Car Whisperer
The carwhisperer project intends to sensibilise manufacturers
of carkits and other Bluetooth appliances without display and keyboard
for the possible
security threat evolving from the use of standard passkeys.
A Bluetooth passkey is used within the pairing process that takes
place, when
two Bluetooth enabled devices connect for the first time. Besides
other public
data, the passkey is a secret parameter used in the process that
generates and
exchanges the so-called link key. In Bluetooth communication scenarios
the link
key is used for authentication and encryption of the information
that is
exchanged between the counterparts of the communication.
The cw_scanner
script is repeatedly performing a device inquiry for visible
Bluetooth devices of which the class matches the one of Bluetooth
Headsets
and Hands-Free Units. Once a visible Bluetooth device with the
appropriate
device class is found, the cw_scanner script executes the carwhisperer
binary
that connects to the found device (on RFCOMM channel 1) and opens
a control
connection and connects the SCO links.
The carwhiperer binary connects to the device found by the cw_scanner.
The passkey that is required for the initial connection to the
device is provided
by the cw_pin.pl script that replaces the official Bluez PIN helper
(graphical
application that usually prompts for the passkey). The cw_pin.pl
script
provides the passkey depending on the Bluetooth address that requests
it.
Depending on the first three bytes of the address, which references
the
manufacturer, different passkeys are returned by the cw_pin.sh
script. In
quite a few cases the preset standard passkey on headsets and handsfree
units
is '0000' or '1234'.
Once the connection has been successfully established, the carwhisperer
binary
starts sending audio to, and recording audio from the headset.
This allows attackers to inject audio data into the car. This could
be fake
traffic announcements or nice words. Attackers are also able to
eavesdrop
conversations among people sitting in the car.
Ideally, the carwhisperer is used with a toooned dongle
and
a directional
antenna that enhances the range of a Bluetooth radio quite a bit.
(see Long-Distance-Snarf
experiment)
Recommendations
In order to avoid getting attacked by carwhisperer, manufacturers
should not
use standard passkeys in their Bluetooth appliances. Moreover,
there should be
some kind of direct interaction with the device that allows a device
to connect.
Another recommendation would be to switch the handsfree unit to
invisible mode,
when no authorized device connects to it within a certain time.
Not all Bluetooth carkits are subject to this threat. There is
quite a few
Bluetooth carkits that use random passkeys that are generated for
every
individual device during the production process. Carkits that are
integrated
with a full infotainment system could use (and sometimes already
do use) the
infotainment system's UI for acquiring a passkey from the user.
Downloads
Please use this Proof-of-Concept application responsible !
People Involved
For questions about the Car Whisperer application, feel free to ask Martin
Herfurt.
|