Injecting Audio Into Insecure Bluetooth Handsets

vandon writes "Linux hackers have demonstrated a way to inject or record audio signals from passing cars running insecure Bluetooth hands-free units. The Trifinite group showed how hackers could eavesdrop on passing motorists using a directional antenna and a Linux Laptop running a tool it has developed called Car Whisperer."

Device must be in paring mode

[timgoh0]

From what i understand of the article, your bluetooth device must be explicitly set to the pairing/discoverable mode. This is not on by default

On my Jabra BT800 headset, i have to push a recessed button to bring the device to this mode. After the headset is paired, it is no longer discoverable, nor does it accept parings from other devices.

Re:Device must be in paring mode

[tengwar]

Well I'm wondering if it ever does work. As timgoh0 says, you have to put the device into pairing mode. I work in telecoms, and I've never seen a BT handsfree that didn't have to be expressly put into pairing mode. Since BT is supported by a small number of bought-in chips, it seems unlikely that even a Crapposan Mk13 would differ from this behaviour. Secondly, pairing is what it says - it joins a pair of devices. Normally a BT handsfree will only support one handset at a time, and the cheap ones will only hold one profile (expensive ones may hold profiles for up to three phones, but only one active at a time). This leads me to doubt that it could be used to pick up a phone conversation.

Anyway, I'll be interested to hear whether anyone gets it working - don't have the time to try it myself.

Cordless Telephones

[Kiaser+Wilhelm+II]

I used to do this with cordless telephones (the kind that plugs into your landline).. they ran unencrypted on 43-46Mhz and 900Mhz bands for years.

Lets just say I got to know my neighbors very well.

(If you have a cordless phone and are wondering if its secure.. make sure it has "spread spectrum" technology)

Re:Cordless Telephones

[Kiaser+Wilhelm+II]

Yes, however there are no consumer "spread spectrum" scanning devices on the market, ensuring that only a talented engineer can go to the trouble to build a receiver just to listen to your praticular model of cordless phone.

Re:cool but also meh

[POPE+Mad+Mitch]

This is not a weakness in the protocol or the crypto used. Its about manufacturers cutting corners.

This works on devices which do not need to be put into a special mode to be paired, and which are using a fixed same-for-every-unit pairing password.

this software just requests a pairing with every handsfree device it sees, and tries the standard password. If the device had bothered to need physical confirmation for pairing (like any decent headset) or used a random printed-on-the-box password then this wouldnt be happening.

this also isnt about just listening in on other peoples phone conversations, its about listening to ANY conversation, as once you have paired with the device, if it is for example an in car hands free device, you can turn on the microphone and listen to anything said in the car cabin.

Give the mod the benefit of the doubt

[WidescreenFreak]

The parent is indeed 100% on-topic; however, I will give the mod who knocked it with "offtopic" the benefit of the doubt that he is from outside of the U.S. Let's face it. What would someone in the U.K. or Australia really know about a Verizon Wireless series of adverts that are run in the U.S.?

For those who don't understand, Verizon Wireless (as in mobile/cellular phone, not WiFi network) has been running a series of commercials where in order to test the strength of Verizon's signals a Verizon technician will go into the most bizarre locations and say "Can you hear me now? Good!" The idea is that no matter where he goes, he can get a clear signal and can be heard by whoever is on the other end.

Hence why the parent post is actually 100% on-topic and funny.

(Now watch this post get hit with offtopic instead of Informative. No good deed goes unpunished on Slashdot.)

Pics of the demo on WhatTheHack last friday

[mistermark]

These guys showed this on WhatTheHack - conference in The Netherlands last friday.

I made some pics of the demo, starting with this one:
http://geektechnique.org/gallery/wth2005/DSC04384
(browse with 'next' through the pics of the demo)

BTW, WTH was great! ;-)

Re:Acura TL

[Not_Wiggins]

The Acura TL (at least, the 2005 model) has a security feature that disables Bluetooth until you want it enabled by speaking the 4 digit code at car start-up. Most drivers have it turned off because it is a pain to enable it everytime you start the car... but if you're that paranoid about someone hacking the bluetooth on your car when you're *not* using it, this feature is easily disabled. Check the HandsFreeLink section of your owners manual.

Re:List of which kits are susceptable

[Technician]

Now I guess we'll all just have to wait until we're hacked to find out if we bought the right one.

Finish reading the article.. Does you device allow you to enter your own passkey? Does your device allow you to reject connection attempts? If your device has no user interface, then it probably is vunerable.