Hijacking Bluetooth Headset

December 11, 2012

[Note: This demonstration is based on article “Bluetooth Reconnaissance – Watching over Invisible and Cloning Bluetooth Device”. Please go through it before moving forward]

For this demonstration we are using the following devices and tools:

  • Bluetooth Headset
  • External Bluetooth Dongle
  • Laptop with BackTrack 5 R3

In this section we will see how to remotely inject audio into a Bluetooth headset and also record the audio coming from it.

First we bring our Bluetooth device up:
# hciconfig hci0 up

If you look closely at the hci0 settings, its device class is “Miscellaneous”, which is not compatible with Bluetooth headsets.

With this setting it will not be possible to establish a connection with such Bluetooth devices.

So we need to change its class to the audio/video device type, which can work with a Bluetooth headset:
# hciconfig hci0 class 0x200404

If we look at the hci0 settings again, the device type now reads “Device conforms to the Headset Profile”.

Note that the BD_ADDR of the hci0 interface is 00:07:AB:FF:CF:87.

Now we create a folder named after this BD_ADDR in the /var/lib/bluetooth directory.

In that BD_ADDR folder we create a text file named “pincodes”, which assigns the PIN 0000 to the Bluetooth headset into which we are going to inject audio.

We scanned for the BD_ADDR of our Bluetooth headset victim and found the headset at 12:01:07:00:01:E7.

Now all the required setup is in place. It’s time to play with our little Bluetooth headset victim. Here we go…

For this attack we will use the tool “carwhisperer”.

Download url: http://trifinite.org/Downloads/carwhisperer-0.2.tar.gz

And now:

# ./carwhisperer <interface> <injecting audio file> <output file> <victim BD_ADDR>

Game Over!

Here we successfully injected our own message into the headset, and the audio recorded from it is stored in the out.raw file.
The injected audio has to be in .raw format. SoX is a nice tool for audio conversion; it can convert WAV files to raw and vice versa.

To perform this attack more smoothly and from a longer distance you can buy a very long-range Bluetooth dongle, such as the AIRcable.
