May 2008: Bluetooth Security Risks
|
Bluetooth was just a buzzword a few years ago, but it is now a feature that many people look for in their next mobile phone or gadget. Wireless gadgets make life easier, yet as the number of Bluetooth devices grows, are we ignoring, or simply unaware of, the security risks that come with them?
The issues with this technology centre mostly on the obscurity of its security mechanisms, which are hard to observe on the air, and on the way devices are paired.
Over the last few years the hacker community has been developing tools for "auditing" Bluetooth devices. The greatest obstacle that kept hackers from attacking the Bluetooth protocol was lack of visibility: classic Bluetooth hops across 79 channels 1,600 times a second, so observing a link requires hardware that follows the devices as they hop from channel to channel.
The cheapest hardware capable of this cost upward of $10,000 (USD) and required registration.
This changed when Max Moser showed that the firmware of the expensive sniffers could be reverse-engineered to run on consumer-grade Bluetooth dongles. These cheap devices gave hackers full raw access to the wireless medium.
With unrestricted access to the medium, hackers could probe deeper into the protocol and mount sophisticated attacks against any Bluetooth-capable device. Complex Bluetooth hacking tools are now becoming available to the public.
Understanding the vulnerabilities of Bluetooth requires only a basic understanding of how the technology works. The most commonly used devices are mobile phones and hands-free headsets.
Most readers will know how to get these two devices working. Headsets usually ship with a factory-default four-digit PIN that cannot be changed. The user places the headset in "discoverable" mode, which lets other Bluetooth devices see it, and then "pairs" the two devices.
Pairing requires the user to enter the headset's default PIN (usually something like "0000" or "1234") on the handset. That completes the pairing, and the two devices can be used together.
Once paired, they operate in "non-discoverable" mode, which is meant to stop non-paired devices from seeing them. Note that non-discoverable mode only stops the device from answering inquiry scans; a device that already knows its Bluetooth address can still attempt to connect to it.
However, a hacker who is within range while the two devices are being paired can use a technique known as capturing the initial pairing exchange and brute-forcing the PIN.
The hacker must be close enough to both devices during pairing to record the initial exchange with a Bluetooth sniffer. Because the initialisation key, the link key and the authentication response are all derived from the PIN together with values that are sent in the clear, the PIN can then be brute-forced offline from the captured data, with no further contact with either device. A four-digit PIN has only 10,000 possibilities, and Shaked and Wool showed in 2005 that it can be recovered in well under a second once the exchange has been captured.
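To make the pairing flow and the attack in the paragraphs above concrete, the following is an added example; it is not code from Darrow's article or from the WOUGNET summary. It models legacy (pre-2.1) Bluetooth pairing as the exchange of IN_RAND, two LK_RANDs masked with the initialisation key, and an AU_RAND/SRES authentication, then recovers the PIN offline from those sniffed values alone. The real E22, E21 and E1 functions are built on the SAFER+ cipher; this example substitutes HMAC-SHA256 stand-ins (an assumption made so it runs without a SAFER+ implementation), and the device addresses, the PIN and the random values are constructed, so the numbers are illustrative while the message flow and the attacker's procedure follow the legacy pairing.

```python
import hashlib
import hmac
import itertools
import os


def _prf(label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the SAFER+-based Bluetooth functions (assumption,
    chosen so the example runs without a SAFER+ implementation)."""
    h = hmac.new(label, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialisation key: Kinit = E22(PIN, BD_ADDR, IN_RAND), 16 bytes."""
    return _prf(b"E22", pin, bd_addr, in_rand)[:16]


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's share of the combination (link) key: E21(LK_RAND, BD_ADDR)."""
    return _prf(b"E21", lk_rand, bd_addr)[:16]


def e1(link_key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:
    """Authentication response: SRES = E1(Klink, BD_ADDR_claimant, AU_RAND), 4 bytes."""
    return _prf(b"E1", link_key, bd_addr, au_rand)[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def legacy_pairing(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom) -> dict:
    """Run legacy pairing between A (the phone, where the PIN is entered) and B
    (the fixed-PIN headset) and return only the values that cross the air,
    i.e. what a sniffer in range captures. Which address feeds E22 is fixed by
    the spec; B's is used here (assumption) and the attacker knows both anyway."""
    in_rand = rng(16)                         # A -> B, sent in the clear
    kinit = e22(pin, addr_b, in_rand)         # both sides compute this from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    c_a = xor(lk_rand_a, kinit)               # A -> B: LK_RAND_A masked with Kinit
    c_b = xor(lk_rand_b, kinit)               # B -> A: LK_RAND_B masked with Kinit
    klink = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    au_rand = rng(16)                         # A -> B: authentication challenge
    sres = e1(klink, addr_b, au_rand)         # B -> A: response, only 32 bits
    return {"in_rand": in_rand, "c_a": c_a, "c_b": c_b,
            "au_rand": au_rand, "sres": sres}


def crack_pin(capture: dict, addr_a: bytes, addr_b: bytes, pin_len: int = 4):
    """Offline brute force: for each candidate PIN recompute Kinit, unmask both
    LK_RANDs, rebuild Klink and check whether it reproduces the sniffed SRES.
    Returns (pin, candidates_tried), or (None, 10**pin_len) if nothing matched."""
    tried = 0
    for digits in itertools.product("0123456789", repeat=pin_len):
        tried += 1
        pin = "".join(digits).encode()
        kinit = e22(pin, addr_b, capture["in_rand"])
        lk_rand_a = xor(capture["c_a"], kinit)
        lk_rand_b = xor(capture["c_b"], kinit)
        klink = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
        if e1(klink, addr_b, capture["au_rand"]) == capture["sres"]:
            return pin.decode(), tried
    return None, tried


def demo(pin: str = "1234") -> tuple:
    """Constructed scenario: made-up phone and headset addresses (assumption) and
    a deterministic stand-in for the devices' random number generators so the
    run is reproducible."""
    addr_phone = bytes.fromhex("001122334455")
    addr_headset = bytes.fromhex("00aabbccddee")
    counter = itertools.count()

    def det_rng(n: int) -> bytes:
        return hashlib.sha256(str(next(counter)).encode()).digest()[:n]

    capture = legacy_pairing(pin.encode(), addr_phone, addr_headset, rng=det_rng)
    return crack_pin(capture, addr_phone, addr_headset, pin_len=len(pin))


if __name__ == "__main__":
    recovered, tried = demo("1234")
    print(f"recovered PIN {recovered} after {tried} candidates")
```

The brute force never talks to either device, which is why the moment of pairing is the exposure: everything the attacker needs is in the sniffed IN_RAND, the two masked LK_RANDs and one AU_RAND/SRES pair. The work is 10^n candidates for an n-digit numeric PIN, each costing a few key derivations, and since SRES is only 32 bits the match check is cheap; a fixed four-digit PIN on a headset therefore offers no real resistance once the exchange has been captured.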
For the average consumer, however, Bluetooth security is sufficient to provide an adequate comfort level. Users are generally safe from this attack if the one-time pairing happens out of reach of sniffers, for example at home rather than in a crowded public place, and where a device allows a longer PIN, using one raises the cost of the brute force. Devices implementing the Secure Simple Pairing introduced in Bluetooth 2.1 no longer derive their keys from a PIN and are not exposed to this capture-and-brute-force attack.
- - Summarised by the WOUGNET TechSupport from an article by Nico Darrow. The full article is here.