A SECURITY flaw could allow hackers to eavesdrop on cellphone conversations made on Bluetooth-based wireless headsets, it was revealed this week.
All that is needed to exploit the flaw is a piece of equipment called a 鈥淏luetooth sniffer鈥, according to @Stake, the London-based security company that discovered it. The 拢3,000 device, which is normally used for testing, is a plug-in module for PCs that locks onto the Bluetooth signal.
When two devices begin to communicate via Bluetooth, they perform a 鈥渂onding鈥 process by swapping identity information. It is during this authentication that the system is vulnerable, @Stake鈥檚 Ollie Whitehouse says.
Advertisement
Connecting the phone and headset involves keying the PIN supplied with the headset into the cellphone. If the PIN is correct, the bonding process can begin. Whitehouse has discovered that by intercepting the radio signals communicated during this process the PIN can be identified. After that, it is relatively simple to use a Bluetooth link to listen in on conversations or access the phone and steal contact information and call logs. This would be invaluable to private investigators, tabloid newspapers and industrial spies. 鈥淚t鈥檚 not trivial, but someone who is technically competent can engineer the software to do it,鈥 Whitehouse says.
Bluetooth is a wireless standard that allows gadgets up to 10 metres apart to communicate with each other using a short-range microwave radio signal. It allows PCs to link to printers, for instance, and a cellphone to communicate with a headset.
Each time the phone and headset are switched on, the phone sends the headset a long random number, which Bluetooth software in each device combines with the PIN to create a 鈥渓ink key鈥. The two devices exchange this link key to confirm they have the same PIN 鈥 but without the PIN being sent between the two.
Whitehouse told the CanSec West security conference in Vancouver, Canada, that he has discovered how to work out the PIN. He monitors the broadcast random number and the link keys, which is simple because the software routine used to generate the link key is published by the Bluetooth Special Interest Group, the consortium that developed the system. It is then possible to 鈥渞everse engineer鈥 the PIN.
However, the hack only works if the PIN is short and comprises numbers only, not text.
Unfortunately most headset PINs 鈥 even when users set their own 鈥 are typically only four to six digits long. Whitehouse says he has yet to find a cellphone model that allows people to use both letters and numbers in a PIN. A four-digit PIN would typically take Whitehouse鈥檚 software 0.1 seconds to crack, whereas an eight-digit PIN would take 20 minutes, and 10 digits 36 hours.
To protect themselves, Whitehouse suggests users choose long PINs and mobile makers should allow alphanumeric ones on future cellphones.
The cellphone industry acknowledges the risk. 鈥淭he operation of Bluetooth on a handset carries with it inherent risks,鈥 admits Jack Wraith of the Mobile Industry Crime Action Forum in the UK.
A spokesman for the Bluetooth SIG promised to investigate @Stake鈥檚 findings and says it 鈥渨ill respond to any security issues with haste鈥.