- Capturing Initial Pairing Exchanges and Brute Forcing the PIN
- Forcing Paired Devices to Rekey
- Eavesdropping on Bluetooth Headsets
Forcing Paired Devices to Rekey
This is by far the newest and most dangerous attack available in the hacker arsenal. This technique involves spoofing the address of one of the paired devices and notifying the other paired device to rekey.
Not only will this rekey allow the hacker to gain access to the PIN but also to the Linkkey. The Linkkey is way more important than the PIN because it will allow the hacker to perform data decryption, remote connections, and connections without the device being in pairing mode or discoverable mode. This can be done without the user noticing anything.
- Hacker reconstructs BD_ADDR of both Master and Slave through passive or active means.
- Hacker spoofs his BD_ADDR to match that of the Slave device.
- Hacker asks to pair with the Master device, indicating that it has no key. That forces the Master to dump the old pairing data and request a new Linkkey from the genuine Slave device.
- Hacker now captures the key exchange taking place between the two genuine devices as they try to re-establish a connection.
- Using tools such as BTCrack, the hacker can now compromise the Master and Slave devices through usage of the cracked Linkkey and has the ability to decrypt data between the two devices.
Other Attack Examples
- Bluetooth Keylogger: Captures keystrokes from Bluetooth keyboards.
- GPS Hacking: Hijacks Bluetooth GPS modules by injecting fake information to the Master device.
- Contact List/Email Stealing: One of the older attack scenarios; allows hackers to strip victims’ mobile phones of all their contact information, access text messages, and search through victims’ e-mail.
- Internet Connections: Hacking smart phones and enabling their use as modems for data connections.