DMA[2005-1214a] - 'Widcomm BTW - Bluetooth for Windows Remote Audio Eavesdropping' Author: Kevin Finisterre Vendor: http://www.widcomm.com, http://www.broadcom.com/products/Bluetooth/ Product: 'versions <= BTW 4.0.1.1500 ?' References: http://www.digitalmunition.com/DMA[2005-1214a].txt Description: When my Bluetooth fetish first began one of the first things I attempted to exploit was the Widcomm Audio Gateway and Headset profiles. My early attempts involved trying to connect to a remote headset profile in order to use sndrec32 to record from the microphone (using the Sounds and Audio Devices control panel applet to set the Sound recording Default device to 'Bluetooth Audio'). For the longest time I could not understand why pressing the record button on sndrec32 returned nothing but an empty .wav file. Despite multiple attempts to record from the microphone on a target system, I was unable to capture any audio. Over this past weekend I purchased a GoldLantern Supertalk Wireless Hands Free Kit for use in testing Car Whisperer [1]. After successfully playing an assortment of converted .wav files over GoldLantern device with Car Whisperer, I decided it would be nice to be able to do something similar in the win32 world. After some experimentation with the SkypeHeadset plugin [2] it became clear to me why simply setting my default recording device to 'Bluetooth Audio' had no effect; before attempting to read from the microphone it is necessary to send a 'RING' message to the headset profile! In theory, running the carwhisperer binary against a Windows machine running the Widcomm stack should result in a remote eavesdropping attack. The reason that my previous attempts at exploiting the Widcomm Audio Gateway and Headset profile failed was more apparant now. While traditional hands free kits use channel 1 and a specific device class, the Widcomm drivers use channel 7 and a device class os 0x72010c: kfinisterre01:/home/kfinisterre$ tar xzf carwhisperer-0.1.tar.gz kfinisterre01:/home/kfinisterre$ cd carwhisperer-0.1 kfinisterre01:/home/kfinisterre/carwhisperer-0.1$ grep hcitool . -r ./cw_scanner: open HCITOOL , "hcitool -i hci0 inq --flush | grep 0x200 |"; The cw_scanner script that comes with Car Whisperer uses the BlueZ [3] hcitool utility to run an inquiry against the device, returning only lines that match the string "0x200", corresponding to the Hands Free Audio Gateway and Headset profile. Querying the Widcomm Audio Gateway profile indicates a different device class: kfinisterre01:/home/kfinisterre$ hcitool inq Inquiring ... 00:0A:3A:54:71:95 clock offset: 0x3dec class: 0x72010c As you can see above, the cw_scanner script would ignore my laptop because of the device class used for the Audio Gateway profile. A quick sdptool search reveals that my device has a valid Headset Profile waiting to be exploited: kfinisterre01:/home/kfinisterre/carwhisperer-0.1$ sdptool search HS Inquiring ... Searching for HS on 00:0A:3A:54:71:95 ... Service Name: Headset Service RecHandle: 0x10009 Service Class ID List: "Headset" (0x1108) "Generic Audio" (0x1203) Protocol Descriptor List: "L2CAP" (0x0100) "RFCOMM" (0x0003) Channel: 7 Language Base Attr List: code_ISO639: 0x656e encoding: 0x6a base_offset: 0x100 Profile Descriptor List: "Headset" (0x1108) Version: 0x0100 Further analysis indicates that both my Belkin Bluetooth Software 1.4.2 Build 10 and my ANYCOM Blue USB-130-250 Software 4.0.1.1500 have the following registry keys: HKLM\SOFTWARE\Widcomm\BTConfig\Services\008\ (HeadSet) HKLM\SOFTWARE\Widcomm\BTConfig\Services\009\ (Audio Gateway) Both keys have an Authentication and Authorization value set to 0x00000000 by default. This setting allows anyone to remotely inject audio into a victim's PC speakers, as well as remotely monitor audio via the microphone. Had Martin Herfurt not written Car Whisperer this attack most likely would not have materialized. Using Martins tool is the simplest way to demonstrate this vulnerability against the Widcomm Bluetooth Stack. However, minor modifications to the Car Whisperer code were necessary to eliminiate an issue with random static by issuing the AT command: "AT+CASR=0", as well as some additional debugging messages for clarity. The example below demonstrates the use of Car Whisperer against the Widcomm Audio Gateway profile: animosity:/home/kfinisterre/carwhisperer-0.1-verbose# ./carwhisperer 0 samples/message.raw aa 00:0B:0D:63:0B:CC 7 Voice setting: 0x0060 RFCOMM channel connected SCO audio channel connected (handle 44, mtu 64) Sleeping RING buffer: AT+VGS=15 looping buffer: AT+CKPD=200 At this point the remote machine is playing the sample message distributed with Car Whisperer (message.raw) while recording any audio present on the victim's microphone to a local audio file on the attacker's machine. Obviously, if the target computer is equiped with a microphone signifigant, privacy issues could arise due to this vulnerability. It is trivial for an attacker to make a target system with the exposed Widcomm Audio Gateway profile to play any audio he desires, without having to supply a PIN or any other authentication credentials first. Also note that injection of audio is an optional task; covert microphone monitoring is also possible without having to notify the victim by playing an audio file. Workaround(s): Option 1: Remove Bluetooth dongle. =] Option 2: This vulnerability can be mitigated by requiring authentication for the Headset Audio Gateway profile: - Right click on the Bluetooth icon in your systray - Select "Advanced Configuration" - Click "Local Services" - Highlight the Headset profile and click properties - Enable the the check box next to Secure Connection to require a PIN when connecting to this profiile. Repeat these steps for the Audio Gateway profile as well. Option 3: Contact the vendor of your Bluetooth dongle for updated software from Widcomm. Unfortunately, due to licensing requirements in place between Broadcom/Widcomm and Bluetooth dongle vendors, it is not currently possible to upgrade faulty driver code without purchasing a new dongle. Only through complaining about this business practice can we attempt to motivate change at Broadcom to provide security fixes to customers at no cost. Disclosure: Despite multiple calls to Broadcom engineering to report this vulnerability, I was unable to identify anyone who would talk to me regarding security failures in the Widcomm drivers. "We do not do tech support" seemed to be the Broadcom mantra from multiple individuals who I spoke to regarding this particular Bluetooth vulnerability. Beyond my own attempts at disclosure it is very likely that this issue was also reported to Widcomm by Pentest Limited[4] when the original batch of issues was found. An extra special thanks goes to "that dude" in the Vigilar CISSP bootcamp that my boy ri0t took. You my friend were the inspiration for this article... "I use that Widcomm Bluetooth Software. It's pretty secure... I don't think that it has alot of problems". Unauthorized whispering kicks ass! [1] Car Whisperer, http://trifinite.org/trifinite_stuff_carwhisperer.html [2] SkypeHeadset, http://www.skypeheadset.co.uk/ [3] BlueZ, http://www.bluez.org/ [4] The original Widcomm Pimps, http://www.pentest.co.uk/