The carwhisperer project intends to sensibilise manufacturers
of carkits and other Bluetooth appliances without display and keyboard
for the possible
security threat evolving from the use of standard passkeys.
A Bluetooth passkey is used within the pairing process that takes
two Bluetooth enabled devices connect for the first time. Besides
data, the passkey is a secret parameter used in the process that
exchanges the so-called link key. In Bluetooth communication scenarios
key is used for authentication and encryption of the information
exchanged between the counterparts of the communication.
script is repeatedly performing a device inquiry for visible
Bluetooth devices of which the class matches the one of Bluetooth
and Hands-Free Units. Once a visible Bluetooth device with the
device class is found, the cw_scanner script executes the carwhisperer
that connects to the found device (on RFCOMM channel 1) and opens
connection and connects the SCO links.
The carwhiperer binary connects to the device found by the cw_scanner.
The passkey that is required for the initial connection to the
device is provided
by the cw_pin.pl script that replaces the official Bluez PIN helper
application that usually prompts for the passkey). The cw_pin.pl
provides the passkey depending on the Bluetooth address that requests
Depending on the first three bytes of the address, which references
manufacturer, different passkeys are returned by the cw_pin.sh
quite a few cases the preset standard passkey on headsets and handsfree
is '0000' or '1234'.
Once the connection has been successfully established, the carwhisperer
starts sending audio to, and recording audio from the headset.
This allows attackers to inject audio data into the car. This could
traffic announcements or nice words. Attackers are also able to
conversations among people sitting in the car.
Ideally, the carwhisperer is used with a toooned dongle
antenna that enhances the range of a Bluetooth radio quite a bit.
In order to avoid getting attacked by carwhisperer, manufacturers
use standard passkeys in their Bluetooth appliances. Moreover,
there should be
some kind of direct interaction with the device that allows a device
Another recommendation would be to switch the handsfree unit to
when no authorized device connects to it within a certain time.
Not all Bluetooth carkits are subject to this threat. There is
quite a few
Bluetooth carkits that use random passkeys that are generated for
individual device during the production process. Carkits that are
with a full infotainment system could use (and sometimes already
do use) the
infotainment system's UI for acquiring a passkey from the user.
Please use this Proof-of-Concept application responsible !
For questions about the Car Whisperer application, feel free to ask Martin