in enterprise environments, and the exam frequently tests your ability to distinguish between these two attacks and select appropriate countermeasures.

25 min read | Intermediate | Updated May 31, 2026

The Bluetooth Pickpocket and the Unlocked Car

Imagine you're at a busy outdoor market. You have a small Bluetooth-enabled device in your pocket, like a wireless earbud case. It's constantly sending out a short-range signal saying, "I'm here! Pair with me!" This is like your Bluetooth device being in discoverable mode. Now, a pickpocket walks by with a special scanner. They don't need to touch you; they just need to be within about 30 feet. Their scanner picks up your device's signal and reads its name and capabilities—this is like bluejacking: an unsolicited message or contact. But the pickpocket isn't just sending a friendly "hello." They use a more advanced tool to actually connect to your device without your permission, like a thief jiggling the handle of an unlocked car door. Once connected, they can access your contacts, messages, and even your call history—this is bluesnarfing. The key mechanic is that the pickpocket exploits the Bluetooth protocol's trust model: if your device is set to "discoverable" and uses weak or no authentication, it's like leaving your car unlocked with the keys in the ignition. The countermeasure is simple: set your device to "non-discoverable" when not actively pairing, just like locking your car doors. The attack doesn't require malware on your device; it's a direct exploitation of the Bluetooth service itself.

How It Actually Works

What Are Bluetooth Attacks?

Bluetooth is a short-range wireless technology used for data exchange over distances typically up to 10 meters (Class 2) or 100 meters (Class 1). It operates in the 2.4 GHz ISM band using frequency-hopping spread spectrum (FHSS) with 79 channels (1 MHz each) hopping at 1600 hops per second. Bluetooth attacks target the pairing process, service discovery, or data transmission to gain unauthorized access or disrupt communication. The SY0-701 exam focuses on two specific Bluetooth attack types: bluejacking and bluesnarfing.

Bluejacking: Unsolicited Messaging

Bluejacking is the sending of unsolicited messages (often vCards—electronic business cards) to Bluetooth-enabled devices. The attacker does not gain access to data; they simply send a message that appears on the target's screen. The attack works by exploiting the Bluetooth OBEX (Object Exchange) protocol, which is used for exchanging files and vCards. The attacker creates a vCard with a message in the "name" field, then uses the OBEX Push Profile to send it to any discoverable device within range. The target sees a prompt asking whether to accept the contact; if they accept, the message is displayed. Bluejacking is often considered more of a nuisance than a security threat, but it can be used for social engineering or phishing. On the exam, bluejacking is defined as an attack that sends unsolicited messages but does not involve data theft.
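Because a bluejacked vCard is really a message (or a phishing link) stuffed into the name field, an incoming contact can be screened for exactly that pattern. The following is an added example, not code from the chapter: a small vCard parser plus heuristics that flag a name field behaving like a message. Both sample vCards are constructed, and the `.invalid` domain and thresholds are assumptions.

```python
"""Screen a received vCard for the bluejacking pattern: a message or link in the name field."""
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
LURE_RE = re.compile(r"(?i)\b(verify|confirm|reset|click here|urgent)\b")
CONTACT_PROPS = {"TEL", "EMAIL", "ADR", "ORG"}  # what a genuine contact normally carries

# Constructed samples (not real captures). The first mimics the "IT support" lure
# from this chapter; note the folded continuation line, which vCards allow.
BLUEJACK_VCF = (
    "BEGIN:VCARD\r\nVERSION:2.1\r\n"
    "N:;IT Support - verify credentials at\r\n  www.example.invalid/login\r\n"
    "FN:IT Support - verify credentials at www.example.invalid/login\r\n"
    "END:VCARD\r\n"
)
NORMAL_VCF = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane\r\nFN:Jane Doe\r\n"
    "TEL;TYPE=CELL:+1-555-0100\r\nEMAIL:jane@example.invalid\r\nEND:VCARD\r\n"
)


def parse_vcard(text):
    """Return {PROPERTY: [values]}; unfolds continuation lines (CRLF + one space/tab)
    and strips parameters such as ;TYPE=CELL from the property name."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    props = {}
    for line in unfolded.splitlines():
        if ":" not in line:
            continue  # BEGIN/END/VERSION without a colon would be malformed; skip junk
        name, value = line.split(":", 1)
        name = name.split(";", 1)[0].upper()
        props.setdefault(name, []).append(value.strip())
    return props


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_vcard(text, max_name_len=40):
    """Flag a vCard whose name field reads like a message rather than a contact."""
    props = parse_vcard(text)
    display = " ".join(props.get("FN", []) + props.get("N", [])).replace(";", " ").strip()
    reasons = []
    if URL_RE.search(display):
        reasons.append("URL embedded in name field")
    if LURE_RE.search(display):
        reasons.append("credential-lure wording in name field")
    if len(display) > max_name_len:
        reasons.append(f"name field unusually long ({len(display)} chars)")
    if not (CONTACT_PROPS & props.keys()):
        reasons.append("no TEL/EMAIL/ADR/ORG: nothing a real contact would carry")
    return Verdict(bool(reasons), reasons)
```

A verdict with reasons is the cue to tell the user to reject the contact and to disable discoverable mode, as the chapter recommends.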

Bluesnarfing: Unauthorized Data Access

Bluesnarfing is a more severe attack where the attacker gains unauthorized access to data on a Bluetooth device—contacts, messages, call logs, calendar entries, and sometimes files. This attack exploits vulnerabilities in the OBEX Push Profile or the Bluetooth stack itself. The attacker uses tools like Bluediving or BTCrack to brute-force the pairing PIN or bypass authentication entirely. Once connected, they can pull data using OBEX GET requests. Bluesnarfing typically requires the target device to be in discoverable mode, but some advanced techniques can work against non-discoverable devices by scanning for known Bluetooth addresses. The attack does not require user interaction; the attacker can silently copy data if the device is vulnerable. Common CVEs include CVE-2003-1495 (Bluetooth PIN bypass) and CVE-2008-2005 (OBEX memory corruption). On the exam, bluesnarfing is distinguished from bluejacking by the theft of data.

How Bluetooth Attacks Work Mechanically

1. Discovery: The attacker scans for Bluetooth devices using tools like `hcitool scan` (Linux) or BluetoothView (Windows). The target device must be in discoverable mode (default on many devices). The scan returns the device's Bluetooth address (BD_ADDR), name, and supported profiles.

2. Service Enumeration: The attacker uses `sdptool browse <BD_ADDR>` to list available services (e.g., OBEX Object Push, File Transfer, Serial Port). This reveals potential attack vectors.

3. Exploitation:

- For bluejacking: The attacker uses `obexftp` or a custom script to send a vCard with a malicious message via OBEX Push. Example command:

`obexftp -b <BD_ADDR> -p malicious.vcf`

- For bluesnarfing: The attacker uses a tool like `bluesnarfer` to connect and download data. Example:

`bluesnarfer -r 1 -b <BD_ADDR> -d phonebook`

This exploits the OBEX profile to read the phonebook without authentication.

Key Components and Variants

OBEX (Object Exchange): A protocol for exchanging objects (vCards, files) over Bluetooth. It operates over RFCOMM (serial port emulation) on channel 3 (for OBEX Push). The protocol is used by both bluejacking and bluesnarfing.

Bluetooth Profiles: Sets of capabilities that define how devices communicate. The OBEX Push Profile (OPP) and File Transfer Profile (FTP) are commonly targeted. The Serial Port Profile (SPP) can also be exploited.

Bluetooth Address (BD_ADDR): A 48-bit unique identifier (like a MAC address) for each Bluetooth device. Attackers use it to target specific devices. The address can be changed via software (spoofed) to evade detection.

Pairing and Bonding: Pairing establishes a shared secret (link key) for encrypted communication. The default PIN for pairing is often "0000" or "1234". Bluesnarfing often bypasses pairing entirely by exploiting flaws in the Bluetooth stack.

How Attackers Exploit Bluetooth

Attackers typically use off-the-shelf tools like:

- Bluediving: A suite of Bluetooth attack tools for discovery, service enumeration, and exploitation.
- BTCrack: A PIN brute-forcer that captures pairing packets and tries common PINs.
- BlueBug: Exploits a vulnerability in the Bluetooth stack to gain remote access to AT commands (e.g., send SMS, make calls).
- Bluetooth Pineapple: A rogue Bluetooth access point that can intercept connections.

Attackers may also use a Raspberry Pi with a Bluetooth dongle to carry out attacks from a distance (up to 100m with Class 1 radios). They can automate scanning and exploitation using scripts.

Defenses and Countermeasures

Disable Bluetooth when not in use: The most effective defense. If Bluetooth is off, no attack is possible.

Set device to non-discoverable: Prevents scanning but does not prevent attacks against known BD_ADDRs.

Use strong PINs (8+ digits random): Makes brute-forcing more difficult.

Enable encryption and authentication: Ensure pairing requires user confirmation and uses secure simple pairing (SSP) with numeric comparison or passkey entry.

Update firmware: Vendors patch Bluetooth stack vulnerabilities (e.g., CVE-2019-2102 on Android).

Use Bluetooth firewalls: Some enterprise tools (e.g., BlueFire Mobile Security) can block suspicious Bluetooth connections.

Enterprise policy: Ban personal Bluetooth devices in sensitive areas or enforce configuration profiles (e.g., MDM settings that disable Bluetooth).

Exam-Specific Details

SY0-701 tests the ability to:

Distinguish between bluejacking (message only) and bluesnarfing (data theft).

Identify that bluejacking uses OBEX Push to send vCards.

Recognize that bluesnarfing can occur without pairing if the device is vulnerable.

Recommend mitigation: disable discoverable mode, use strong PINs, update firmware.

Understand that Bluetooth attacks are limited by range (typically 10m for Class 2).

Trap: The exam may describe a scenario where an attacker sends a message and then steals data. The correct answer is bluesnarfing if data theft occurs, even if initial contact was via bluejacking. Another trap: candidates confuse bluesnarfing with BlueBorne (a set of vulnerabilities that allow remote code execution over Bluetooth). BlueBorne is a separate attack vector not specifically tested in SY0-701.

Walk-Through

1. Bluetooth Device Discovery

The attacker initiates a Bluetooth scan to find discoverable devices within range. Using a tool like `hcitool scan` on Linux, the attacker sends inquiry requests. Any device in discoverable mode responds with its BD_ADDR and name. The scan may also reveal the device class (e.g., phone, computer). The attacker logs all discovered devices. In a SOC scenario, a wireless intrusion detection system (WIDS) might log these inquiry requests as Bluetooth scanning events. A common mistake is to assume that non-discoverable devices are invisible; they are not. A non-discoverable device stops answering inquiry scans, but it still accepts a direct connection attempt from an attacker who already knows its BD_ADDR.

2. Service Enumeration

After identifying a target, the attacker uses `sdptool browse <BD_ADDR>` to list all Bluetooth services offered by the device. This reveals which profiles are active, such as OBEX Object Push (OPP), File Transfer (FTP), or Serial Port (SPP). The attacker looks for OPP or FTP to launch bluejacking or bluesnarfing. If the device has no exploitable services, the attacker moves on. In an enterprise, a Bluetooth scanner like `btmon` can log SDP queries, alerting administrators to reconnaissance activity.

3. Bluejacking: Send Unsolicited Message

For bluejacking, the attacker crafts a vCard (`.vcf` file) with a message in the contact name field. Using `obexftp` or a similar tool, they push the vCard to the target via OBEX Push. The target's device prompts the user to accept or reject the incoming contact. If accepted, the message is displayed. The attacker does not gain access to data. In a SOC, this might appear as a user reporting a strange contact request. The correct response is to advise users to reject unknown contacts and disable discoverable mode.

4. Bluesnarfing: Unauthorized Data Access

For bluesnarfing, the attacker exploits a vulnerability in the OBEX service to connect without pairing. Using a tool like `bluesnarfer`, they issue OBEX GET requests to retrieve phonebook entries, call logs, or messages. The attack succeeds if the device does not require authentication for OBEX access (common on older devices). The attacker can copy data silently. In a SOC, logs from endpoint detection and response (EDR) might show unusual Bluetooth connections or data transfers. The correct response is to isolate the device, check for data exfiltration, and update the Bluetooth firmware.

5. Mitigation and Response

After detecting a Bluetooth attack, the first step is to disable Bluetooth on affected devices and switch to non-discoverable mode. For enterprise environments, use mobile device management (MDM) to enforce Bluetooth policies (e.g., disable Bluetooth during work hours). Update device firmware to patch known vulnerabilities. For serious breaches, perform a forensic analysis of Bluetooth logs to determine what data was accessed. A common mistake is to only disable discoverable mode without addressing the underlying vulnerability; attackers can still target known BD_ADDRs.
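The walk-through above is also a detection chain: inquiry scanning, SDP browsing, then an OBEX push (bluejacking) or OBEX GET (bluesnarfing) from a peer that never paired. The following is an added example, not code from the chapter or from any real WIDS or `btmon` product: it triages a constructed, simplified event log in that order and applies the chapter's decision rule that the mechanism, not the payload, names the attack. The log format, event names and the inquiry threshold are assumptions.

```python
"""Triage constructed Bluetooth monitor events for the recon-to-OBEX chain this chapter describes."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed, simplified event format (not real btmon or WIDS output):
#   "<seconds> <peer_bdaddr> <EVENT> [target=<our_bdaddr>] [object=<name>]"
SAMPLE_LOG = """\
100 AA:BB:CC:DD:EE:01 INQUIRY
101 AA:BB:CC:DD:EE:01 INQUIRY
102 AA:BB:CC:DD:EE:01 INQUIRY
110 AA:BB:CC:DD:EE:01 SDP_BROWSE target=11:22:33:44:55:66
111 AA:BB:CC:DD:EE:01 SDP_BROWSE target=11:22:33:44:55:67
120 AA:BB:CC:DD:EE:01 OBEX_PUT target=11:22:33:44:55:66 object=hello.vcf
130 AA:BB:CC:DD:EE:01 OBEX_GET target=11:22:33:44:55:67 object=telecom/pb.vcf
200 11:22:33:44:55:99 PAIRED target=44:55:66:77:88:99
201 11:22:33:44:55:99 OBEX_PUT target=44:55:66:77:88:99 object=photo.jpg
"""

BDADDR = r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}"
LINE_RE = re.compile(
    rf"^(?P<t>\d+) (?P<peer>{BDADDR}) (?P<event>[A-Z_]+)"
    rf"(?: target=(?P<target>{BDADDR}))?(?: object=(?P<obj>\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    kind: str    # scanning | enumeration | bluejacking | bluesnarfing
    peer: str    # BD_ADDR of the remote device that initiated the activity
    target: str  # BD_ADDR of our device ("" for a broadcast inquiry)
    detail: str


def parse(log_text):
    """Yield field dicts for well-formed lines; skip anything that does not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(log_text, inquiry_threshold=3):
    """Return alerts in detection order. Mechanism, not payload, names the attack:
    an OBEX PUT of a .vcf from an unpaired peer is bluejacking, an OBEX GET from an
    unpaired peer is bluesnarfing; transfers from a peer we have bonded with are ignored."""
    alerts = []
    inquiries = Counter()
    paired = defaultdict(set)  # peer -> our devices it has completed pairing with
    flagged = set()
    for ev in parse(log_text):
        peer, event = ev["peer"], ev["event"]
        target, obj = ev["target"] or "", ev["obj"] or ""
        if event == "INQUIRY":
            inquiries[peer] += 1
            if inquiries[peer] >= inquiry_threshold and peer not in flagged:
                flagged.add(peer)
                alerts.append(Alert("scanning", peer, "", f"{inquiries[peer]} inquiries"))
        elif event == "SDP_BROWSE":
            alerts.append(Alert("enumeration", peer, target, "SDP service browse"))
        elif event == "PAIRED":
            paired[peer].add(target)
        elif event == "OBEX_PUT" and target not in paired[peer] and obj.lower().endswith(".vcf"):
            alerts.append(Alert("bluejacking", peer, target, f"unsolicited vCard push of {obj}"))
        elif event == "OBEX_GET" and target not in paired[peer]:
            alerts.append(Alert("bluesnarfing", peer, target, f"unpaired OBEX GET of {obj}"))
    return alerts
```

A "scanning" alert alone is reconnaissance worth watching; "bluesnarfing" is the cue to isolate the targeted device and check what was pulled, as step 4 advises.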

What This Looks Like on the Job

Scenario 1: Corporate Espionage at a Trade Show

A security engineer at a tech company notices an unusual number of Bluetooth scan events during a trade show. Using a WIDS, they see repeated inquiry scans (the traffic `hcitool scan` generates) from a laptop within 10 meters of the company booth. The laptop then performs SDP browsing on several employee smartphones that are in discoverable mode. The engineer suspects bluesnarfing. They immediately instruct employees to disable Bluetooth and switch to airplane mode. Later, they find that one employee's phone had its OBEX Push profile open and a vCard was received (bluejacking attempt). The engineer recommends MDM policies to force Bluetooth off during events and to keep devices non-discoverable by default. A common mistake would be to ignore the scan events as background noise; the correct response is to treat any Bluetooth reconnaissance as a potential precursor to data theft.

Scenario 2: Bluesnarfing via a Rogue Bluetooth Access Point

An attacker sets up a Bluetooth Pineapple in a coffee shop to intercept connections. The Pineapple acts as a man-in-the-middle, pairing with devices that attempt to connect to known services. A user's phone auto-connects to the Pineapple thinking it's their car's hands-free system. The attacker then uses bluesnarfing to download contacts and call logs. The SOC receives an alert from the user's EDR about an unauthorized Bluetooth file transfer. The analyst checks the Bluetooth logs and sees a connection from an unknown device with a spoofed name. The analyst quarantines the device and resets Bluetooth settings. The correct mitigation is to disable Bluetooth auto-connect features and use a VPN for data in transit. A common mistake is to assume that Bluetooth attacks require physical proximity; the Pineapple can be hidden and operated remotely.

Scenario 3: Insider Threat Using Bluejacking for Phishing

An employee receives a bluejacked vCard that appears to be from IT support, asking them to "click here to verify credentials." The employee accepts the vCard and follows the link, which leads to a phishing site. The SOC detects the phishing site login attempt and correlates it with the Bluetooth event. The analyst identifies the attacker's BD_ADDR from the vCard metadata. The response is to block the BD_ADDR at the network level, reset the employee's credentials, and conduct security awareness training. A common mistake is to treat bluejacking as harmless; it can be a vector for social engineering.

How SY0-701 Actually Tests This

Exactly What SY0-701 Tests

Objective 2.3 (Threats, Vulnerabilities, and Mitigations) includes Bluetooth attacks under wireless threats. The exam expects you to:

Differentiate between bluejacking (sending unsolicited messages) and bluesnarfing (unauthorized data access).

Identify the protocol used: OBEX Push (for bluejacking) and OBEX File Transfer (for bluesnarfing).

Recommend mitigations: disable discoverable mode, use strong PINs, update firmware, disable Bluetooth when not in use.

Recognize that bluesnarfing is more severe because it involves data theft.

Common Wrong Answers and Why

1. "Bluejacking is a form of data theft" – Wrong. Bluejacking only sends messages; no data is taken. Candidates confuse the two because both use OBEX.

2. "Bluesnarfing requires physical contact" – Wrong. Bluesnarfing works within Bluetooth range (up to 100m for Class 1). Candidates think of NFC or physical access.

3. "Disabling discoverable mode completely prevents attacks" – Wrong. It prevents scanning but not directed attacks if the BD_ADDR is known. Candidates overestimate this mitigation.

4. "Bluetooth attacks are only possible on older devices" – Wrong. Newer devices can be vulnerable if not patched (e.g., CVE-2023-45866 on Android). Candidates assume legacy vulnerabilities.

Key Terms and Acronyms

BD_ADDR: Bluetooth Device Address (48-bit MAC).

OBEX: Object Exchange protocol.

OPP: OBEX Push Profile.

FTP: File Transfer Profile.

SSP: Secure Simple Pairing.

CVE: Common Vulnerabilities and Exposures (e.g., CVE-2003-1495).

Trick Questions

A scenario describes an attacker sending a vCard with a message. The answer is bluejacking, even if the message contains a malicious link. The attack type is defined by the mechanism, not the payload.

A scenario says an attacker copies contacts without pairing. The answer is bluesnarfing, not bluejacking. Candidates might choose "pairing bypass" but bluesnarfing is the specific attack.

Decision Rule

When given a Bluetooth attack scenario: Ask "Does the attacker access or steal data?" If yes → bluesnarfing. If no → bluejacking. Then ask "What is the mitigation?" → disable discoverable mode or Bluetooth.

Key Takeaways

Bluejacking sends unsolicited messages via OBEX Push; no data theft.

Bluesnarfing steals data via OBEX File Transfer or direct OBEX access.

Both attacks typically require the target device to be in discoverable mode.

Bluetooth attacks are limited by range: Class 2 (10m), Class 1 (100m).

Mitigations: disable Bluetooth when not in use, set to non-discoverable, use strong PINs, update firmware.

The SY0-701 exam tests the ability to distinguish between bluejacking and bluesnarfing in scenario questions.

Bluesnarfing can occur without pairing if the device has unauthenticated OBEX services.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Bluejacking

Sends unsolicited messages (vCards) via OBEX Push

No data theft occurs

Requires user to accept the vCard

Considered a nuisance attack

Mitigation: reject unknown vCards, disable discoverable mode

Bluesnarfing

Steals data (contacts, messages, call logs) via OBEX GET

Involves unauthorized data access

May not require user interaction (exploits vulnerabilities)

Considered a serious security breach

Mitigation: disable Bluetooth, update firmware, use strong pairing

Watch Out for These

Mistake

Bluejacking and bluesnarfing are the same thing.

Correct

They are distinct: bluejacking sends unsolicited messages without data theft; bluesnarfing steals data (contacts, messages, etc.). Both use OBEX but for different purposes.

Mistake

Bluetooth attacks require the target to accept a pairing request.

Correct

Bluesnarfing can exploit vulnerabilities to access data without pairing or user interaction. Bluejacking requires the user to accept a vCard, but no pairing is needed.

Mistake

Setting a device to non-discoverable mode makes it immune to Bluetooth attacks.

Correct

Non-discoverable mode prevents scanning but does not prevent directed attacks if the attacker knows the BD_ADDR (e.g., from a previous connection or brute-force).

Mistake

Bluetooth attacks only work on old devices with Bluetooth 2.0 or earlier.

Correct

Newer devices can be vulnerable if not patched. For example, CVE-2023-45866 affects Android 4.2.2 through 13, allowing unauthorized OBEX access.

Mistake

Bluetooth attacks have a very short range (less than 1 meter).

Correct

Class 2 Bluetooth (common in phones) has a range of about 10 meters; Class 1 can reach 100 meters. Attackers can use directional antennas to extend range.

Frequently Asked Questions

What is the difference between bluejacking and bluesnarfing?

Bluejacking is the sending of unsolicited messages (vCards) to Bluetooth devices; it does not involve data theft. Bluesnarfing is the unauthorized access and theft of data (contacts, messages, etc.) from a Bluetooth device. Both use the OBEX protocol, but bluejacking uses OBEX Push (send), while bluesnarfing uses OBEX GET (retrieve). On the exam, if data is stolen, it's bluesnarfing.

Can bluesnarfing happen without pairing?

Yes. Many older Bluetooth devices have unauthenticated OBEX services that allow an attacker to connect and download data without pairing. This is a common exam point. The attacker simply uses a tool like `bluesnarfer` to issue OBEX GET requests. Newer devices require authentication, but vulnerabilities (CVEs) can bypass it.

Does disabling discoverable mode stop all Bluetooth attacks?

No. It stops casual scanning because the device does not respond to inquiry requests. However, an attacker who knows the device's BD_ADDR (e.g., from a previous connection or by brute-forcing) can still initiate a directed connection. The most effective mitigation is to turn Bluetooth off completely when not in use.

What tools are used for bluejacking and bluesnarfing?

Common tools include `hcitool` and `sdptool` for discovery, `obexftp` for bluejacking (sending vCards), and `bluesnarfer` or `Bluediving` for bluesnarfing (data theft). On the exam, you won't need to remember tool names, but understanding their purpose helps in scenario questions.

Is bluejacking a serious security threat?

Generally, bluejacking is considered a nuisance because it only sends messages and does not steal data. However, it can be used for social engineering (e.g., sending a phishing link). On the exam, bluejacking is less severe than bluesnarfing, but both require mitigation.

What is the range of Bluetooth attacks?

Bluetooth devices are classified by power: Class 2 (most phones) has a range of about 10 meters (33 feet); Class 1 (industrial) can reach 100 meters (328 feet). Attackers can use directional antennas to extend range. The exam expects you to know that Bluetooth attacks are short-range compared to Wi-Fi.

What is the best defense against Bluetooth attacks in an enterprise?

The best defense is a combination: (1) Disable Bluetooth on devices that don't need it, (2) Use MDM policies to enforce non-discoverable mode and strong pairing, (3) Keep firmware updated, (4) Educate users not to accept unknown Bluetooth requests, and (5) Monitor for Bluetooth scanning with WIDS.
