Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Car Whisperer

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Car Whisperer
Date: 7 Aug 2005 17:28:21 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Car Whisperer
------------------------------------------------------------------------


SUMMARY

The carwhisperer project intends to educates manufacturers of carkits and 
other Bluetooth appliances to the possibility of a security threat caused 
by the use of standard passkeys.

DETAILS

A Bluetooth passkey is used within the pairing process that takes place, 
when two Bluetooth enabled devices connect for the first time. Besides 
other public data, the passkey is a secret parameter used in the process 
that generates and exchanges the so-called link key. In Bluetooth 
communication scenarios the link key is used for authentication and 
encryption of the information that is exchanged between the counterparts 
of the communication.

The cw_scanner script repeatedly performs a device inquiry for visible 
Bluetooth devices of which the class matches the one of Bluetooth Headsets 
and Hands-Free Units. Once a visible Bluetooth device is found and it has 
the appropriate device class is found, the cw_scanner script executes the 
carwhisperer binary that connects to the found device (on RFCOMM channel 
1) and opens a control connection and connects the SCO links.

The carwhiperer binary connects to the device found by the cw_scanner. The 
passkey that is required for the initial connection to the device is 
provided by the cw_pin.pl script that replaces the official Bluez PIN 
helper (graphical application that usually prompts for the passkey). The 
cw_pin.pl script provides the passkey depending on the Bluetooth address 
that requests it. Depending on the first three bytes of the address, which 
references the manufacturer, different passkeys are returned by the 
cw_pin.sh script. In quite a few cases the preset standard passkey on 
headsets and handsfree units is '0000' or '1234'.

Once the connection has been successfully established, the carwhisperer 
binary starts sending audio to, and recording audio from the headset. This 
allows attackers to inject audio data into the car. This could be fake 
traffic announcements or nice words. Attackers are also able to eavesdrop 
conversations among people sitting in the car.

Ideally, the carwhisperer is used with a toooned dongle and a directional 
antenna that enhances the range of a Bluetooth radio quite a bit. (see 
Long-Distance-Snarf experiment)

Recommendations:
In order to avoid getting attacked by carwhisperer, manufacturers should 
not use standard passkeys in their Bluetooth appliances. Moreover, there 
should be some kind of direct interaction with the device that allows a 
device to connect. Another recommendation would be to switch the handsfree 
unit to invisible mode, when no authorized device connects to it within a 
certain time.

Not all Bluetooth carkits are subject to this threat. There is quite a few 
Bluetooth carkits that use random passkeys that are generated for every 
individual device during the production process. Carkits that are 
integrated with a full infotainment system could use (and sometimes 
already do use) the infotainment system's UI for acquiring a passkey from 
the user.

Proof of Concept:
A proof of concept can be found at:  
<http://trifinite.org/Downloads/carwhisperer-0.1.tar.gz> 
http://trifinite.org/Downloads/carwhisperer-0.1.tar.gz


ADDITIONAL INFORMATION

The information has been provided by  <mailto:juha-matti.laurio@netti.fi> 
Juha-Matti Laurio .
The review was written by  <mailto:martin@trifinite.org> Martin Herfurt.
The original article can be found at:  
<http://trifinite.org/trifinite_stuff_carwhisperer.html> 
http://trifinite.org/trifinite_stuff_carwhisperer.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Car Whisperer, SecuriTeam <=
Previous by Date:  [NT] Acunetix HTTP Sniffer DoS, SecuriTeam
Next by Date:  [NT] CA BrightStor ARCserve Backup Agent For MS SQL Server Buffer Overflow, SecuriTeam
Previous by Thread:  [NT] Acunetix HTTP Sniffer DoS, SecuriTeam
Next by Thread:  [NT] CA BrightStor ARCserve Backup Agent For MS SQL Server Buffer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]