A SECURITY flaw could allow hackers to eavesdrop on cellphone conversations made on Bluetooth-based wireless headsets, it was revealed this week.
All that is needed to exploit the flaw is a piece of equipment called a “Bluetooth sniffer”, according to @Stake, the London-based security company that discovered it. The £3,000 device, which is normally used for testing, is a plug-in module for PCs that locks onto the Bluetooth signal.
When two devices begin to communicate via Bluetooth, they perform a “bonding” process by swapping identity information. It is during this authentication that the system is vulnerable, @Stake’s Ollie Whitehouse says.
Advertisement
Connecting the phone and headset involves keying the PIN supplied with the headset into the cellphone. If the PIN is correct, the bonding process can begin. Whitehouse has discovered that by intercepting the radio signals communicated during this process the PIN can be identified. After that, it is relatively simple to use a Bluetooth link to listen in on conversations or access the phone and steal contact information and call logs. This would be invaluable to private investigators, tabloid newspapers and industrial spies. “It’s not trivial, but someone who is technically competent can engineer the software to do it,” Whitehouse says.
Bluetooth is a wireless standard that allows gadgets up to 10 metres apart to communicate with each other using a short-range microwave radio signal. It allows PCs to link to printers, for instance, and a cellphone to communicate with a headset.
Each time the phone and headset are switched on, the phone sends the headset a long random number, which Bluetooth software in each device combines with the PIN to create a “link key”. The two devices exchange this link key to confirm they have the same PIN – but without the PIN being sent between the two.
Whitehouse told the CanSec West security conference in Vancouver, Canada, that he has discovered how to work out the PIN. He monitors the broadcast random number and the link keys, which is simple because the software routine used to generate the link key is published by the Bluetooth Special Interest Group, the consortium that developed the system. It is then possible to “reverse engineer” the PIN.
However, the hack only works if the PIN is short and comprises numbers only, not text.
Unfortunately most headset PINs – even when users set their own – are typically only four to six digits long. Whitehouse says he has yet to find a cellphone model that allows people to use both letters and numbers in a PIN. A four-digit PIN would typically take Whitehouse’s software 0.1 seconds to crack, whereas an eight-digit PIN would take 20 minutes, and 10 digits 36 hours.
To protect themselves, Whitehouse suggests users choose long PINs and mobile makers should allow alphanumeric ones on future cellphones.
The cellphone industry acknowledges the risk. “The operation of Bluetooth on a handset carries with it inherent risks,” admits Jack Wraith of the Mobile Industry Crime Action Forum in the UK.
A spokesman for the Bluetooth SIG promised to investigate @Stake’s findings and says it “will respond to any security issues with haste”.