
Headsets Hijacking

Kevin Finisterre, 2005

The Car Whisperer attack also affects hands-free headsets since, like in-car hands-free kits, they carry the same weakness: a default Bluetooth security code (PIN). Any attacker could pair with the headset and reach its audio functions:

  • Capture the audio picked up by the device's microphone.

  • Inject audio that is played through the earpiece.

On some vulnerable models it is even possible to cut off an ongoing phone call and inject audio, to the user's surprise.


Headset Attack Demo At SANS NS2007 Las Vegas

Monday, October 8, 2007

At the SANS NS2007 conference in Las Vegas last week I demonstrated a live attack against a Bluetooth headset. With the headset worn by Ed Skoudis (thanks Ed!), I was able to inject audio into the headset and record everything the wearer said.


The screenshot above is a sample from the GNURadio usrp-oscope tool in the gr-utils package. In order to demodulate Bluetooth using the gr-bluetooth stack, it is necessary to identify the correct gain to use, where the Bluetooth signal appears similar to that shown in this image. Note the use of the letter “G” following 2.432 for center frequency.


I’ve done limited testing with different headsets, but I have been successful against all targets, including headsets from JawBone, Motorola and Jabra. The JawBone headset is interesting in that it accepts pairing requests even when it is not in discoverable mode, making it the easiest to attack. Motorola and Jabra do not accept pairing from unknown addresses unless they are in discoverable mode, but they do accept pairing from a device that they have previously paired with, even if the link key is incorrect for the session. This allows an attacker to impersonate the BD_ADDR of the phone before attempting to connect to the headset to get around this design characteristic. Currently, gr-bluetooth does not attempt to recover the BD_ADDR of the slave (the phone), so this is largely a theoretical attack until I get around to adding that functionality to gr-bluetooth.
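As an added illustration (not code from the post, gr-bluetooth or BTScanner), the following Python models the two acceptance behaviours described above beside a strict policy in which a known address must still present the stored link key; the addresses and keys are constructed values.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Policy(Enum):
    OPEN = "open"              # pairs at any time, even when not discoverable
    TRUST_ADDRESS = "address"  # unknown peers only while discoverable; a known
                               # BD_ADDR is accepted without checking its link key
    STRICT = "strict"          # unknown peers only while discoverable; a known
                               # BD_ADDR must present the stored link key


@dataclass
class Headset:
    policy: Policy
    discoverable: bool = False
    link_keys: Dict[str, bytes] = field(default_factory=dict)  # BD_ADDR -> link key

    def accepts(self, bd_addr: str, link_key: Optional[bytes]) -> bool:
        """Decide whether a connection attempt from bd_addr is accepted."""
        known = bd_addr in self.link_keys
        if self.policy is Policy.OPEN:
            return True
        if self.policy is Policy.TRUST_ADDRESS:
            return known or self.discoverable
        if known:  # Policy.STRICT: the address alone proves nothing
            return hmac.compare_digest(self.link_keys[bd_addr], link_key or b"")
        return self.discoverable


PHONE = "00:11:22:33:44:55"   # constructed BD_ADDR of the legitimately paired phone
PHONE_KEY = bytes(range(16))  # constructed 16-byte link key from the real pairing
WRONG_KEY = bytes(16)         # a peer presenting the phone's address without its key


def evaluate(policy: Policy, discoverable: bool = False) -> Dict[str, bool]:
    """Outcome of three attempts against a headset paired only with PHONE."""
    hs = Headset(policy, discoverable, {PHONE: PHONE_KEY})
    return {
        "unknown_peer": hs.accepts("66:77:88:99:AA:BB", None),
        "phone_right_key": hs.accepts(PHONE, PHONE_KEY),
        "phone_wrong_key": hs.accepts(PHONE, WRONG_KEY),
    }


if __name__ == "__main__":
    for pol in Policy:
        print(pol.value, evaluate(pol))
```

Only the strict policy rejects a peer that knows the phone's address but not its link key, which is the design characteristic the post relies on.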


The demo was probably the most complex I’ve done before, but thankfully it all worked out. I’ve posted some resources on this page. Thanks to everyone who came out!


Presentation Materials

  1. Presentation; in PDF format, with notes

  2. Injected audio file I played into the headset (converted to MP3 format)


Software/Files

  1. Linux BTScanner source

  2. Patch I wrote for BTScanner to brute-force the BD_ADDR from LAP

  3. List of valid OUIs for Bluetooth devices from the BNAP, BNAP project

  4. gr-bluetooth GNURadio software written by Dominic Spill

  5. GNURadio project home page


Hardware

  1. Universal Software Radio Peripheral; I used the RFX2400 daughter card

  2. Modified Linksys USBBT100 dongle for external antenna connector

  3. N-connector pigtail soldered onto USBBT100; I cut off the MMCX connector and soldered onto USBBT100, instructions are here

  4. Panel directional antenna connected to USBBT100

  5. Random array of other dongles used for BTScanner to discover undiscoverable headset

  6. Target: JawBone headset
