I Can Hear You Now: Eavesdropping on  Bluetooth Headsets

Tuesday, September 18, 2007


I’ve been spending more time evaluating Bluetooth technology lately, and have put together a YouTube video demonstrating an attack against a Bluetooth headset.

Recent advances in SDR technology, including Dominic Spill’s paper “BlueSniff: Eve Meets Alice and Bluetooth”, have made it possible to identify the Bluetooth device address of non-discoverable devices such as headsets. Unlike earlier attempts to find undiscoverable Bluetooth devices, such as RedFang, BlueSniff reveals 3 or 4 bytes of the address within seconds by passively capturing an active Bluetooth connection. The remaining 3 or 2 bytes of the Bluetooth address can be determined by testing each of the common Bluetooth OUIs, using the results of the BNAP, BNAP project.

Once the Bluetooth device address is known, an attacker can connect to the headset as if he were a legitimate phone, authenticating with a fixed PIN of “0000”. Even when not configured in discoverable mode, my JawBone headset will respond to these unsolicited connection requests, allowing an attacker to pair with it and record any audio within range of the headset microphone. The attacker can also inject arbitrary audio through the headset, which could get interesting when applied with finesse.

For this attack, I used the BlueSniff tools with my USRP SDR, a modified version of BTScanner to perform the scanning to determine the unknown bytes of the Bluetooth device address, and the CarWhisperer tool to record and inject audio.  I’ll be demonstrating this attack live at the SANS NS2007 conference in Las Vegas next week.  Comments are most welcome.
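To put numbers on the exposure described above, here is an added example (my own illustration, not code from the post or from the BlueSniff, BTScanner or CarWhisperer tools) that splits a Bluetooth device address into its NAP/UAP/LAP fields and counts how many full addresses remain consistent with what a passive listener can overhear. The sample address and OUI list are constructed placeholders, not real vendor prefixes.

```python
# Added example, not from the original post: quantify how much of a 48-bit
# Bluetooth device address still has to be guessed once its low-order bytes
# leak. BD_ADDR = NAP (2 bytes) : UAP (1 byte) : LAP (3 bytes); the vendor
# OUI is the upper three bytes, i.e. NAP + UAP.
from typing import List, Optional


def parse_bd_addr(addr: str) -> dict:
    """Split 'NN:NN:UU:LL:LL:LL' into its NAP, UAP and LAP fields."""
    parts = addr.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed BD_ADDR: {addr!r}")
    octets = [int(p, 16) for p in parts]
    if any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"octet out of range in {addr!r}")
    return {
        "nap": (octets[0] << 8) | octets[1],
        "uap": octets[2],
        "lap": (octets[3] << 16) | (octets[4] << 8) | octets[5],
    }


def search_space(uap_known: bool, ouis: Optional[List[str]] = None,
                 uap: Optional[int] = None) -> int:
    """Number of full addresses still consistent with what was overheard.

    The LAP is always taken as known (it is part of every packet's access
    code). Without a vendor list the NAP (+UAP) must be brute-forced, 2^16 or
    2^24 possibilities. With a list of common OUIs only those remain, and a
    known UAP also discards every OUI whose low byte does not match it.
    """
    if uap_known and uap is None:
        raise ValueError("uap value required when uap_known is True")
    if ouis is None:
        return 1 << 16 if uap_known else 1 << 24
    if not uap_known:
        return len(ouis)
    return sum(1 for o in ouis if int(o.split(":")[2], 16) == uap)


# Constructed sample OUI list (placeholder values, not real vendor prefixes).
SAMPLE_OUIS = ["02:AA:22", "02:BB:22", "02:CC:33"]

if __name__ == "__main__":
    f = parse_bd_addr("02:AA:22:33:44:55")  # constructed sample address
    print(f"NAP=0x{f['nap']:04X} UAP=0x{f['uap']:02X} LAP=0x{f['lap']:06X}")
    print("LAP only, brute force:", search_space(False))
    print("LAP+UAP, brute force: ", search_space(True, uap=f["uap"]))
    print("LAP only, OUI list:   ", search_space(False, SAMPLE_OUIS))
    print("LAP+UAP, OUI list:    ", search_space(True, SAMPLE_OUIS, f["uap"]))
```

The drop from 2^24 to a handful of candidates is why an overheard connection is enough to reach a headset that was never made discoverable.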


Special thanks to The NickDe for his help as my camera man, and “victim” in this video.
