
I have a JBL Go bluetooth speaker paired with a Dell laptop running Ubuntu 17.10.

I suspect malicious intermittent activity on that speaker, but I am not sure and I am looking for proof or evidence that it has or has not been hacked.

For example, some months ago, I left it on by mistake while I was away, and on my return, it was playing some sort of alarm sound. I thought it was misbehaving. But I don't know for sure. Now, it is making strange noises, not related to the tune it is playing.

I am looking at the log of bluetoothd on the laptop, and all I can see is the ready status of an already paired device.

Can I get more information, like disassociation, re-pairing, reassociation, whatever ... ?

Will a MITM Bluetooth attack ever leave traces in my log?

Is there a setup that I can put in place to check for the possible hack? How?

P.S. I will run bluetoothd with debug info turned on, if it helps, but ...

P.P.S. Those speakers come with a built-in microphone.

solsTiCe
    A MITM against a Bluetooth speaker is not "hacking" it. Most likely, the speaker is just bugging out. It's not uncommon for this to happen with crappy speakers. No reason to suspect compromise with the indicators you have presented. – forest Apr 17 '18 at 09:52
  • When you see this you can be sure it has been hacked https://www.youtube.com/watch?v=dQw4w9WgXcQ – DaGhostman Dimitrov Apr 17 '18 at 11:32
  • I just ran a scan with "BlueBorne Vulnerability Scanner by Armis" and I got a completely surprising result. The JBL Go speaker that never got a firmware update is rated **Low risk** while the **up-to-date** Ubuntu laptop is rated **Medium risk**. Why is that? – solsTiCe Apr 17 '18 at 13:47
  • That sounds like a great idea for a separate question, versus burying extended discussion in the comments here. – dwizum Apr 17 '18 at 14:08

1 Answer

You can try to determine if someone else is logging into your laptop to play music. Using the command

sudo less /var/log/auth.log

and/or simply

last

will show you users who have logged on. Auth.log is privileged so you need to be root/use sudo to view it. From there you can determine if you were home and logged in at that time to see if someone has taken control of your Dell laptop. A note from the comments: if you think your computer may be seriously compromised, running sudo could give the attacker your password (if they don't already have it).

You can monitor the Bluetooth pairing history on your laptop as well using

cat /var/log/syslog | grep blue

That command opens the syslog file and searches for the word "blue" to see logs containing "bluetooth". That should show you pairing history. This is assuming a hacker may have broken into your laptop to play these sounds.

As for logs on the speaker itself, I doubt it would keep any and I doubt you'd be able to access them if it did. It's important to note that Bluetooth can only be active from one host at a time, so if someone is hijacking your Bluetooth connection, it would necessarily invalidate your pairing. If your connection has been hacked, you would need to reconnect your laptop to the speaker.

Some important questions for you (you don't necessarily need to answer them here, just something to think about):

  1. How far away is your nearest neighbor? Bluetooth only has a range of 30 meters (100 feet) line of sight; less if it has to travel through a wall. In an apartment/flat you might run into this problem, less likely if you live in a detached house.

  2. Have you ever had to reconnect your Bluetooth speaker to your laptop when it hasn't been unpaired? This doesn't necessarily mean it's been hacked, Bluetooth is notoriously unreliable, but it's one thing to consider.

  3. Do you have to push a button on your Bluetooth speaker to get it to pair with your laptop? If you do, it's very unlikely it's been hacked unless the hacker has physical access to your speaker. Possible, sure... but very unlikely.

IMO, the more likely answer is that Bluetooth is unreliable and speakers can easily pick up interference. But you should run through the above questions just to be sure.

freehunter
    Using a potentially hacked computer to investigate if itself is hacked is a fundamentally flawed idea. – AndrolGenhald Apr 17 '18 at 15:06
  • True but unless those logs are already offloaded to a central log repository, there's not a whole lot of other options to look back through history. I made an assumption that the asker isn't using centralized authentication like Active Directory/LDAP. – freehunter Apr 17 '18 at 15:09
  • Recommending a 'sudo' command to begin your system investigation is also a Bad Idea, and including the statement "You can determine if the laptop has been hacked" is wrong-headed and misleading. – jth Apr 17 '18 at 15:10
  • I guess it depends on the sophistication of the potential hacker in question. Theoretically anything short of calling in Mandiant and notifying the Secret Service is a lackluster response to potentially being hacked. If you just want to determine if someone has stolen your credentials and is using them to log in over the network, I think it's a perfectly fine response. If you think we're dealing with state-sponsored actors, then you should call the FBI. – freehunter Apr 17 '18 at 15:17
  • Regardless I did take those comments into effect in my edit. It no longer says "you can determine if you've been hacked" because you're right. That was wrong wording. – freehunter Apr 17 '18 at 15:24
  • `less` can be made to run arbitrary commands specified in environmental variables (e.g. with `LESSOPEN`). Running it on a potentially compromised machine as root is an extremely foolish thing to do. – forest Apr 18 '18 at 03:19
  • Also, `cat /var/log/syslog | grep blue` is a [useless use of cat](http://porkmail.org/era/unix/award.html). You should instead use `grep -i blue /var/log/syslog` (with the `-i` to be case insensitive). – forest Apr 18 '18 at 04:29
  • So I'm seeing a lot of reasons why my answer is wrong, but not a lot of recommendations on what to do right. Do you have any suggestions, or is calling Mandiant and the FBI the only option here. – freehunter Apr 18 '18 at 14:52
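The log triage the answer describes, as an added example that is not part of the original answer or of BlueZ: a small Python script that reads bluetoothd lines copied out of syslog (or `journalctl -u bluetooth`, ideally from a copy of the file taken to another machine, as the comments advise) and pulls out the connect/disconnect events the question asks about. It then flags the three things the answer's questions point at: a link from an address that is not the known speaker, a drop that the laptop did not initiate (the "had to reconnect without unpairing" case), and any activity inside a time window when the owner says they were away. The sample lines are constructed and approximate the messages bluetoothd prints when run with debug logging (`bluetoothd -d`, which the question already proposes); the exact wording, hostname, PID and addresses are assumptions. The disconnect reason codes are the ones listed in the BlueZ management API (mgmt-api.txt).

```python
import re
from datetime import datetime

# Constructed sample syslog lines, approximating bluetoothd debug output.
# Hostname "dell", PID 812, addresses and message wording are all assumed.
SAMPLE_SYSLOG = """\
Apr 16 20:01:12 dell bluetoothd[812]: src/adapter.c:connected_callback() hci0 device AA:BB:CC:DD:EE:01 connected eir_len 5
Apr 16 22:40:03 dell bluetoothd[812]: src/adapter.c:dev_disconnected() Device AA:BB:CC:DD:EE:01 disconnected, reason 2
Apr 17 03:12:45 dell bluetoothd[812]: src/adapter.c:connected_callback() hci0 device AA:BB:CC:DD:EE:01 connected eir_len 5
Apr 17 03:14:10 dell bluetoothd[812]: src/adapter.c:connected_callback() hci0 device 11:22:33:44:55:66 connected eir_len 5
Apr 17 03:20:00 dell bluetoothd[812]: src/adapter.c:dev_disconnected() Device AA:BB:CC:DD:EE:01 disconnected, reason 3
Apr 17 03:21:30 dell bluetoothd[812]: Endpoint registered: sender=:1.57 path=/MediaEndpoint/A2DPSource
Apr 17 08:05:31 dell bluetoothd[812]: src/adapter.c:connected_callback() hci0 device AA:BB:CC:DD:EE:01 connected eir_len 5
"""

# The speaker's Bluetooth address (assumed); get the real one from `bluetoothctl paired-devices`.
KNOWN_DEVICES = {"AA:BB:CC:DD:EE:01"}

# Disconnect reason codes as defined in the BlueZ management API (mgmt-api.txt).
DISCONNECT_REASON = {
    0: "unspecified",
    1: "connection timeout",
    2: "terminated by local host",
    3: "terminated by remote host",
}

MAC = r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ bluetoothd\[\d+\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"device (?P<mac>%s) connected" % MAC, re.I)
DISCONNECT_RE = re.compile(r"Device (?P<mac>%s) disconnected, reason (?P<reason>\d+)" % MAC, re.I)


def parse_events(text, year=2018):
    """Return (datetime, kind, mac, reason) tuples for every connect/disconnect line.

    Syslog timestamps carry no year, so the caller supplies it. Lines from other
    daemons, or bluetoothd lines that are not link events, are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        c = CONNECT_RE.search(msg)
        if c:
            events.append((ts, "connect", c.group("mac").upper(), None))
            continue
        d = DISCONNECT_RE.search(msg)
        if d:
            events.append((ts, "disconnect", d.group("mac").upper(), int(d.group("reason"))))
    return events


def away_window(start, end):
    """Build an (start, end) pair from 'YYYY-MM-DD HH:MM' strings."""
    fmt = "%Y-%m-%d %H:%M"
    return (datetime.strptime(start, fmt), datetime.strptime(end, fmt))


def analyse(events, known=KNOWN_DEVICES, away=()):
    """Return (datetime, description) findings worth a second look.

    Flags: an address other than the paired speaker, a link dropped by timeout or
    by the remote side rather than by the laptop, and any event inside an
    owner-away window.
    """
    findings = []
    for ts, kind, mac, reason in events:
        if mac not in known:
            findings.append((ts, "unknown device %s (%s)" % (mac, kind)))
        if kind == "disconnect" and reason in (1, 3):
            findings.append((ts, "%s dropped: %s" % (mac, DISCONNECT_REASON.get(reason, "?"))))
        if any(start <= ts <= end for start, end in away):
            findings.append((ts, "%s %s while owner away" % (mac, kind)))
    return findings


if __name__ == "__main__":
    # Usage: replace SAMPLE_SYSLOG with the output of `grep -i bluetoothd /var/log/syslog`.
    evs = parse_events(SAMPLE_SYSLOG)
    for ts, text in analyse(evs, away=[away_window("2018-04-17 00:00", "2018-04-17 07:00")]):
        print(ts.isoformat(sep=" "), text)
```

Without debug logging, stock bluetoothd on Ubuntu 17.10 logs very little about link state, which is exactly what the question observed; with `-d` the connect/disconnect lines above are the ones to look for, and a reason 2 disconnect (the laptop hung up) is the normal case when you stop playback, while reason 1 or 3 means the speaker or the radio link went away on its own. A third address showing up is the one finding that the answer's "only one host at a time" reasoning cannot explain as interference.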