
Bluetooth Security Risks in Business

Contents

  1. Capturing Initial Pairing Exchanges and Brute Forcing the PIN
  2. Forcing Paired Devices to Rekey
  3. Eavesdropping on Bluetooth Headsets
Bluetooth was just a buzzword a few years ago, but now it is a feature that many look for in their next cell phone or gadget. We all welcome new wireless gadgets that make our life easier, from wireless hands-free devices to wireless keyboards. Yet with the growing number of Bluetooth devices in the corporate environment, are we ignoring or just unaware of the security risks associated with these devices? Nico Darrow tells you how to keep yourself safe from the hackers.

Bluetooth use has been a double-edged sword since its widespread adoption over the last few years. Issues with this technology center mostly on the obscurity of its security mechanisms and methods of pairing devices. For the average consumer, Bluetooth security is sufficient to provide an adequate comfort level.

Over the last few years, however, the hacker community has been developing tools to allow for "auditing" of Bluetooth devices. These tools mainly exploited implementation flaws in the Bluetooth protocols, which were easily fixed with a few well-placed patches. Modern Bluetooth hacking has evolved.

The greatest mitigating factor that kept hackers from breaking the Bluetooth protocol was the lack of visibility into it: following Bluetooth devices as they hop from channel to channel requires specialized hardware.

The cheapest hardware devices capable of performing these tasks cost upward of $10,000 (USD) and required registration.

This changed recently when Max Moser reverse-engineered the firmware of the expensive sniffer tools to run on consumer-grade Bluetooth devices using the CSR chipset. These cheaper devices permitted hackers full raw access to the wireless medium.

This unrestricted access to the medium allowed hackers to probe deeper into the protocol and perform sophisticated attacks against any Bluetooth-capable device. We are now seeing complex Bluetooth hacking tools becoming available to the public.

Understanding the vulnerabilities of Bluetooth requires a basic knowledge of how the technology works. The most commonly used devices are mobile phones and hands-free headsets.

Most readers will be familiar with how to get these two devices working. Headsets usually come with a default four-digit PIN set at the factory, which cannot be changed. Users then place these headsets in a "discoverable" mode, allowing other Bluetooth devices to see the headset and then "pair" the two devices.

This pairing requires the user to input the default headset PIN on the handset (usually something such as "0000" or "1234"). This completes the pairing process, and the user can now use the two devices together.

Once paired, the devices operate in a "non-discoverable" mode, which should prevent any non-paired device from seeing them.

Let us now take a look at real-world working techniques that exploit the headset/handset example described previously.

Capturing Initial Pairing Exchanges and Brute Forcing the PIN

This technique requires the hacker to be in close proximity to the two devices while they are being paired. The hacker captures the initial pairing exchange between the two devices using a Bluetooth sniffer.

The PIN can then be brute-forced out of the captured pairing data.

Users are generally safe from this attack because the one-time pairing occurs in safe locations out of reach of sniffers.
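To make the risk concrete, here is an added toy model of why a captured pairing plus a fixed four-digit PIN is enough for an offline search; it is not code from the article, and the HMAC-based functions are assumptions that stand in for the real SAFER+-based Bluetooth key derivation (they do not apply to real captures). The nonces are constructed; the point is that only the nonces and the response go over the air, so every candidate PIN can be checked against the transcript without touching the devices, and the work grows only with PIN length.

```python
import hashlib
import hmac
from itertools import product

# Toy stand-ins for the legacy pairing key derivation (the real Bluetooth
# functions are SAFER+ based and are NOT modelled here): an HMAC keyed by the
# PIN plays the role of the initialization-key derivation, and an HMAC keyed
# by that key plays the role of the authentication response. This is an
# assumption for illustration only; it does not work on real traffic.
def derive_kinit(pin: str, in_rand: bytes) -> bytes:
    return hmac.new(pin.encode(), in_rand, hashlib.sha256).digest()

def auth_response(kinit: bytes, au_rand: bytes) -> bytes:
    # Full 32-byte tag so the toy never false-matches (a real response is shorter).
    return hmac.new(kinit, au_rand, hashlib.sha256).digest()

# Constructed nonces standing in for the random values the devices exchange.
IN_RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
AU_RAND = bytes.fromhex("ffeeddccbbaa99887766554433221100")

def pairing_exchange(pin: str, in_rand: bytes = IN_RAND, au_rand: bytes = AU_RAND) -> dict:
    """Model the headset/handset pairing and return only what goes over the air.
    The PIN and the derived key are never transmitted; the nonces and the
    response are, and that is all a nearby sniffer captures."""
    kinit = derive_kinit(pin, in_rand)
    return {"in_rand": in_rand, "au_rand": au_rand, "sres": auth_response(kinit, au_rand)}

def recover_pin_from_capture(capture: dict, digits: int = 4):
    """Check every candidate PIN of the given length against the captured
    transcript offline. Returns (pin, guesses_tried) or (None, guesses_tried)."""
    guesses = 0
    for cand in ("".join(t) for t in product("0123456789", repeat=digits)):
        guesses += 1
        k = derive_kinit(cand, capture["in_rand"])
        if hmac.compare_digest(auth_response(k, capture["au_rand"]), capture["sres"]):
            return cand, guesses
    return None, guesses

def keyspace(digits: int) -> int:
    """Number of candidate PINs an offline search must cover."""
    return 10 ** digits

if __name__ == "__main__":
    # A factory-default "1234" headset PIN falls to the offline search almost at once.
    pin, tried = recover_pin_from_capture(pairing_exchange("1234"))
    print(f"recovered PIN {pin} after {tried} of {keyspace(4)} candidates")
    # An eight-digit PIN moves the same search from 10^4 to 10^8 candidates.
    print(f"8-digit keyspace: {keyspace(8)} candidates")
```

The four-digit search finishes in milliseconds on the toy model, which is why the fixed default PIN, not the sniffer, is the weak point; a headset whose PIN can be set to something longer raises the cost of the search by a factor of ten per digit.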
