Bluetooth use has been a double-edged sword since its widespread adoption over the last few years. Issues with this technology center mostly on the obscurity of its security mechanisms and methods of pairing devices. For the average consumer, Bluetooth security is sufficient to provide an adequate comfort level.
Over the last few years, however, the hacker community has been developing tools to allow for "auditing" of Bluetooth devices. These tools mainly exploited implementation flaws in the Bluetooth protocols, which were easily fixed with a few well-placed patches. Modern Bluetooth hacking has evolved.
The greatest mitigating factor that prevented hackers from busting the Bluetooth protocol was the lack of visibility into the protocol and hardware to follow the Bluetooth devices as they hop from channel to channel.
The cheapest hardware devices, which possessed the capabilities to perform these tasks cost upward of $10,000(USD) and required registration.
This changed recently when Max Moser reverse-engineered the firmware of the expensive sniffer tools to run on consumer-grade Bluetooth devices using the CSR chipset. These cheaper devices permitted hackers full raw access to the wireless medium.
This unrestricted access to the medium allowed hackers to probe deeper into the protocol and perform sophisticated attacks against any Bluetooth-capable device. We are now seeing complex Bluetooth hacking tools becoming available to the public.
Understanding the vulnerabilities of Bluetooth requires a simple knowledge of how the technology works. The most commonly used devices are mobile phones and hands-free headsets.
Most readers will be familiar with how to get these two devices working. Headsets usually come with a default four-digit pin number from factory which cannot be changed. Users then place these headsets in a "discoverable" mode, allowing other Bluetooth devices to see the headset and then "pair" the two devices.
This pairing requires the user to input the default headset pin on the handset (usually something such as "0000" or "1234"). This completes the pairing process, and the user can now use the two devices together.
Once paired, they now operate in a "non-discoverable" mode, which should prevent any non-paired device from seeing them.
Let us now take a look at real-world working techniques that exploit the headset/handset example described previously.
Capturing Initial Pairing Exchanges and Brute Forcing the PIN
This technique requires the hacker to be in close proximity of the two devices while they are being paired. The hacker captures the initial pairing exchange between the two devices using a Bluetooth sniffer.
The PIN can then be brute-forced out of the captured pairing data.
Users are generally safe from this attack because the one-time pairing occurs in safe locations out of reach of sniffers.