exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Dec 15, 2005
Authored by Kevin Finisterre | Site digitalmunition.com

The Widcomm BTW suffers from a remote audio eavesdropping issue.

tags | advisory, remote
SHA-256 | 866ef0aaf005e2d1e28227c8b6a9b0360290e3611a675df0bb6706bd1d5e5344


Change Mirror Download
DMA[2005-1214a] - 'Widcomm BTW - Bluetooth for Windows Remote Audio Eavesdropping'
Author: Kevin Finisterre
Vendor: http://www.widcomm.com, http://www.broadcom.com/products/Bluetooth/
Product: 'versions <= BTW ?'
References: http://www.digitalmunition.com/DMA[2005-1214a].txt

When my Bluetooth fetish first began one of the first things I attempted to exploit
was the Widcomm Audio Gateway and Headset profiles. My early attempts involved trying
to connect to a remote headset profile in order to use sndrec32 to record from
the microphone (using the Sounds and Audio Devices control panel applet
to set the Sound recording Default device to 'Bluetooth Audio'). For the longest time
I could not understand why pressing the record button on sndrec32 returned nothing
but an empty .wav file. Despite multiple attempts to record from the microphone on a
target system, I was unable to capture any audio.

Over this past weekend I purchased a GoldLantern Supertalk Wireless Hands Free Kit
for use in testing Car Whisperer [1]. After successfully playing an assortment of
converted .wav files over GoldLantern device with Car Whisperer, I decided it would
be nice to be able to do something similar in the win32 world.

After some experimentation with the SkypeHeadset plugin [2] it became clear to me
why simply setting my default recording device to 'Bluetooth Audio' had no effect;
before attempting to read from the microphone it is necessary to send a 'RING'
message to the headset profile! In theory, running the carwhisperer binary against
a Windows machine running the Widcomm stack should result in a remote eavesdropping

The reason that my previous attempts at exploiting the Widcomm Audio Gateway and
Headset profile failed was more apparant now. While traditional hands free kits use
channel 1 and a specific device class, the Widcomm drivers use channel 7 and a
device class os 0x72010c:

kfinisterre01:/home/kfinisterre$ tar xzf carwhisperer-0.1.tar.gz
kfinisterre01:/home/kfinisterre$ cd carwhisperer-0.1
kfinisterre01:/home/kfinisterre/carwhisperer-0.1$ grep hcitool . -r
./cw_scanner: open HCITOOL , "hcitool -i hci0 inq --flush | grep 0x200 |";

The cw_scanner script that comes with Car Whisperer uses the BlueZ [3] hcitool
utility to run an inquiry against the device, returning only lines that match the
string "0x200", corresponding to the Hands Free Audio Gateway and Headset profile.
Querying the Widcomm Audio Gateway profile indicates a different device class:

kfinisterre01:/home/kfinisterre$ hcitool inq
Inquiring ...
00:0A:3A:54:71:95 clock offset: 0x3dec class: 0x72010c

As you can see above, the cw_scanner script would ignore my laptop because of the
device class used for the Audio Gateway profile. A quick sdptool search reveals
that my device has a valid Headset Profile waiting to be exploited:

kfinisterre01:/home/kfinisterre/carwhisperer-0.1$ sdptool search HS
Inquiring ...
Searching for HS on 00:0A:3A:54:71:95 ...
Service Name: Headset
Service RecHandle: 0x10009
Service Class ID List:
"Headset" (0x1108)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100

Further analysis indicates that both my Belkin Bluetooth Software 1.4.2 Build 10
and my ANYCOM Blue USB-130-250 Software have the following registry keys:

HKLM\SOFTWARE\Widcomm\BTConfig\Services\008\ (HeadSet)
HKLM\SOFTWARE\Widcomm\BTConfig\Services\009\ (Audio Gateway)

Both keys have an Authentication and Authorization value set to 0x00000000 by
default. This setting allows anyone to remotely inject audio into a victim's PC
speakers, as well as remotely monitor audio via the microphone.

Had Martin Herfurt not written Car Whisperer this attack most likely would not have
materialized. Using Martins tool is the simplest way to demonstrate this
vulnerability against the Widcomm Bluetooth Stack. However, minor modifications to the
Car Whisperer code were necessary to eliminiate an issue with random static by issuing
the AT command: "AT+CASR=0", as well as some additional debugging messages for clarity.
The example below demonstrates the use of Car Whisperer against the Widcomm Audio
Gateway profile:

animosity:/home/kfinisterre/carwhisperer-0.1-verbose# ./carwhisperer 0
samples/message.raw aa 00:0B:0D:63:0B:CC 7
Voice setting: 0x0060
RFCOMM channel connected
SCO audio channel connected (handle 44, mtu 64)
RING buffer: AT+VGS=15
looping buffer: AT+CKPD=200

At this point the remote machine is playing the sample message distributed with Car
Whisperer (message.raw) while recording any audio present on the victim's microphone
to a local audio file on the attacker's machine.

Obviously, if the target computer is equiped with a microphone signifigant, privacy
issues could arise due to this vulnerability. It is trivial for an attacker to make
a target system with the exposed Widcomm Audio Gateway profile to play any audio he
desires, without having to supply a PIN or any other authentication credentials first.

Also note that injection of audio is an optional task; covert microphone monitoring
is also possible without having to notify the victim by playing an audio file.

Option 1: Remove Bluetooth dongle. =]

Option 2: This vulnerability can be mitigated by requiring authentication for the
Headset Audio Gateway profile:

- Right click on the Bluetooth icon in your systray
- Select "Advanced Configuration"
- Click "Local Services"
- Highlight the Headset profile and click properties
- Enable the the check box next to Secure Connection to require a PIN
when connecting to this profiile.

Repeat these steps for the Audio Gateway profile as well.

Option 3: Contact the vendor of your Bluetooth dongle for updated software from
Widcomm. Unfortunately, due to licensing requirements in place between
Broadcom/Widcomm and Bluetooth dongle vendors, it is not currently possible
to upgrade faulty driver code without purchasing a new dongle. Only through
complaining about this business practice can we attempt to motivate change at
Broadcom to provide security fixes to customers at no cost.

Despite multiple calls to Broadcom engineering to report this vulnerability, I was
unable to identify anyone who would talk to me regarding security failures in the
Widcomm drivers. "We do not do tech support" seemed to be the Broadcom mantra from
multiple individuals who I spoke to regarding this particular Bluetooth vulnerability.
Beyond my own attempts at disclosure it is very likely that this issue was also
reported to Widcomm by Pentest Limited[4] when the original batch of issues was found.

An extra special thanks goes to "that dude" in the Vigilar CISSP bootcamp that my boy
ri0t took. You my friend were the inspiration for this article... "I use that Widcomm
Bluetooth Software. It's pretty secure... I don't think that it has alot of problems".

Unauthorized whispering kicks ass!

[1] Car Whisperer, http://trifinite.org/trifinite_stuff_carwhisperer.html
[2] SkypeHeadset, http://www.skypeheadset.co.uk/
[3] BlueZ, http://www.bluez.org/
[4] The original Widcomm Pimps, http://www.pentest.co.uk/
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By