Data Leak Prevention via Bluetooth Speaker
DLPwn is a Red Team tool designed for file exfiltration that bypasses security systems such as EDR (Endpoint Detection and Response), XDR (Extended Detection and Response) and DLP (Data Loss Prevention), and, more broadly, crosses air-gapped information systems. It uses Bluetooth audio transmission to encode arbitrary files into FLAC audio signals, transmit them, and decode them on the other end, exploiting the fact that audio is usually far less controlled than network traffic or file activity.
DLPwn operates in three main steps:
- Encode: Transforms a binary file into a modulated audio signal.
- Catch: Captures the transmitted audio signal via Bluetooth.
- Decode: Reconstructs the original file from the captured signal.
This approach allows exfiltration of sensitive data without triggering alerts from security systems that monitor network connections, disk writes, or suspicious processes.
DLPwn uses an audio transmission protocol based on:
- FSK Modulation (Frequency Shift Keying): Continuous-phase frequency shift keying (CPFSK). By default, 8-FSK with 8 tones (900 Hz to 5100 Hz), allowing 3 bits per symbol at 1500 symbols/second, for an effective bitrate of 4500 bits/second.
- Reed-Solomon Error Correction: Adds 32 parity bytes per 223-byte block, allowing correction of up to 16 errors per block.
- CRC-32 Checksum: Integrity verification of payloads.
- Frame Structure:
  - Preamble (3 seconds of alternating bits) for synchronization.
  - Sync word (8 bytes = 64 bits).
  - RS-encoded payload.
  - Postamble (1 second of alternating bits) to avoid Bluetooth cutoffs.
Each file is fragmented into frames of up to 212 bytes, with a metadata frame containing the filename.
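The protocol parameters above also tell a defender what such a transmission looks like on an audio path (a monitored microphone, a captured Bluetooth A2DP stream). The following detector is an added example, not code from DLPwn or its authors: it scores a mono PCM buffer on three signal statistics that follow from the parameters listed above, namely a near-constant envelope (CPFSK carries no amplitude modulation), energy concentrated in the 900 to 5100 Hz tone band, and energy spread across that whole band rather than sitting on a single tone (1500-baud hopping smears each tone by roughly the symbol rate). The 24 kHz sample rate, every threshold, and the three synthetic signals (random-symbol CPFSK, a speech-like harmonic stack, a steady tone) are assumptions and constructed test data, not captures of the tool; it needs only the Python standard library.

```python
"""Heuristic detector for constant-envelope FSK modem audio (DLPwn-style
8-FSK, 900-5100 Hz, 1500 baud) in a mono PCM buffer. Pure Python, no numpy.
Added example; thresholds and test signals are assumptions, not tool output."""
import cmath
import math
import random

SAMPLE_RATE = 24000                         # Hz; assumed capture rate
TONES = [900 + 600 * k for k in range(8)]   # 8-FSK grid from the README
BAUD = 1500                                 # symbols/s from the README
FFT_SIZE = 1024
RMS_FRAME = SAMPLE_RATE // 100              # 10 ms envelope frames


def _fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = _fft(x[0::2]), _fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def envelope_cv(samples, frame=RMS_FRAME):
    """Coefficient of variation (std/mean) of per-frame RMS. CPFSK is
    constant-envelope, so this sits near 0; speech and music do not."""
    rms = []
    for i in range(0, len(samples) - frame + 1, frame):
        chunk = samples[i:i + frame]
        rms.append(math.sqrt(sum(s * s for s in chunk) / frame))
    mean = sum(rms) / len(rms)
    if mean == 0.0:                         # silence: no envelope to judge
        return float("inf")
    var = sum((r - mean) ** 2 for r in rms) / len(rms)
    return math.sqrt(var) / mean


def average_spectrum(samples, n=FFT_SIZE):
    """Hann-windowed power spectrum averaged over non-overlapping blocks."""
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / n) for i in range(n)]
    acc = [0.0] * (n // 2)
    blocks = 0
    for i in range(0, len(samples) - n + 1, n):
        spec = _fft([samples[i + j] * window[j] for j in range(n)])
        for b in range(n // 2):
            acc[b] += abs(spec[b]) ** 2
        blocks += 1
    return [a / blocks for a in acc]


def band_features(spectrum, f_lo, f_hi, fs=SAMPLE_RATE, n=FFT_SIZE):
    """Return (fraction of total power inside [f_lo, f_hi], fraction of
    in-band bins carrying at least 5% of the in-band peak)."""
    lo, hi = int(f_lo * n / fs), int(f_hi * n / fs)
    total = sum(spectrum)
    band = spectrum[lo:hi + 1]
    if total == 0.0:
        return 0.0, 0.0
    peak = max(band)
    occupied = sum(1 for p in band if p >= 0.05 * peak)
    return sum(band) / total, occupied / len(band)


def looks_like_fsk_modem(samples):
    """Flag audio that is (1) constant-envelope, (2) concentrated in the tone
    band plus half a tone spacing of guard on each side, and (3) spread across
    that whole band rather than parked on one tone (a steady test tone passes
    (1) and (2) but fails (3)). Thresholds are assumptions; tune on captures."""
    spacing = TONES[1] - TONES[0]
    cv = envelope_cv(samples)
    spec = average_spectrum(samples)
    ratio, occupancy = band_features(spec, TONES[0] - spacing / 2,
                                     TONES[-1] + spacing / 2)
    return cv < 0.1 and ratio > 0.6 and occupancy > 0.4


# --- constructed test signals (synthetic, not captures from the tool) ---

def synth_cpfsk(seconds=1.0, seed=1):
    """Unit-amplitude continuous-phase 8-FSK carrying pseudo-random symbols."""
    rng = random.Random(seed)
    sps = SAMPLE_RATE // BAUD               # 16 samples per symbol at 24 kHz
    out, phase = [], 0.0
    for _ in range(int(seconds * BAUD)):
        step = 2 * math.pi * TONES[rng.randrange(len(TONES))] / SAMPLE_RATE
        for _ in range(sps):
            out.append(math.sin(phase))
            phase += step                   # phase carries across symbols
    return out


def synth_voiced(seconds=1.0):
    """Speech-like decoy: 120 Hz harmonic stack under a 4 Hz syllable envelope."""
    out = []
    for i in range(int(seconds * SAMPLE_RATE)):
        t = i / SAMPLE_RATE
        env = 0.5 + 0.5 * math.sin(2 * math.pi * 4 * t)
        out.append(env * sum(math.sin(2 * math.pi * 120 * k * t) / k
                             for k in range(1, 41)))
    return out


def synth_tone(freq=1000.0, seconds=1.0):
    """Steady in-band sine (hold tone or test tone decoy)."""
    return [math.sin(2 * math.pi * freq * i / SAMPLE_RATE)
            for i in range(int(seconds * SAMPLE_RATE))]


if __name__ == "__main__":
    for name, sig in [("cpfsk", synth_cpfsk()), ("voiced", synth_voiced()),
                      ("tone", synth_tone())]:
        print(name, looks_like_fsk_modem(sig))
```

Feed `looks_like_fsk_modem` one-second windows of float samples in [-1, 1] from whatever audio path you monitor. The envelope test is the one most sensitive to the real channel: the Bluetooth SBC codec, automatic gain control and room acoustics all add amplitude variation, so measure the three statistics on genuine captures before fixing thresholds, and treat a hit as one signal to correlate with process and device telemetry rather than a verdict on its own.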
DLPwn includes a QoS metrics system to evaluate transmission quality:
- Frame Loss Rate: Percentage of lost or uncorrectable frames.
- Correction Rate: Frames corrected by Reed-Solomon.
- BER (Bit Error Rate): Estimated bit error rate.
- Detailed Report: Comprehensive statistics on errors, corrections, and losses.
This allows optimization of transmission parameters (baud rate, number of tones) based on audio conditions.
```
pip install -r requirements.txt
```
```
python main.py encode myfile.bin --output transmission.flac
```
Play the FLAC on a Bluetooth speaker, then capture on another machine:
```
python main.py bluetooth --filename capture.flac
```
Note: Bluetooth Configuration (Linux only)
The bluetooth command only works on Linux systems using PulseAudio or PipeWire for Bluetooth audio capture. For the PC to be recognized as a Bluetooth headset by the source device:
- Install `bluetoothctl` if necessary:
  ```
  sudo apt install bluez-tools
  ```
- Launch `bluetoothctl` and configure the ClassID to mimic an audio headset:
  ```
  bluetoothctl
  > power on
  > discoverable on
  > pairable on
  > class 0x240404   # Class for stereo audio headset
  > quit
  ```
This allows the source device (phone, PC) to connect to the PC as a Bluetooth headset, enabling audio capture via PulseAudio.
```
python main.py decode --input capture.flac --output recovered.bin
```
Or for live capture:
```
python main.py decode --loopback --duration 35 --output recovered.bin
```
To play, capture, and decode in one command:
```
python main.py stream transmission.flac --output recovered.bin
```
Options:
- `--baud`: Symbol rate (default 1500).
- `--m`: Number of FSK tones (2, 4, or 8).
- `--rs-nsym`: RS parity bytes (default 32).
- `--f0`, `--f1`: Base frequencies.
To analyze a transmission file:
```
python diagnose.py transmission.flac
```
In a Red Team scenario, DLPwn allows:
- Exfiltration of data without network connection.
- Bypassing DLPs that block uploads.
- Evasion of EDRs that monitor network processes.
- Transmission via unsupervised audio channels.
Warning: Use only in authorized environments. Audio transmission can be detected by surrounding cameras or microphones.
Dependencies:
- numpy, scipy, soundfile, sounddevice, reedsolo, tqdm

Authors:
- Noé Susset
- Yassine Damiri