Slashdot Mirror


Injecting Audio Into Insecure Bluetooth Handsets

vandon writes "Linux hackers have demonstrated a way to inject or record audio signals from passing cars running insecure Bluetooth hands-free units. The Trifinite group showed how hackers could eavesdrop on passing motorists using a directional antenna and a Linux Laptop running a tool it has developed called Car Whisperer."

28 of 222 comments

  1. "Can you hear me now?" by flatface · · Score: 4, Funny

    "Yes we all can."

  2. Oh noes! They could illegally by Weaps · · Score: 2, Funny

    Record music! And these unsuspecting drivers could run afoul of the RIAA while the pirates who illegally recorded the Intellectual Property would get away scot-free!

    Madness I tells ya!

  3. I can see it now by up2ng · · Score: 2, Funny

    Standing on an overpass speaking to a passing car, "Hey you! Look out for that tree" or "Kent, This is God, Stop Touching That!"

    Childhood stuff never gets old

    --
    Success is not the result of spontaneous combustion, you must set yourself on fire.
  4. Solution: Encryption by Zweideutig · · Score: 2, Insightful

    Have proper encryption between hand set and the transmitter/receiver. This may make hand sets more expensive, as a small computer in both the headset and the transmitter/receiver unit would be required, but it should eliminate this problem.

    --
    Powered by caffeine and sugar; BSD
    1. Re:Solution: Encryption by karnal · · Score: 4, Funny

      Disclaimer: I work for soft-core crypto company ;-)

      So does that mean you work for the "Spice Channel" of the Crypto industry??? :)

      --
      Karnal
  5. Simple Fix by mekkab · · Score: 2, Funny

    make Linux illegal.

    What's the problem? I expect a bill to be passed in the next year.

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  6. Re:Top secret info by stecoop · · Score: 2, Interesting

    Zero.

    Your title Top Secret info, then anyone that has that kind of clearance knows that you can't talk on an unsecured line in an unsecured environment. If you mean getting caught talking nasty to your intern on a cell phone then all bets are off.

  7. List of which kits are susceptible by Se7enLC · · Score: 5, Insightful

    Thank you to the fine people of trifinite.org for not listing off which handsfree devices they found to be secure and which they found to be insecure. Now I guess we'll all just have to wait until we're hacked to find out if we bought the right one.

    These guys seem to be pretending to be doing it for the good of the industry, but their site seems to list a lot of Bluetooth Hacks & Attacks. And they didn't seem to have made any effort to contact vendors to get the problem corrected, either.

    1. Re:List of which kits are susceptible by Technician · · Score: 5, Informative

      Now I guess we'll all just have to wait until we're hacked to find out if we bought the right one.

      Finish reading the article. Does your device allow you to enter your own passkey? Does your device allow you to reject connection attempts? If your device has no user interface, then it probably is vulnerable.

      --
      The truth shall set you free!
    2. Re:List of which kits are susceptible by ezzzD55J · · Score: 3, Interesting

      These guys seem to be pretending to be doing it for the good of the industry, but their site seems to list a lot of Bluetooth Hacks & Attacks. And they didn't seem to have made any effort to contact vendors to get the problem corrected, either.

      Don't be too tough on them. I saw their demo at WhatTheHack last weekend. After the session I asked which brand to buy for security, and the reply was that Nokia had done a good job of making up for their mess. Also their story at the time was that they test a lot of bluetooth stuff for the industry, working with the industry to find holes before phones go to market (not quite sure of the timing, but I am sure that they cooperate).

  8. Acura TL by dcarey · · Score: 2, Funny

    I've got an Acura TL. Bluetooth in it of course. So how does one secure a built-in bluetooth system? Take it to my dealer for a virus scan? Drive around a local university trolling for pseudohackers? Bust into the OS, whatever it's running, and slap some Linux distro on it (well the car won't run in that case, but hey, it's certainly a functional $35,000 Linux Box!)

    --

    -- (Score:i , Imaginary)

    1. Re:Acura TL by PriceIke · · Score: 2, Funny

      Cop: "Do you have any idea how fast you were going?"

      You: "About 2.5GHz."

      --
      It's not a lie. It's the truth with lossy compression.
    2. Re:Acura TL by Not_Wiggins · · Score: 2, Informative

      The Acura TL (at least, the 2005 model) has a security feature that disables Bluetooth until you want it enabled by speaking the 4 digit code at car start-up. Most drivers have it turned off because it is a pain to enable it every time you start the car... but if you're that paranoid about someone hacking the bluetooth on your car when you're *not* using it, this feature is easily disabled. Check the HandsFreeLink section of your owner's manual.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  9. Like we want to hear by blueZ3 · · Score: 2, Funny

    some yuppie soccer mom discussing her kid's brilliant school career with grandma.

    Count me out on the "eavesdropping on car phone conversations," thanks. :o)

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  10. butt set by vinn · · Score: 2, Funny

    When it comes to eavesdropping, I prefer my method of butt sets on 66 blocks. It doesn't require as much thought.

    --
    ----- obSig
  11. Device must be in pairing mode by timgoh0 · · Score: 2, Informative

    From what I understand of the article, your bluetooth device must be explicitly set to the pairing/discoverable mode. This is not on by default.

    On my Jabra BT800 headset, I have to push a recessed button to bring the device to this mode. After the headset is paired, it is no longer discoverable, nor does it accept pairings from other devices.

