MAP Account Hijack: An In-depth Guide to a New, Unpatched Attack on Android and iOS

In a nutshell: mapAccountHijack is a tool that exploits the MAP account hijack attack over Bluetooth Classic.

Affected versions of iOS and Android are as follows:

  • Android devices vulnerable to 2-click MAP account takeover attack
  • Samsung S23 (Android 14, OneUI 6.1) allows sending an SMS
  • Google Pixel 8 (Unknown) has errors while trying to send an SMS message.
  • iOS 17.6.1 vulnerable to 1-click MAP account takeover attack (with certain conditions)
  • iOS 17.6.1 allows sending an SMS message

What is MAP (Message Access Profile)?


The Message Access Profile (MAP) specification defines the features and procedures that govern message exchange between devices. It was designed primarily for the hands-free use case in automobiles, where an onboard terminal (generally a car kit installed in the vehicle) uses the messaging features of a mobile phone. The profile also has other use cases wherever two devices need to exchange messages.

What does mapAccountHijack lead to?

  • After making a connection, the attacker attempts to pair with the victim’s smartphone. The attacker may need to spoof the device’s name or MAC address, though this is not always necessary.
  • After pairing, the attacker requests MAP authorization, which is not always required (this is the normal flow for car kits, speakers, and smartwatches).
  • Next, the tool either sends an SMS to an attacker-controlled phone number or analyses the metadata of received messages to obtain the victim’s phone number.
  • Using the phone number in an OSINT flow, the attacker automatically finds further useful information, such as email addresses or login names.
  • The attacker then triggers an SMS-based OTP for a service of interest.
  • The victim’s phone receives the SMS-based OTP.
  • The tool reads the OTP over MAP and forwards it to the attacker.
  • The attacker takes over the account.

What is the mapAccountHijack tool?

The tool mapAccountHijack was created to perform a MAP account hijack attack. It abuses Bluetooth Classic’s Message Access Profile (MAP) to steal MFA codes and OTPs, which allows accounts on services that rely on SMS OTPs for recovery or login to be hijacked. The tool can send and receive SMS messages and leak email addresses and phone numbers.

The attack is effective on the most recent versions of both Android and iOS smartphones (Samsung, Google Pixel, iPhone), and the tool is highly useful for red teaming, penetration testing, bug bounty hunting, and security research.

Furthermore, the tool exposes the victim’s phone number, either by forcing the victim’s smartphone to send an SMS to an attacker-controlled phone number or by extracting it from previously received SMS messages. It intercepts, steals, and forwards SMS messages and phone numbers. It can also serve as a proof of concept for Bluetooth Classic attacks or as one stage of an account hijacking chain.

Attack Effect on Android

Google is increasing security and fixing the issue. In general, Android devices are vulnerable to account takeover with just two clicks. When an attacker connects from a device that declares NoInputNoOutput I/O capabilities, the victim sees only the pairing prompts that mode produces, which are intended to make the attack appear unremarkable.

Attack Effects On iOS

As of the most recent iOS release, this bug is unfixed and will not be fixed. iOS devices are vulnerable only when another device is paired with the iPhone and holds the Notifications (MAP) permission. Under that condition the attack is a one-click account takeover, and the attack itself is simple.
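The condition described above (a linked device that also holds message access) is something an administrator can audit on their own side. The following script is an added example, not code from the original post or from the mapAccountHijack project: it parses the output of bluetoothctl info for each paired device on a BlueZ host and flags peers that advertise a MAP role, using the Bluetooth SIG assigned UUIDs for the Message Access Server (0x1132), Message Notification Server (0x1133) and MAP profile (0x1134). The sample bluetoothctl output is constructed, and the bluetoothctl devices Paired subcommand is assumed to be available (newer BlueZ; older releases use paired-devices).

```python
"""Audit paired Bluetooth peers for Message Access Profile (MAP) roles.

Added example, not code from the original post or from the mapAccountHijack
project. It parses `bluetoothctl info <MAC>` output for each paired device
and flags peers that advertise a MAP role, so an administrator can review
which devices hold message access on a BlueZ host. The sample blocks below
are constructed, not captured from real hardware.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Bluetooth SIG assigned 16-bit service class UUIDs for MAP, in 128-bit form.
MAP_UUIDS = {
    "00001132-0000-1000-8000-00805f9b34fb": "Message Access Server (MAS)",
    "00001133-0000-1000-8000-00805f9b34fb": "Message Notification Server (MNS)",
    "00001134-0000-1000-8000-00805f9b34fb": "Message Access Profile (MAP)",
}

# Matches a bluetoothctl line such as "UUID: Handsfree (0000111e-...-00805f9b34fb)".
UUID_RE = re.compile(r"UUID:\s*(.*?)\s*\(([0-9a-fA-F-]{36})\)")


@dataclass
class PairedDevice:
    address: str = ""
    name: str = ""
    paired: bool = False
    trusted: bool = False
    connected: bool = False
    map_roles: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        # The condition the post describes: a linked peer that also holds
        # message access. Trusted peers additionally reconnect without a prompt.
        return self.paired and bool(self.map_roles)


def parse_info(text: str) -> PairedDevice:
    """Parse one `bluetoothctl info` block into a PairedDevice."""
    dev = PairedDevice()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Device "):
            dev.address = line.split()[1]
        elif line.startswith("Name:"):
            dev.name = line.split(":", 1)[1].strip()
        elif line.startswith("Paired:"):
            dev.paired = line.endswith("yes")
        elif line.startswith("Trusted:"):
            dev.trusted = line.endswith("yes")
        elif line.startswith("Connected:"):
            dev.connected = line.endswith("yes")
        else:
            m = UUID_RE.search(line)
            if m and m.group(2).lower() in MAP_UUIDS:
                dev.map_roles.append(MAP_UUIDS[m.group(2).lower()])
    return dev


def audit(blocks):
    """Return the devices that are paired and advertise any MAP role."""
    return [d for d in map(parse_info, blocks) if d.risky]


def live_blocks():
    """Collect `bluetoothctl info` output for every paired device.

    Assumes BlueZ with the `devices Paired` subcommand; older releases use
    `paired-devices` instead. Raises FileNotFoundError if bluetoothctl is absent.
    """
    out = subprocess.run(["bluetoothctl", "devices", "Paired"],
                         capture_output=True, text=True, check=False).stdout
    addrs = [ln.split()[1] for ln in out.splitlines() if ln.startswith("Device ")]
    return [subprocess.run(["bluetoothctl", "info", a],
                           capture_output=True, text=True, check=False).stdout
            for a in addrs]


# Constructed sample output: a car kit with MAP roles and a plain headset.
SAMPLE_CAR_KIT = """Device AA:BB:CC:11:22:33 (public)
    Name: Demo Car Kit
    Alias: Demo Car Kit
    Paired: yes
    Trusted: yes
    Connected: no
    UUID: Handsfree                 (0000111e-0000-1000-8000-00805f9b34fb)
    UUID: Message Access Server     (00001132-0000-1000-8000-00805f9b34fb)
    UUID: Message Notification Server (00001133-0000-1000-8000-00805f9b34fb)
"""

SAMPLE_HEADSET = """Device DD:EE:FF:44:55:66 (public)
    Name: Demo Headset
    Paired: yes
    Trusted: no
    Connected: yes
    UUID: Handsfree                 (0000111e-0000-1000-8000-00805f9b34fb)
    UUID: Advanced Audio Distribution (0000110d-0000-1000-8000-00805f9b34fb)
"""

if __name__ == "__main__":
    try:
        blocks = live_blocks()
    except FileNotFoundError:
        blocks = [SAMPLE_CAR_KIT, SAMPLE_HEADSET]  # no bluetoothctl: use samples
    for d in audit(blocks):
        print(f"{d.address} {d.name!r} trusted={d.trusted} roles={d.map_roles}")
```

Run it on a BlueZ host to list which paired peers can read or be notified of messages; on the constructed samples only the car kit is reported. Any peer in that list that is not a device you deliberately granted message access should have its pairing removed.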

A Short Guide to the Tool

Use the following commands to install:

  • sudo apt-get install python3-venv
  • git clone https://github.com/sgxgsx/mapAccountHijack.git
  • cd mapAccountHijack
  • python3 -m venv .venv
  • source .venv/bin/activate
  • chmod +x install.sh
  • sudo ./install.sh

Modify the settings for /usr/lib/systemd/system/bluetooth.service:

sudo vim /usr/lib/systemd/system/bluetooth.service

and add --compat to the ExecStart line:

ExecStart=/usr/libexec/bluetooth/bluetoothd --compat

Restart bluetoothd and reset the adapter:

sudo service bluetooth stop
sudo systemctl daemon-reload
sudo service bluetooth start
sudo hciconfig -a hci0 reset

Usage Manual

Prior to use, activate the tool’s virtual environment:

source ${tool_installation_path}/.venv/bin/activate

To see the help information, run the following command:

python3 mapAccountHijack.py --help

Output:

usage: mapAccountHijack.py [-h] --address ADDRESS --dest-dir DEST_DIR
                           [--phone-number PHONE_NUMBER]
                           [--sms-content SMS_CONTENT] [--backend BACKEND]

Map Account Hijack

options:
  -h, --help            show this help message and exit
  --address ADDRESS     MAC address of the target device
  --dest-dir DEST_DIR   Destination directory, local, required
  --phone-number PHONE_NUMBER
                        Phone number. If provided an SMS message will be sent to leak the phone number of a victim
  --sms-content SMS_CONTENT
                        SMS content, reserved for future functionality
  --backend BACKEND     Backend URL to relay information, if not provided the relay will not happen
