Car Whisperer

WVE ID: WVE-2005-0001

Type: Exploit

Status: Candidate

Classification:
Authentication Management
Hijacking

Description:
Car Whisperer is a tool that can be used to eavesdrop on and broadcast audio to a Bluetooth headset or hands-free device. It accomplishes this by relying on the well-known and static nature of the PIN codes that these types of devices use.

Discussion:
The Car Whisperer tool consists of three programs. The cw_scanner script is used to discover Bluetooth devices within range that have either a headset or hands-free profile. Once a device is discovered, the script invokes the carwhisperer binary, which then opens an RFCOMM connection on channel 1 to the device.

It then establishes a synchronous connection to be used to send and receive audio from the remote device. This allows the attacker to broadcast audio to the device and covertly receive audio from its microphone.

To provide the numerical PIN needed to complete the connection, the carwhisperer binary invokes the cw_pin.pl script using the OUI of the remote device's BD address. This allows the script to easily identify the manufacturer of the device and then determine what PIN is commonly used by the manufacturer for such devices. Its ability to do this relies on the common manufacturing procedure of hard-coding non-unique PIN codes into devices that do not have a method for inputting a user-specified PIN.

Once the correct PIN has been determined, the connection is established and the carwhisperer binary begins to send audio to the remote device while recording the audio it receives from it.

Credits
Author: Martin Herfurt (martin@trifinite.org) : trifinite.org

References
URL: http://trifinite.org/trifinite_stuff_carwhisperer.html

Released: 2005-07-31

Submitter
Andrew Lockhart (alockhart@networkchemistry.com) : Network Chemistry

Submitted: Mon Oct 24 09:53:28 -0700 2005

Candidate Date: Thu Oct 06 13:59:22 -0700 2005

