Hardware Hacking

Injecting Audio Into Insecure Bluetooth Handsets 222

Posted by CmdrTaco
from the thats-just-scary-stuff dept.
vandon writes "Linux hackers have demonstrated a way to inject or record audio signals from passing cars running insecure Bluetooth hands-free units. The Trifinite group showed how hackers could eavesdrop on passing motorists using a directional antenna and a Linux Laptop running a tool it has developed called Car Whisperer."
  • I wonder how many government officials in DC using unsecured headsets will be caught off-guard by this?
    • Re:Top secret info (Score:3, Interesting)

      by stecoop (759508) *
      Zero.

      Your title says Top Secret info; anyone that has that kind of clearance knows that you can't talk on an unsecured line in an unsecured environment. If you mean getting caught talking nasty to your intern on a cell phone then all bets are off.
      • If you mean getting caught talking nasty to your intern on a cell phone then all bets are off.

        Thank god you saw the hidden meaning :P
      • Re:Top secret info (Score:5, Insightful)

        by Doc Ruby (173196) on Wednesday August 03, 2005 @11:44AM (#13230913) Homepage Journal
        Yes, of course everyone with Top Secret clearance is absolutely discreet with the info they handle [google.com].

        Everyone knows that "government employee" == "perfectly competent".
        • Do you think a simple government employee will risk 20 years in bang me in the a$$ federal prison talking to a girlfriend about this cool laser they're working on that happens to be attached to a shark?

          No, if there is a leak, odds are it is a way to flush out moles or some covert attempt to see where the information is going and how the public reacts to it (aka more money for some security agency).
          • If you base your sensibility of government secret keeping on movies, maybe you're right. But in reality, government secret keepers breach protocol all the time. As you'd see if you looked at any of the links I pointed to in my post. Karl Rove's disclosure/confirmation of Valerie Plame's secret CIA/WMD agent status was not made to a reporter over a secure line. Whoever gave Rove the info did not stick to security protocols. If you're paying attention, you know that government security leaks are often, if not
            • I think you typed the reply fast. Are you saying that the government is conspiring against itself or that the security agencies unwarrantedly and illegally monitor communication channels? (Yes, I can read it, but I am trying to get your core message.)

              Either way, when you talk about high-ranking politicians, there are different rules to play by - their mistakes are cover-ups. As for some goofy schmuck getting caught releasing government secrets via a Bluetooth line, that is someone you'll never hear about again.
              • I reread my post, and I don't see what's confusing or unclear. "The government" isn't a single entity. It's lots of people, some more sync'ed with each other than are others. Competition, to some degree, is built into most parts of it. So leaks, and "fake leaks" (disinformation) are used all the time to accomplish political goals. That's how "the government is conspiring against itself". One very serious recent example is the Senate Republicans on the Judiciary committee spying on the Senate Judiciary Democ
    • ...and then Congress will pass a knee-jerk law banning Bluetooth.
    • Notice, The Car Whisperer has been declared a Terrorist tool. Anyone found to be downloading, using or reading about the Car Whisperer will be prosecuted for the commission of Terrorist Acts.
    • According to a buddy I have who works for DISA, the spooks have been able to remotely monitor secured Bluetooth headsets via a PCMCIA device in a laptop that decrypts the conversation in real time for quite a while.
  • by flatface (611167) <flatface @ g m a i l.com> on Wednesday August 03, 2005 @10:31AM (#13230312)
    "Yes we all can."
  • It is, after all, a device using homebrew crypto.

    If they had a proper AES-CCM or GCM core in there the channel would not only be private but authenticated.

    Instead they opt for some homebrew crypto design that amazingly enough is not secure.

    Tom
    • Re:cool but also meh (Score:4, Informative)

      by POPE Mad Mitch (73632) on Wednesday August 03, 2005 @11:04AM (#13230560) Homepage
      This is not a weakness in the protocol or the crypto used. It's about manufacturers cutting corners.

      This works on devices which do not need to be put into a special mode to be paired, and which are using a fixed same-for-every-unit pairing password.

      This software just requests a pairing with every handsfree device it sees, and tries the standard password. If the device had bothered to need physical confirmation for pairing (like any decent headset) or used a random printed-on-the-box password then this wouldn't be happening.

      This also isn't about just listening in on other people's phone conversations, it's about listening to ANY conversation, as once you have paired with the device, if it is for example an in-car hands-free device, you can turn on the microphone and listen to anything said in the car cabin.
    • This particular tool relies on guessed or known keys, so the crypto and a more associative scheme don't make any difference (in this case).

  • Record music! And these unsuspecting drivers could run afoul of the RIAA while the pirates who illegally recorded the Intellectual Property would get away scot free!

    Madness I tells ya!

  • by up2ng (110551)
    Standing on an overpass speaking to a passing car, "Hey you! Look out for that tree" or "Kent, this is God, stop touching that!"

    Childhood stuff never gets old
    • Standing on an overpass speaking to a passing car, "Hey you! Look out for that tree" or "Kent, this is God, stop touching that!"

      You know, that joke isn't new: I remember reading about a bunch of kids in Europe who went on an overpass with a small FM transmitter, tuned it to the local "highway traffic info" channel (above 107.0 FM or something) and started reporting a "major accident, extreme caution advised at mile marker such-and-such, you're required to slow down immediately" etc etc... in order to cause
    • Instead of a joke, you can comment on the driving of that person -- "If you want to sightsee, get off the damn road!" Or "If you want to talk on the phone and drive, make sure that you have a functioning synapse."
      • I admit it, I'm confused/amused by the fact that your username is a url, and yet isn't the same as the webpage you choose to list below your name. Good for you.
  • by Zweideutig (900045)
    Have proper encryption between handset and the transmitter/receiver. This may make handsets more expensive, as a small computer in both the headset and the transmitter/receiver unit would be required, but it should eliminate this problem.
    • You're kidding right? Crypto can be done in hardware as well....

      Disclaimer: I work for soft-core crypto company ;-)

      Granted, an embedded ARM could do crypto too; an embedded GCM core could do it with less power/area usage.

      And since you only need kbps, not Gbps, the clock rate is very low, reducing the area, etc...

      Tom
      • by karnal (22275) on Wednesday August 03, 2005 @11:19AM (#13230664)
        Disclaimer: I work for soft-core crypto company ;-)

        So does that mean you work for the "Spice Channel" of the Crypto industry??? :)
      • This may make handsets more expensive, as a small computer in both the headset and the transmitter/receiver unit would be required, but it should eliminate this problem.

        You're kidding right? Crypto can be done in hardware as well....(snip)..an embedded ARM could do crypto too, an embedded GCM core could

        You realize that both of your counter-examples actually are small computers right?
  • Simple Fix (Score:2, Funny)

    by mekkab (133181)
    make Linux illegal.

    Whats the problem? I expect a bill to be passed in the next year.
  • Car Whisperer
    The carwhisperer project intends to sensitize manufacturers of carkits and other Bluetooth appliances without display and keyboard to the possible security threat evolving from the use of standard passkeys.
    A Bluetooth passkey is used within the pairing process that takes place, when two Bluetooth enabled devices connect for the first time. Besides other public data, the passkey is a secret parameter used in the process that generates and exchanges the so-called link key. In Bluetooth communi
  • by Se7enLC (714730) on Wednesday August 03, 2005 @10:38AM (#13230360) Homepage Journal
    Thank you to the fine people of trifinite.org for not listing off which handsfree devices they found to be secure and which they found to be insecure. Now I guess we'll all just have to wait until we're hacked to find out if we bought the right one.

    These guys seem to be pretending to be doing it for the good of the industry, but their site seems to list a lot of Bluetooth Hacks & Attacks [trifinite.org]. And they didn't seem to have made any effort to contact vendors to get the problem corrected, either.
    • I've seen a demo of these guys "hacking" Bluetooth cellular phones at the LinuxTag. Somebody asked which cellular phones are safe. The answer was "Siemens" (unfortunately they don't produce cellular phones any more). Nokia should also be ok. Sony Ericsson are the worst in security (if I remember correctly).
      • The Siemens brand will be used by BenQ for the next 5 years, much like Lenovo and IBM. SE has BT turned off by default. How can that be poor security?
      • I doubt they used this attack against mobile phones as it's completely useless against them.

        AFAIK most other attacks depend on "bloopers" in the Bluetooth spec. which allow you to pull data from the phone without authenticating. (It's fundamentally a problem that AFAIK no mobile phones have implemented a proper security manager, all just use the static "all on or all off" security which is mandatory.)

        I would imagine that SE phones are "more vulnerable" since they actually implement a lot of Bluetooth profile
    • If the problem is with the standard, how else should they proceed? It isn't specific to one manufacturer - the industry has learned NOTHING from the 802.11 mess (WEP, etc), and keeps making CRAP

      ostiguy
    • by Technician (215283) on Wednesday August 03, 2005 @01:01PM (#13231727)
      Now I guess we'll all just have to wait until we're hacked to find out if we bought the right one.

      Finish reading the article. Does your device allow you to enter your own passkey? Does your device allow you to reject connection attempts? If your device has no user interface, then it probably is vulnerable.
    • by ezzzD55J (697465) <slashdot5@scum.org> on Wednesday August 03, 2005 @01:28PM (#13231966) Homepage
      These guys seem to be pretending to be doing it for the good of the industry, but their site seems to list a lot of Bluetooth Hacks & Attacks. And they didn't seem to have made any effort to contact vendors to get the problem corrected, either.

      Don't be too tough on them. I saw their demo at WhatTheHack [whatthehack.org] last weekend. After the session I asked which brand to buy for security, and the reply was that Nokia had done a good job of making up for their mess. Also their story at the time was that they test a lot of bluetooth stuff for the industry, working with the industry to find holes before phones go to market (not quite sure of the timing, but I am sure that they cooperate).

    • And they didn't seem to have made any effort to contact vendors to get the problem corrected, either.

      It takes a lot more than one person's website to make a company change a technology that they have spent millions of dollars of R&D and marketing on. Perhaps thousands of customer complaints or a prominent news article. Not saying what they are doing is right (or wrong), but realistically the burden of resolution lies with the company itself if they wish to take action.
  • Acura TL (Score:3, Funny)

    by dcarey (321183) on Wednesday August 03, 2005 @10:39AM (#13230371) Homepage
    I've got an Acura TL. Bluetooth in it, of course. So how does one secure a built-in Bluetooth system? Take it to my dealer for a virus scan? Drive around a local university trolling for pseudohackers? Bust into the OS, whatever it's running, and slap some Linux distro on it (well, the car won't run in that case, but hey, it's certainly a functional $35,000 Linux box!)
    • Re:Acura TL (Score:3, Informative)

      by Not_Wiggins (686627)
      The Acura TL (at least, the 2005 model) has a security feature that disables Bluetooth until you want it enabled by speaking the 4-digit code at car start-up. Most drivers have it turned off because it is a pain to enable it every time you start the car... but if you're that paranoid about someone hacking the Bluetooth on your car when you're *not* using it, this feature is easily disabled. Check the HandsFreeLink section of your owner's manual.
      • I have paired a phone, but I did not know about the disabling feature. Seeing as I have to enable the phone to be discoverable anyway by pressing a couple of buttons when I enter the car (after a minute of no communication from the car, the phone turns the Bluetooth off), it would not be a pain for me to use the enable/disable step you mentioned. Better safe than sorry -- and thanks for the tip!
  • by blueZ3 (744446) on Wednesday August 03, 2005 @10:41AM (#13230392) Homepage
    some yuppie soccer mom discussing her kid's brilliant school career with grandma.

    Count me out on the "eavesdropping on car phone conversations," thanks. :o)
  • butt set (Score:3, Funny)

    by vinn (4370) on Wednesday August 03, 2005 @10:46AM (#13230430) Homepage Journal
    When it comes to eavesdropping, I prefer my method of butt sets on 66 blocks. It doesn't require as much thought.
  • From what I understand of the article, your Bluetooth device must be explicitly set to the pairing/discoverable mode. This is not on by default.

    On my Jabra BT800 headset, I have to push a recessed button to bring the device to this mode. After the headset is paired, it is no longer discoverable, nor does it accept pairings from other devices.

    • Yes, while this is true of Jabra headsets, it might not be true of the Crapposan you bought from Taiwan off eBay.

      I guess there must be some headsets out there that are always in a state ready to be paired, or this attack would never work.
      • Well I'm wondering if it ever does work. As timgoh0 says, you have to put the device into pairing mode. I work in telecoms, and I've never seen a BT handsfree that didn't have to be expressly put into pairing mode. Since BT is supported by a small number of bought-in chips, it seems unlikely that even a Crapposan Mk13 would differ from this behaviour. Secondly, pairing is what it says - it joins a pair of devices. Normally a BT handsfree will only support one handset at a time, and the cheap ones will only
    • I have a Jabra BT200 and will do some experiments with it someday.
      Anyway, yesterday as I was sitting on a bus on the way home from drumming school, I disconnected my phone from the BT200 so that I could do a scan for other devices and I found another phone (named "Hayat", no idea what that stands for). I tried to connect to it loads of times with passkey 0000, and most of the time it just said Bluetooth connection error. Once though it was passkey mismatch, so I guess the phone asked the guy the passkey. wh
  • I used to do this with cordless telephones (the kind that plugs into your landline). They ran unencrypted on the 43-46 MHz and 900 MHz bands for years.

    Lets just say I got to know my neighbors very well.

    (If you have a cordless phone and are wondering if it's secure, make sure it has "spread spectrum" technology.)
  • It'd be a lot more convenient if they could hear my shouts of "it's the passing lane, not the fast lane!" and "use your d@mn turn signals!"

    Better driving through feedback!
    • I'm with you 100% on that. Living in South Florida I get to see the crème de la crème of automobile operation every day. Right turns from the left hand lane, left turns from the right hand lane are a daily occurrence. If I'm extra lucky they _might_ use their turn signal first. People swerving from lane to lane as they talk on their cell phones, eating breakfast whilst doing their makeup.

      A friend told me a story from when he was a truck driver. He was in the middle of three lanes waiting at a
  • by Kainaw (676073) on Wednesday August 03, 2005 @10:58AM (#13230509) Homepage Journal
    I would like this if it was more than just cars. I'd like to sit outside WalMart and force audio into all the idiots walking around with their Bluetooth cell phone earbuds permanently stuck in their ear.
    • Broadcast Ping (Score:2, Interesting)

      by woodsrunner (746751)
      That would be fun! I am sure WalMart would like that power to direct their shoppers to the latest thing they are trying to flog.

      I have always wanted a way to do a broadcast ping of all the local cellphones to get them all to ring at once. I bet theatres would like a device that could do this in order to get patrons to turn off their ringers before shows start.
    • You just sold me on buying one just to wear at WalMart.

      Just so I can piss you off further.

      But seriously, why does this upset you? I know I've seen people with the earpiece in, and while I think it's a little silly - especially since they're not on a call, it's just an earpiece.

      • But seriously, why does this upset you?

        I never said it upset me in any way. I just like abusing idiots. It is the same reason that I go around the office at night after everyone leaves and mess with their computers if they leave them both turned on and logged in until the next morning. I need to rewrite an old Win95 program that made the icons move away from the mouse, so you have to trap them in the corner to click on them. Replacing desktops with screenshots of their desktop is getting old.
  • Not only will we now see adverts along the freeway, but now the advertisers will be able to play audio jingles or just some subliminal sounds like a soft drink can being opened and the drink fizzing while it's being poured into the glass.

    Although, there could be practical applications. There were some conceptual projects where cars were able to determine the location of each other using RF communications. The idea of this was to prevent crashes during times of restricted visibility (fog, blizzards). And hav
  • Exactly why does the headline mention Linux? This project could have been done on any operating system. It makes as much sense to mention Linux here as it does the model of keyboard they were using to type.

    / note to zealot moderators: this is as much a COMPLIMENT to linux as anything else.

  • Good (Score:3, Funny)

    by wickedj (652189) on Wednesday August 03, 2005 @12:02PM (#13231103) Homepage
    Maybe then we can inject comments like these to drivers:

    "Get off the phone and drive!"
    "Pay attention!"
    or my favorite
    "Put down the beer!"
    • Nice!

      Might also be fun to find a Bluetooth user with a fish sticker and inject comments like:

      "Satan wants you to go to church"
      "Gospel rock demeans both the gospel and rock"
  • That phone sex is out.
  • MITCH (V.O.): I'm talking to you, Kent.
    KENT: What?
    MITCH (V.O.): I said I'm talking to you.
    KENT (shaking his head, violently): No!
    MITCH (V.O.): Yes.
    KENT (slapping himself): I'm not asleep. I must be overworked.
    MITCH (V.O.): You're not overworked, Kent.
    KENT: Well, I'm not insane!
    Silence.
    KENT (CONT'D): Am I?
    INT. CHRIS AND MITCH'S ROOM
    MITCH: That remains to be seen, Kent. But we are having a conversation.
    INT. KENT'S ROOM
    KENT: I have to metabolize this. Um... who is this?
    MITCH (V.O.
  • These guys showed this at WhatTheHack - a conference in The Netherlands [whatthehack.org] last Friday.

    I made some pics of the demo, starting with this one:
    http://geektechnique.org/gallery/wth2005/DSC04384 [geektechnique.org]
    (browse with 'next' through the pics of the demo)

    BTW, WTH was great! ;-)
  • crash .... bang..... lawsuit ...
    against the user and the developer ...

    this is not a toy for corporate america .... but I cannot wait to test it :)

    nah where is the dongle ... and
    #apt-get install libbluetooth1-dev
    hope that's the needed lib :)
    • crash .... bang..... lawsuit ... against the user and the developer ...

      Would you rather that using such devices be encouraged? It is called unauthorized eavesdropping and is illegal in most countries.

      this is not a toy for corporate america ...

      Just curious -- you seem to use the word "corporate" as a derogatory term. Would you rather live in a "tribal america"? Or in a "collective farming america"?

        • I would rather live in CENTRAL America, as I do now :)

          On the other hand, I use it as a derogatory term as in: "big mean corporations controlling everything"

          Hmm, a farming America would be nice ... always wanted to be a shepherd .... but actually tribal America seems cool to me too ....

          Anyway, do not take it as offensive; I feel like that against corporation-controlled (ALL?) governments.

          It is always nice to rebel against something, isn't it?

          cheers
          • I feel like that against corporation-controlled (ALL?) governments.
            Corporations are merely the best currently known way to scale human labor. You know -- to do things smaller groups of people simply cannot.

          Once we find a better way, corporations will fade away the same way tribes and slavery did.

            It is always nice to rebel against something, isn't it?
          Not without a (good) cause...
  • Okay, the way this works is basically that they scan for BT headsets and try to pair with them using default keys (like 0000 or 1234 or what have you). Once they make a connection, they can send audio to the thing.

    So, are there any headsets or car units out there that are NOT susceptible to this?

    In order to not be susceptible, you gotta have either :
    a) A non-constant PIN (meaning that it either has to be random every time or semi-unique to that device, like the manufacturer puts a different PIN in each unit
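The attack flow POPE Mad Mitch describes above (request pairing with every hands-free unit in range, try the standard PIN, then open the audio link) and the requirements listed in this comment, as an added example that is not part of the thread and is not trifinite's Car Whisperer. It models the pairing step the quoted carwhisperer project text refers to (the passkey is the secret input to link-key generation) with a stand-in key function: HMAC-SHA256 replaces the real SAFER+-based E22/E1 functions, the combination-key step is skipped, and the unit names, the default-PIN list and the "printed on the box" PIN are all constructed. The only fixes shown are the two the thread names, a per-unit PIN and a physical pairing button.

```python
"""Model of the default-passkey pairing weakness behind Car Whisperer.

Constructed example for this thread, not trifinite's tool. The real
Bluetooth E22 (initial key) and E1 (authentication) functions are built
on SAFER+; HMAC-SHA256 stands in for them here (an assumption) so the
data flow, not the cipher, is what the example shows: the PIN is the
only secret, and a fixed, well-known PIN is no secret at all.
"""
import hashlib
import hmac
import secrets


def bt_kdf(label: bytes, key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+-based E22/E1 primitives (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]


def init_key(pin: str, bd_addr: bytes, in_rand: bytes) -> bytes:
    """E22: K_init = f(PIN, BD_ADDR, IN_RAND). BD_ADDR and IN_RAND are
    sent in the clear; only the PIN is supposed to be secret. The
    combination-key step that follows in the real protocol is skipped
    and K_init is used directly as the link key (a simplification)."""
    return bt_kdf(b"E22", pin.encode(), bd_addr, in_rand)


def auth_response(link_key: bytes, claimant_addr: bytes, au_rand: bytes) -> bytes:
    """E1: SRES = f(link_key, claimant BD_ADDR, AU_RAND), 4 bytes."""
    return bt_kdf(b"E1", link_key, claimant_addr, au_rand)[:4]


class Handsfree:
    """A hands-free unit with the two properties the thread says decide
    whether Car Whisperer works: a fixed PIN, and whether pairing needs
    a physical action (recessed button) before the unit will respond."""

    def __init__(self, name: str, pin: str, button_required: bool = False):
        self.name = name
        self.pin = pin
        self.button_required = button_required
        self.in_pairing_mode = False              # nobody has pressed the button
        self.bd_addr = secrets.token_bytes(6)
        self.link_keys: dict[bytes, bytes] = {}   # remote BD_ADDR -> link key

    def pairing_request(self, remote_addr: bytes, in_rand: bytes) -> bool:
        """Unsolicited pairing from remote_addr. A unit that needs the
        button rejects it; a no-UI unit just derives a key from its own
        PIN and waits to see whether the peer can authenticate."""
        if self.button_required and not self.in_pairing_mode:
            return False
        self.link_keys[remote_addr] = init_key(self.pin, self.bd_addr, in_rand)
        return True

    def authenticate(self, remote_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        """Verifier side of E1. A PIN mismatch shows up here, as a wrong
        SRES, and the half-made bond is dropped."""
        key = self.link_keys.get(remote_addr)
        if key is None:
            return False
        ok = hmac.compare_digest(auth_response(key, remote_addr, au_rand), sres)
        if not ok:
            del self.link_keys[remote_addr]
        return ok


def car_whisperer(units: list, pins=("0000", "1234")) -> dict:
    """Do what the thread describes: request pairing with every hands-free
    unit in range and try the standard PINs (list constructed here).
    Returns {unit name: PIN} for every unit that ends up authenticated,
    i.e. where an attacker could now open the audio link."""
    my_addr = secrets.token_bytes(6)
    opened = {}
    for unit in units:
        for pin in pins:
            in_rand = secrets.token_bytes(16)
            if not unit.pairing_request(my_addr, in_rand):
                break                      # needs the button: no point retrying
            my_key = init_key(pin, unit.bd_addr, in_rand)
            au_rand = secrets.token_bytes(16)
            if unit.authenticate(my_addr, au_rand, auth_response(my_key, my_addr, au_rand)):
                opened[unit.name] = pin
                break
    return opened


def demo() -> dict:
    """Constructed sample 'traffic': two corner-cutting car kits and the
    two fixes the thread names (per-unit PIN, physical pairing button)."""
    units = [
        Handsfree("carkit A (fixed PIN 0000)", "0000"),
        Handsfree("carkit B (fixed PIN 1234)", "1234"),
        Handsfree("carkit C (random PIN printed on box)", "8371"),
        Handsfree("headset D (recessed pairing button)", "0000", button_required=True),
    ]
    return car_whisperer(units)


if __name__ == "__main__":
    for name, pin in demo().items():
        print(f"{name}: paired with PIN {pin}")
```

Running it pairs with the two fixed-PIN kits only: the per-unit PIN fails at the E1 check because the attacker's K_init differs from the unit's, and the button-gated headset never answers the pairing request at all, which is the "reject connection attempts" check the thread recommends looking for.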

  • Check out the over 1-mile Bluetooth detection page. They got a Bluetooth connection over a mile away.

    They also can run Bluetooth snarfing from a Bluetooth-enabled cell phone.

    Lots of fun Bluetooth stuff there. These guys are brilliant.
  • The Trifinite group showed how hackers could eavesdrop

    I've wondered, for some time, if police would ever employ those "listen to a conversation inside a room by bouncing a laser off of the window" spy gadgets to listen to what the occupants of a car are saying during a traffic stop (or maybe even *before* the cop decides to pull them over) to hear time-saving tidbits like "Vinnie... quick! Hide the dope under the back seat!".

    This bluetooth thing makes it a lot easier. I'm pretty sure that the supre
