Bluetooth Vulnerabilities: A Demonstration Based Report
By Patrick Lloyd, Ryan Steinmetz, Matt Taber and Ben Walter

Abstract

This paper is the second part of a two-part report. In the first part we gave an overview of general Bluetooth vulnerabilities and the tools used to take advantage of them, covering many different methods with a main focus on Bluesnarfing and Bluetracking. In this second part we attempt to demonstrate at least one Bluetooth vulnerability with a set of software and hardware provided to us from a number of sources.

Introduction

As mentioned in the first part of this paper, Bluetooth is increasingly becoming an essential part of the technological world in which we live. It is built into a multitude of devices that we carry every day, from cell phones and laptop computers to headsets and even bracelets. Its range can be anywhere from 1 meter to 100 meters, and even these figures can be extended with a simple antenna attached to a Bluetooth dongle. In this paper we demonstrate actual vulnerabilities inherent to Bluetooth, focusing mainly on packet injection, which relies on social attacks in addition to the technical vulnerability.

Hypothesis

We believe that we can inject sounds, or packets of information, into a PLT 510 Bluetooth headset merely by catching it in the middle of a discovery with another sound device. There are ways to “crack” the device and inject packets without catching it in the middle of a pairing, but for the sake of this experiment we chose not to use hacking techniques but rather those that would be more widely used in the outside world.

Results

Complications

We originally planned to cover a multitude of demonstrations in this paper but ran into a number of problems while trying to perform them. The main complication was a very small budget for this experiment. In our original brainstorming we wanted to include a demonstration of Bluetracking, the use of three different Bluetooth nodes to triangulate where a Bluetooth device is located, but there is very little software available to do so for less than thousands of dollars. The software we were provided with was effective at scanning an immediate area for Bluetooth devices, but had no way to tell how far a device was from the user. Due to our student status and the small budget within our department, other pieces of software were far out of our reach.

Successful Results

Despite these complications, we were able to demonstrate packet injection into a PLT 510 headset using only the built-in Bluetooth capability of a Dell Vostro 1500 laptop. There are a number of utilities on the internet, including a program called carwhisperer, which allows the user both to record from and to send messages to a headset it is able to connect to. The process uses the Linux hcitool utility to detect a headset or other Bluetooth device that may be in range. In the case of our PLT 510, the device had to be in pairing mode to be detected successfully. The problem with this, especially with the PLT 510 headset, is that it beeps in the earpiece, letting the user know that someone has detected or attempted to connect to the device. Most users would pass this off and ignore it as an error in the headset or a missed call which the device didn’t register. This could be classified as a type of social attack, because the user allows the device to be paired despite being notified through the beep.

The other vulnerability which allows packets to be injected into the headset is that it has a “0000” pin for association by default. This pin, along with “1234”, is one of the most common pins: many headsets and devices ship from the manufacturer with it as their default. The problem with the PLT 510 headset is that it does not offer any way to change the pin, an essential feature given the overall popularity of the two pins.

The actual procedure of injecting packets or listening to the conversation the user is having is a very simple one. Code to do exactly this is included as Figure 1 of the appendix. While the headset is still in discoverable mode and the user is pairing it with their phone, a laptop can be set up within a 10 meter radius, as defined by the class two range [1]. This could very easily take place in any public area such as a park, the airport, a parking lot (though due to the restrictions of Bluetooth, the victim’s window would have to be rolled down), or even a workplace. The laptop then receives notification that the headset is trying to find a pairing partner. This requires no special procedure on the laptop: if the laptop is within discoverable range of the headset, it will pick up the headset automatically with a message that the headset wants to establish a pairing. A utility for constant polling of local-area devices is discussed later in the paper.
Once the laptop is paired with the headset, the audio properties of the laptop can be set to use the headset as the default recording device (Figure 2), the default playback device (Figure 1), or both. In this experiment the headset was used alternately for both tasks, but never for both at the same time.

To inject a packet or sound into the headset (Figure 1), the laptop sets the headset as the default playback device and uses a sound player to play whatever sound is desired. In our experiment we were able to play the default wav file included with carwhisperer into the headset while having a conversation on the headset with another party, without the other party’s knowledge or ability to hear it. This could be potentially dangerous if the attacker were able to get the second party to say something usable for a social attack, mainly because that party would be unaware that the first party was hearing the sound file.

To listen to the conversation happening over the headset (Figure 2), the laptop can be set to use the headset as the default recording device, and a sound recording program, in our case the built-in carwhisperer raw file recording command, can capture the conversation the user is having. This can also be done in a Windows environment using Windows’ Sound Recorder. The recording could also be played back over the headset, especially if a single headset has a number of users, for example a husband and wife. With careful observation and planning, this could be used to obtain the last four digits of a user’s social security number (the primary identification for most billing services), bank account numbers, credit card numbers, or numeric pins that are spoken out loud. As mentioned in the first part of the report, this could later be used for blackmail or other malicious deeds if the victim is then followed or their phonebook and calendar obtained and compared to the conversation.

For this report we also chose to track the number of Bluetooth devices found to be discoverable during two three-hour periods, one in a classroom building lounge and one in an open computing lab at Rochester Institute of Technology. The tracking was done to update a statistic taken in 2002 at a conference, in which [2] found that within just the 2004 CeBIT conference period, a total of seven days, 5294 Bluetooth devices were detected as people merely walked by with their phones or other devices set to discoverable mode. The most frightening detail in that report is that approximately 70% of all devices found in the conference experiment were “vulnerable against SNARF attacks”, SNARFing being the ability for the attacker to steal a victim’s phone numbers and calendar information.

In our version of the experiment, every person passing the scanning station was counted as part of the scan, on the assumption that within the 30 second polling period the person’s device, if left in discoverable mode, would be scanned at least once. We found that out of the 970 people passing by in the classroom building lounge, only 14 had fully discoverable devices, and within the open computing lab a total of 13 out of 84 had discoverable devices. The totals of people were hand counted, and the numbers of devices were counted using BMon, a Bluetooth scanning utility by Center Media Solutions. Both figures may be off, because of the number of computers in the open computing lab which may or may not have had Bluetooth capability, and because of human error in counting people walking by while sitting in the classroom building lounge.
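As an added illustration of the survey method described above (this is not code from the paper or from BMon), the following Python script assumes the line format of hcitool scan output, merges repeated 30-second polls, counts each BDADDR once, separates addresses seen in every poll (probably fixed equipment such as lab computers, the error source the paper mentions) from passers-by, and computes the exposure rate from a hand-counted headcount. All addresses, names and the headcount are constructed.

```python
import re
from collections import Counter

# Matches one `hcitool scan` result line: <tab>BDADDR<tab>Name (name may be "n/a").
BDADDR_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*(.*)$")

def parse_scan(output):
    """Return {BDADDR: name} for the output of a single `hcitool scan` run."""
    devices = {}
    for line in output.splitlines():
        m = BDADDR_RE.match(line)
        if m:  # the "Scanning ..." header and blank lines do not match
            devices[m.group(1).upper()] = m.group(2).strip()
    return devices

def survey(polls):
    """Merge repeated polls: how many polls each BDADDR appeared in, plus its last seen name."""
    seen, names = Counter(), {}
    for poll in polls:
        for addr, name in parse_scan(poll).items():
            seen[addr] += 1
            names[addr] = name
    return seen, names

def split_stationary(seen, poll_count):
    """Addresses present in every poll are probably fixed equipment (e.g. lab PCs),
    not passers-by, so the survey reports them separately."""
    stationary = {addr for addr, hits in seen.items() if hits == poll_count}
    return stationary, set(seen) - stationary

def exposure_rate(discoverable, people_counted):
    """Fraction of people passing the station who carried a discoverable device."""
    if people_counted <= 0:
        raise ValueError("people_counted must be positive")
    return discoverable / people_counted

# Constructed sample of three 30-second polls; addresses and names are made up.
SAMPLE_POLLS = [
    "Scanning ...\n\t00:11:22:33:44:55\tPhone A\n\t00:AA:BB:CC:DD:EE\tLab-PC-7\n",
    "Scanning ...\n\t00:AA:BB:CC:DD:EE\tLab-PC-7\n",
    "Scanning ...\n\t00:11:22:33:44:55\tPhone A\n\t00:aa:bb:cc:dd:ee\tLab-PC-7\n"
    "\t12:34:56:78:9A:BC\tn/a\n",
]

if __name__ == "__main__":
    seen, names = survey(SAMPLE_POLLS)
    fixed, passing = split_stationary(seen, len(SAMPLE_POLLS))
    print(f"{len(passing)} transient devices, {len(fixed)} stationary; "
          f"exposure {exposure_rate(len(passing), 40):.1%}")  # 40 = constructed headcount
```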
Finally, as a proof of concept, we decided to test the “Bluetooth gun”, a basic Yagi antenna attached to a paintball rifle stock. Our initial range tests with the rifle were not very impressive, as the range appeared to be limited to ten feet. A digital multimeter later revealed that the cable connecting the Bluetooth USB dongle to the antenna itself was shorting the shield to the center conductor. The cable itself had therefore become the antenna and the Yagi antenna was not being used at all. We obtained a replacement coaxial cable through the professor supervising our experiments, de-soldered the existing cable from the USB Bluetooth dongle and soldered the new cable on. The results were excellent: our initial ten foot range increased to about three hundred feet, illustrating that vulnerable devices could be exploited from a much greater range. While we were unable to test the sniffing ability we would gain by having a re-flashed CSR Bluetooth dongle, we are quite confident that the antenna would make these results even more impressive and add extensive range to our packet injecting abilities.

Discussion

As can be seen from the detection statistics in the second part of our results, manufacturers and users are both becoming smarter about the vulnerabilities and the security precautions that can be taken to keep their Bluetooth devices safe. Whereas a number of critics may say that leaving a phone in non-discoverable mode is not enough, with commercial software well within the budget of the average person this has been seen to be enough. As mentioned in the complications section, a person who wants to crack a Bluetooth device that is not in discoverable mode, or to triangulate the position of a person carrying a Bluetooth device, would need an extensive budget, certainly larger than that of four graduate students or a Networking, Security and Systems Administration department.

In contrast, there has not been enough exposure of headset vulnerabilities and of the issue of a pairing code of “0000” or “1234”. These two pairing codes are still extremely popular, and therefore pieces of software such as carwhisperer are still very much able to inject packets into, or record packets from, such devices. As demonstrated in this paper, this can be done in a Linux distribution using carwhisperer, or even in Windows with the built-in sound recorder.

Conclusion

This paper has been our demonstration of Bluetooth vulnerabilities using a number of different techniques. We first used the program carwhisperer to inject packets or sounds into a PLT 510 headset, demonstrating the ability to do so on a headset with the vulnerability of a “0000” pairing code. We then demonstrated the “Bluetooth gun”, which can extend the range of an average Bluetooth dongle from 10 or 15 feet to approximately 300 feet. Finally, for proof of concept and additional conclusions, we did a survey of Bluetooth devices in two different areas over a three hour period each.

Acknowledgements

We thank Centermediasolutions.net for providing us with their software, BMon, which was extremely useful for scanning in our experiments as well as for detecting devices with the Bluetooth gun. It allowed us to detect Bluetooth devices without the delay that many other pieces of software, including software for built-in Bluetooth devices, impose. This software could easily be used with carwhisperer to find the BDADDR of devices and then inject packets of sound into them without pairing.

Appendix
play.sh:

    #!/bin/sh
    # carwhisperer <hci device index> <input raw file> <output raw file> <headset BDADDR> <channel>
    # $1 is the raw audio file to play into the headset; audio received from the headset
    # is written to results.raw
    ./carwhisperer 0 "$1" results.raw 00:03:89:93:F8:5D 1

Figure 1: Code for insertion of sound packets into the headset

play_recording.sh:

    #!/bin/sh
    # Convert the captured raw audio (8 kHz, mono, signed 16-bit: -s -w in this sox syntax)
    # in results.raw to a 44.1 kHz stereo wav file that any sound player can open
    sox -t raw -r 8000 -c 1 -s -w ./results.raw -t wav -r 44100 -c 2 out.wav

Figure 2: Code for recording from headset and converting to a wav format

References

[1] Bialoglowy, Marek. "Bluetooth Security Review, Part 2." SecurityFocus, 26 May 2005. Accessed 16 Sept. 2008.

[2] Haase, Marc, and Matthias Handy. "BlueTrack – Imperceptible Tracking of Bluetooth Devices." University of Rostock. Accessed 16 Sept. 2008.