This paper is the second part of a two-part report in which we first gave an
overview of general Bluetooth vulnerabilities and the tools that are used to take
focus on Bluesnarfing and Bluetracking. In this, the second part of the report, we will
attempt to demonstrate at least one Bluetooth vulnerability with a set of software and
Introduction
As mentioned in the first part of this paper, Bluetooth is becoming an ever more
essential part of the technological world in which we live. It is built into a multitude
of devices that we carry every day, from cell phones and laptop computers to headsets and
even bracelets. It can have a range of anywhere from 1 meter to 100 meters, and even
these numbers can be extended with a simple antenna attached to a Bluetooth
dongle. In this paper, we demonstrate the actual vulnerabilities that are inherent to
Bluetooth, mainly focusing on packet injection, which relies on a social-engineering
component in addition to the technical vulnerability.
Hypothesis
We believe that we can inject sounds, or packets of information, into a PLT 510
Bluetooth headset merely by catching it in the middle of a discovery with another sound
device. There are ways to “crack” the device and inject packets without having to catch
it in the middle of a pairing, but for the sake of this experiment, we chose not to use
hacking techniques but rather those that would be more widely used in the outside
world.
Results
Complications
into a number of problems while trying to perform them. The main complication we ran
into was the very small budget for this experiment. In our original brainstorming for the
different Bluetooth nodes to triangulate where a Bluetooth device is located, but there is
very little software available to do so for less than thousands of dollars. The software we
were provided with was effective at scanning an immediate area for Bluetooth devices,
but had no way to tell how far the device was from the user. Due to
our status as students and the small budget within our department, other pieces of software
Successful Results
Despite the complications that we ran into, we were able to demonstrate packet
injection into a PLT 510 headset using only the built-in Bluetooth capability of a Dell Vostro
1500 laptop. There are a number of utilities on the internet, including a program called
carwhisperer, which allows the user to both record from and send messages to any headset
to which it is able to connect. The process by which this is done is by using the Linux
“hcitools” package and detecting a headset or Bluetooth device that may be in range. In
the case of our PLT 510, the device had to be in pairing mode to be detected successfully.
The problem with this, especially with the PLT 510 headset, is that it beeps in the ear
piece, letting the user know that someone has detected or attempted to connect to the
device. Most users would pass this off and ignore it as an error in the headset or a missed
call which the device didn’t register. This could be classified as a type of social attack,
since the user allows the device to be paired despite being notified through a
notification beep.
The other vulnerability which allows for the headset to have packets injected into
it is the fact that it has a “0000” PIN for association by default. This PIN, along with
“1234”, is one of the most common PINs, with many headsets and devices set to have it as
their default PIN as shipped by the manufacturer. The problem with the PLT 510 headset
is that it does not have the ability to change the PIN, an essential feature with the overall
The actual procedure of injecting packets or listening to the conversation that the
user is having is actually a very simple one. Code to do exactly this is included in Figure
1 of the appendix. While still in discoverable mode and while the user is pairing the
headset with their phone, a laptop computer can be set up within a 10 meter radius, as
defined by the class two range [1]. This could very easily take place in any public area,
such as a park, the airport, a parking lot (though due to the restrictions of Bluetooth, the
victim’s window would have to be rolled down), or even a workplace. The laptop then
receives notification that the headset is trying to find a pairing partner. This requires no
special procedure on the laptop. If the laptop is in discoverable range of the headset, it
will be able to pick up the headset automatically with a message that the headset wants to
establish a pairing. A utility for performing a constant polling of local area devices is
be set to use the headset as either the default recording device (Figure 2), playback device
(Figure 1), or both. In the case of this experiment, the headset was used alternately for
both tasks, but never for both at the same time. To inject a packet or sound into the
headset (Figure 1), the laptop sets the headset as the default playback device and uses a
sound player to play whatever sound is desired. In the case of our experiment, we were
able to play the default WAV file included with carwhisperer into the headset while
having a conversation on the headset with another party, without the other party’s
knowledge or ability to hear. This could be potentially dangerous if the attacker were able
to obtain the second party saying something which could be used for a social attack,
mainly because they would be unaware that the first party was hearing that sound file.
To listen to the conversation happening over the headset (Figure 2), the laptop can
be set to use the headset as the default recording device, and a sound recording program,
in our case the built-in carwhisperer raw file recording command, can be used to capture
the conversation that the user is having. This can also be done in a Windows
This conversation could also be used to play back information over the headset,
especially if there are a number of users, for example a husband and wife, of a single
headset. With careful observation and planning, this could be used to obtain the last four
digits of a user’s social security number (the primary identification for most billing
services), bank account numbers, credit card numbers, or numeric PINs that are spoken
out loud. As mentioned in the first part of the report, this could later be used for
blackmail or other malicious deeds if the victim is then followed or their phonebook and
For the sake of this report, we also chose to track the number of Bluetooth devices
that were found to be discoverable within two three-hour periods of time in a classroom
building lounge and an open computing lab at Rochester Institute of Technology. The
tracking was done as an update of a statistic taken in 2002 at a conference in which they
found [2] that within just the 2004 CeBIT conference time period, a total of seven days,
5294 Bluetooth devices were detected as people merely walked by with their phones or
other devices set on discoverable mode. The most frightening detail in the report on the
results is that approximately 70% of all the devices found in the conference experiment
were “Vulnerable against SNARF attacks”, SNARFing being the ability for the attacker to
. In our version of the experiment, every person passing by the scanning station
was counted as part of the scan. This was based on the assumption that within the 30
second polling period, the person’s device, if left in discoverable mode, would be
scanned at least once. We found that out of the 970 people passing by in the classroom
building lounge, only 14 had fully discoverable devices, and within the open computing
lab a total of 13 out of 84 had discoverable devices. For both figures the total number of
people was hand counted, and the number of devices was counted using BMon, a Bluetooth
scanning utility by Center Media Solutions. Both figures may be off,
based on the number of computers that were in the open computing lab which may or
may not have had Bluetooth capabilities, and human error in the counting of people
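The discoverable-device survey above can be reproduced with the output of the BlueZ `hcitool inq` command rather than BMon. The following is an added Python example, not code from the report; the inquiry rounds and addresses are constructed, and the class-of-device decoding follows the Bluetooth assigned numbers (major class 0x04 = audio/video, minor 0x01 = wearable headset), so that headset-class devices, the kind this report shows to be exposed by a fixed default PIN, can be flagged in an inventory.

```python
import re
from collections import defaultdict

# Constructed sample: three 30-second polling rounds in `hcitool inq` output
# format (addresses are made up; the tab-separated layout matches hcitool).
SAMPLE_ROUNDS = [
    "Inquiring ...\n"
    "\t00:11:22:33:44:01\tclock offset: 0x1a2b\tclass: 0x200404\n"
    "\t00:11:22:33:44:02\tclock offset: 0x0c0d\tclass: 0x5a020c\n",
    "Inquiring ...\n"
    "\t00:11:22:33:44:01\tclock offset: 0x1a2c\tclass: 0x200404\n"
    "\t00:11:22:33:44:03\tclock offset: 0x3e4f\tclass: 0x240408\n",
    "Inquiring ...\n",  # a round in which nothing was discoverable
]

INQ_LINE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"
                      r"clock offset:\s*0x[0-9A-Fa-f]+\s+class:\s*0x([0-9A-Fa-f]{6})\s*$")

MAJOR_AUDIO_VIDEO = 0x04          # Class of Device bits 8-12
AUDIO_MINOR = {0x01: "wearable headset", 0x02: "hands-free",
               0x06: "headphones", 0x08: "car audio"}   # CoD bits 2-7

def parse_round(text):
    """Return {bdaddr: class_of_device} for one inquiry round."""
    found = {}
    for line in text.splitlines():
        m = INQ_LINE.match(line)
        if m:
            found[m.group(1).upper()] = int(m.group(2), 16)
    return found

def audio_kind(cod):
    """Name the audio/video minor class, or None for non-audio devices."""
    if (cod >> 8) & 0x1F != MAJOR_AUDIO_VIDEO:
        return None
    return AUDIO_MINOR.get((cod >> 2) & 0x3F, "other audio/video")

def survey(rounds, people_passing):
    """Merge polling rounds into unique devices and summarise them against
    the hand count of passers-by, as the report does."""
    seen, sightings = {}, defaultdict(int)
    for text in rounds:
        for addr, cod in parse_round(text).items():
            seen[addr] = cod
            sightings[addr] += 1
    return {
        "unique_devices": len(seen),
        "discoverable_ratio": len(seen) / people_passing if people_passing else 0.0,
        "audio_devices": {a: audio_kind(c) for a, c in seen.items() if audio_kind(c)},
        "sightings": dict(sightings),
    }
```

Feeding it real rounds is a matter of capturing `hcitool inq` output every 30 seconds and appending each capture to the list.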
Yagi antenna, attached to a paintball rifle stock. Our initial range tests with the rifle were
not very impressive, as the range appeared to be limited to ten feet. A digital multimeter
later revealed that the cable that connects the Bluetooth USB dongle to the actual antenna
itself was shorting the shield to the center conductor. Therefore, the cable itself
became the antenna and the Yagi antenna wasn’t being utilized. We obtained a
replacement coaxial cable through the professor supervising our experiments and were
then able to de-solder the existing cable from the USB Bluetooth dongle and solder
the new cable on. The results were excellent. Our initial ten foot range increased to
about three hundred feet and illustrated the fact that we could exploit vulnerable devices
from a much greater range. While we were unable to test some of the sniffing ability we
would gain by having a re-flashed CSR Bluetooth dongle, we are quite confident that the
antenna would make these results even more impressive and add extensive range to our
Discussion
As can be seen from the detection statistics in the second part of our results,
manufacturers and users are both becoming smarter about the vulnerabilities and the security
precautions that can be taken to keep their Bluetooth devices safe. Whereas a number of
critics may say that leaving a phone in non-discoverable mode may not be enough, with
commercial software that is well within the budget of the average person, this has been seen
to be enough. As mentioned in the complications section of our report, for a person who
wants to crack a Bluetooth device not in discoverable mode, or triangulate the position of
a person with a Bluetooth device, their budget would have to be extensive, and certainly
larger than that of four graduate students or a Networking, Security and Systems
Administration department.
In contrast, there has not been enough exposure of headset vulnerabilities and the
issue of having a pairing code of “0000” or “1234”. These two pairing codes are still
extremely popular, and therefore pieces of software such as carwhisperer are still very
much able to inject packets into or record packets from such devices. As demonstrated in this paper,
this can be done in a Linux distribution using carwhisperer or can even be done in
Conclusion
number of different techniques to do so. We first used the program carwhisperer to inject
with the vulnerability of a “0000” pairing code. We then demonstrated the ability to use
the “Bluetooth gun” which can extend the range of an average Bluetooth dongle from 10
or 15 feet to approximately 300 feet. Finally, for proof of concept and additional
conclusions, we did a survey of Bluetooth devices within two different areas over a three
Acknowledgements
piece of software which was extremely useful for scanning in our experiments as well as
for detecting the devices with the Bluetooth gun. This allowed us to detect Bluetooth
devices without the delay that many other tools, including the software supplied for use with
built-in Bluetooth adapters, impose. This software could easily be used with carwhisperer to find the
BDADDR of devices and then inject packets of sound into them without pairing.
Appendix
play.sh:
#!/bin/sh
# Usage: ./play.sh <messagefile>
# carwhisperer arguments: <hci#> <messagefile> <recordfile> <bdaddr> [channel]
# (the report's original line was wrapped by the PDF; it is one command)
./carwhisperer 0 "$1" results.raw \
    00:03:89:93:F8:5D 1
play_recording.sh:
#!/bin/sh
# Convert the raw 8 kHz mono capture to a 44.1 kHz stereo WAV.
# -s -w is the old sox spelling of signed 16-bit samples
# (newer sox versions spell it -e signed -b 16).
sox -t raw -r 8000 -c 1 -s -w ./results.raw \
    -t wav -r 44100 -c 2 out.wav
Figure 2: Code for recording from headset and converting to a wav format
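What the sox invocation in play_recording.sh does, written out in Python so that the layout of the raw capture (8 kHz, mono, signed 16-bit little-endian) is explicit. This is an added example and not part of the report; the input tone is constructed, and the resampling is plain linear interpolation rather than sox's filtered resampling.

```python
import io
import math
import struct
import wave

IN_RATE, OUT_RATE = 8000, 44100   # the rates used by play_recording.sh

def raw_to_wav(raw_bytes, in_rate=IN_RATE, out_rate=OUT_RATE):
    """Convert signed 16-bit little-endian mono PCM (the results.raw layout)
    into a 2-channel WAV at out_rate and return the file contents as bytes.
    Resampling is linear interpolation; sox applies a proper filter."""
    n = len(raw_bytes) // 2
    samples = struct.unpack("<%dh" % n, raw_bytes[:2 * n])
    out_n = round(n * out_rate / in_rate) if n else 0
    frames = bytearray()
    for i in range(out_n):
        pos = i * in_rate / out_rate          # position in input samples
        j = int(pos)
        frac = pos - j
        a, b = samples[j], samples[min(j + 1, n - 1)]
        v = int(round(a + (b - a) * frac))
        frames += struct.pack("<hh", v, v)   # mono sample copied to L and R
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(2)
        w.setsampwidth(2)
        w.setframerate(out_rate)
        w.writeframes(bytes(frames))
    return buf.getvalue()

def constructed_tone(seconds=0.1, freq=440.0):
    """Constructed stand-in for results.raw: a 440 Hz tone at 8 kHz mono."""
    n = int(IN_RATE * seconds)
    return struct.pack("<%dh" % n, *(int(8000 * math.sin(2 * math.pi * freq * k / IN_RATE))
                                    for k in range(n)))

def wav_info(data):
    """(channels, sample rate, frames) of a WAV held in memory."""
    with wave.open(io.BytesIO(data), "rb") as w:
        return w.getnchannels(), w.getframerate(), w.getnframes()

if __name__ == "__main__":
    print(wav_info(raw_to_wav(constructed_tone())))
```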
References
[1] Bialoglowy, Marek. "Bluetooth Security Review, Part 2." Bluetooth Security
<http://www.securityfocus.com/infocus/1836>.
[2] <http://ubicomp.org/ubicomp2004/adjunct/posters/haase.pdf>.