    1. Re:Device must be in pairing mode by GodGell · · Score: 2, Interesting

      i have a jabra bt200 and will do some experiments with it someday.
      anyway. yesterday as i was sitting on a bus on the way home from drumming school, i disconnected my phone from the bt200 so that i can do a scan for other devices and i found another phone (named "Hayat", no idea what that stands for). i tried to connect to it loads of times with passkey 0000, and most of the time it just said bluetooth connection error. once though it was passkey mismatch, so i guess the phone asked the guy the passkey. when i changed my phone's name to "passkey_is_0000" just to see what happens, the unknown phone disappeared. see, there's a new form of wardriving - warwalking - with bluetooth! :D
      the whole thing took about 16 minutes, and all that time my bt200 was on my ear in search mode. yet nothing happened.

      --
      [SHOW SOME LENIENCY TOWARDS ... I mean, FUCK BETA] Eat. Survive. Reproduce. GOTO 10
    2. Re:Device must be in pairing mode by tengwar · · Score: 2, Informative

      Well I'm wondering if it ever does work. As timgoh0 says, you have to put the device into pairing mode. I work in telecoms, and I've never seen a BT handsfree that didn't have to be expressly put into pairing mode. Since BT is supported by a small number of bought-in chips, it seems unlikely that even a Crapposan Mk13 would differ from this behaviour. Secondly, pairing is what it says - it joins a pair of devices. Normally a BT handsfree will only support one handset at a time, and the cheap ones will only hold one profile (expensive ones may hold profiles for up to three phones, but only one active at a time). This leads me to doubt that it could be used to pick up a phone conversation.

      Anyway, I'll be interested to hear whether anyone gets it working - don't have the time to try it myself.

  12. Cordless Telephones by Kiaser+Wilhelm+II · · Score: 2, Informative

    I used to do this with cordless telephones (the kind that plugs into your landline). They ran unencrypted on 43-46 MHz and 900 MHz bands for years.

    Let's just say I got to know my neighbors very well.

    (If you have a cordless phone and are wondering if it's secure, make sure it has "spread spectrum" technology)

    --
    Lord High Crapflooder The Right Honourable Vlad Craig Esther McDavenpherson III
    Destroyer of Mercatur.Net
    1. Re:Cordless Telephones by Kiaser+Wilhelm+II · · Score: 2, Informative

      Yes, however there are no consumer "spread spectrum" scanning devices on the market, ensuring that only a talented engineer can go to the trouble to build a receiver just to listen to your particular model of cordless phone.

      --
      Lord High Crapflooder The Right Honourable Vlad Craig Esther McDavenpherson III
      Destroyer of Mercatur.Net
  13. Re:cool but also meh by tomstdenis · · Score: 2, Insightful

    I dunno about all.

    My understanding of Bluetooth is that it CAN be used properly, just as implemented it isn't.

    If you're security cautious you'd use a normal usb or ps/2 keyboard.

    Tom

    --
    Someday, I'll have a real sig.
  14. Why is it just for cars? by Kainaw · · Score: 3, Funny

    I would like this if it was more than just cars. I'd like to sit outside WalMart and force audio into all the idiots walking around with their bluetooth cell phone earbuds permanently stuck in their ear.

    --
    The previous comment is purposely vague and generalized, but all of the facts are completely true.
  15. Re:cool but also meh by POPE+Mad+Mitch · · Score: 4, Informative

    This is not a weakness in the protocol or the crypto used. It's about manufacturers cutting corners.

    This works on devices which do not need to be put into a special mode to be paired, and which are using a fixed same-for-every-unit pairing password.

    This software just requests a pairing with every handsfree device it sees, and tries the standard password. If the device had bothered to need physical confirmation for pairing (like any decent headset) or used a random printed-on-the-box password then this wouldn't be happening.

    This also isn't about just listening in on other people's phone conversations, it's about listening to ANY conversation, as once you have paired with the device, if it is for example an in-car hands-free device, you can turn on the microphone and listen to anything said in the car cabin.

  16. Broadcast Ping by woodsrunner · · Score: 2, Interesting

    That would be fun! I am sure WalMart would like that power to direct their shoppers to the latest thing they are trying to flog.

    I have always wanted a way to do a broadcast ping of all the local cellphones to get them all to ring at once. I bet theatres would like a device that could do this in order to get patrons to turn off their ringers before shows start.

  17. Re:Top secret info by Doc+Ruby · · Score: 4, Insightful

    Yes, of course everyone with Top Secret clearance is absolutely discreet with the info they handle.

    Everyone knows that "government employee" == "perfectly competent".

    --

    --
    make install -not war

  18. Give the mod the benefit of the doubt by WidescreenFreak · · Score: 4, Informative

    The parent is indeed 100% on-topic; however, I will give the mod who knocked it with "offtopic" the benefit of the doubt that he is from outside of the U.S. Let's face it. What would someone in the U.K. or Australia really know about a Verizon Wireless series of adverts that are run in the U.S.?

    For those who don't understand, Verizon Wireless (as in mobile/cellular phone, not WiFi network) has been running a series of commercials where in order to test the strength of Verizon's signals a Verizon technician will go into the most bizarre locations and say "Can you hear me now? Good!" The idea is that no matter where he goes, he can get a clear signal and can be heard by whoever is on the other end.

    Hence why the parent post is actually 100% on-topic and funny.

    (Now watch this post get hit with offtopic instead of Informative. No good deed goes unpunished on Slashdot.)

    --
    The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
  19. Good by wickedj · · Score: 2, Funny

    Maybe then we can inject comments like these to drivers:

    "Get off the phone and drive!"
    "Pay attention!"
    or my favorite
    "Put down the beer!"

  20. Pics of the demo on WhatTheHack last Friday by mistermark · · Score: 2, Informative

    These guys showed this on WhatTheHack - conference in The Netherlands last Friday.

    I made some pics of the demo, starting with this one:
    http://geektechnique.org/gallery/wth2005/DSC04384
    (browse with 'next' through the pics of the demo)

    BTW, WTH was great! ;-)