Flipper Zero: How something as simple as Bluetooth can get you hacked…

Nowadays we all use Bluetooth on our devices. It lets us connect to smartwatches, the audio setup in our car, a headset at work, or even keyboards. And that’s where the trouble starts. Do you validate every single device you connect to, and disable Bluetooth once you disconnect your device? Probably not, right?!

When you think about this from the perspective of a bad actor, it opens up a lot of interesting opportunities. You no longer need physical access to a device to plug in your Flipper Zero with a cable; you only need to trick someone into connecting over Bluetooth.

Installation

First, you need to install the Xtreme firmware (also known as Flipper-XFW) on your Flipper Zero; you can find more than enough manuals for that online. The easiest way is to connect your Flipper Zero to your computer and browse to the installation website; the rest is straightforward.

For the next steps I also added a custom script called “RickRoll_CMD_Win”, consisting of the content below, saved as a text file and uploaded to the Flipper Zero:

REM Win+R opens the Run dialog on the target
GUI r
DELAY 1000
REM type the command into the dialog, then submit it
STRING curl http://ascii.live/rick
ENTER
DELAY 1000
REM ALT ENTER
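To review what a BadKB payload like the one above would actually do on a target before it ever touches a host, here is a small static analyser for this DuckyScript dialect. It is an added example, not part of the post or the Xtreme firmware; it assumes that “GUI r” opens the Windows Run dialog and treats REM lines as comments that never execute.

```python
# Static analyser for a BadKB/DuckyScript payload: walks the script, tracks the
# scripted delay and reports the keystrokes a target would receive.
from dataclasses import dataclass, field

# Constructed sample input: the RickRoll_CMD_Win payload shown in the post.
SAMPLE_PAYLOAD = """GUI r
DELAY 1000
STRING curl http://ascii.live/rick
ENTER
DELAY 1000
REM ALT ENTER
"""

MODIFIERS = {"GUI", "WINDOWS", "ALT", "CTRL", "CONTROL", "SHIFT"}
# Chords that open a command-entry surface (assumption: Win+R is the Run dialog).
LAUNCHERS = {("GUI", "r"), ("WINDOWS", "r")}

@dataclass
class Trace:
    events: list = field(default_factory=list)    # human-readable key events
    delay_ms: int = 0                             # total scripted sleep time
    typed: str = ""                               # text the target would receive
    findings: list = field(default_factory=list)  # reviewer warnings

def analyse(script: str) -> Trace:
    t = Trace()
    launcher_open = False  # True between "GUI r" and the ENTER that submits it
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):  # REM lines never execute
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "DELAY":
            t.delay_ms += int(arg)
        elif cmd == "STRING":
            t.typed += arg
            t.events.append(f"type {arg!r}")
            if launcher_open:
                t.findings.append(f"command typed into Run dialog: {arg!r}")
        elif cmd in MODIFIERS:
            t.events.append("press " + "+".join([cmd, *arg.split()]))
            launcher_open = (cmd, arg.lower()) in LAUNCHERS
        elif cmd == "ENTER":
            t.events.append("press ENTER")
            if launcher_open:
                t.findings.append("ENTER submits the Run dialog: the command executes")
                launcher_open = False
        else:
            t.events.append(f"press {cmd}")
    return t
```

Running it over the sample shows the commented-out ALT ENTER line is never sent, and flags the Run-dialog command execution a reviewer would want to see.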

Configuration

With the Xtreme firmware installed on your Flipper Zero, let’s open up the app:

The next step is opening up the payload for further configuration. The default screen looks like this:

By clicking on the left arrow, you go to the configuration. You can select “BT” under “Connection” to use BadKB over Bluetooth instead of via a USB cable. Furthermore, under “BT Device Name” you can tailor the name of the device to your specific use case. For now, I’m just using “BadDevice_Speaker”, but you should use a more realistic name if you want your red team engagement to succeed, of course.

Testing

The next step is to connect to your Flipper Zero BadKB to test if it works. When you set the config to use BT, it should show up on other devices:

When you connect your device to the Flipper Zero running BadKB, you will see the screen on your Flipper Zero change as well (the “Connect to a device” prompt is gone):

Now all you need to do is run the payload, and see what happens on screen:

Disclaimer

This post was written with Xtreme firmware version “XFW-0053_02022024” installed, so depending on when you read this, things might work differently on your Flipper Zero.

This post is for informational purposes only, and we are not liable for any loss or damage resulting from its use.

Also: don’t be a skiddie, or an a-hole, and stay vigilant!

UPDATE:

As of version 0.100.3 running BadUSB over Bluetooth is also available in the Flipper Zero official firmware.
