As more and more states pass legislation prohibiting the use of cellphones in cars, many users are turning to Bluetooth headsets like this one to go hands-free in their cars.
What many consumers do not know is that Bluetooth technology can be exploited allowing a remote attacker to capture the Bluetooth conversation including injecting arbitrary audio into the Bluetooth headset.
My name is Joshua Wright. I am going to demonstrate an attack where we can remotely capture and inject audio on a Bluetooth headset.
A lot of people believe that Bluetooth technology is limited to short range, only 10 meters. Unfortunately, that is not true. Bluetooth technology can be extended to well over a mile when equipped with the appropriate equipment.
What I have done here is taken a standard Bluetooth dongle and modified it to connect to an external antenna. I am using a 9 dBi gain patch directional antenna, which I am going to point at the Starbucks behind me.
In order to stay inconspicuous, I have placed the antenna and my laptop in my bag here, pointed from my hip to the store behind me. I am going to control it remotely, using my Nokia 770 handheld over a wireless connection. This gives me the ability to do the attack while still looking like I have got a reason to be standing here.
I am using a standard Linux workstation, and you can see I have configured my Bluetooth stack with a default PIN value of “0000”. This matches the default PIN used on most Bluetooth headset devices. I also have a Bluetooth dongle connected to my laptop, and if we take a look at the class information, we can see that by default it is characterized as part of the computer class.
We are going to change this information so that any remote device thinks that we are actually a Bluetooth phone. So I change the class information to reflect that I am actually a cellular phone instead of a computer device. This is important because many Bluetooth headsets would reject connections from anything other than Bluetooth phone devices.
In order to mount the attack, I am going to use the Car Whisperer tool. Now, I am not actually sniffing on an active Bluetooth conversation; instead, I am going to connect to the Bluetooth headset when it is not in an active call, and I am going to use a microphone to record any audio that is within range of the pickup of that microphone, including anything that is spoken by the person wearing the headset.
I can also optionally inject arbitrary audio into the headset as well. I am going to run the Car Whisperer tool, specifying my Bluetooth interface. Here is the file that I am going to play for that person. I am going to save the contents in another file, and here is the BD_ADDR of the device that I am targeting.
Now I have connected to the remote system, and I am recording and injecting audio into the Bluetooth headset device.
(Demonstration)
It just goes to show that you cannot trust the security of a Bluetooth headset when the only authentication requirement is a fixed PIN value of “0000”. This allows a remote attacker to eavesdrop on your Bluetooth conversation and inject arbitrary audio into the headset.
If you have enjoyed this segment, I encourage you to check out my wireless security class with this institute. My name is Joshua Wright, thanks for viewing.
Transcription by:
Scribe4you Transcription Services