Truth 26 Identity thieves can hear you now…

Not all identity theft starts and ends with stealing your social security number (SSN). In fact, sometimes that is the last thing an identity thief needs. When it comes to stealing your identity, a thief really just need to know a little information about you and can then use that to gather even more. Recently, I was asked to test the security of a company that wanted to find out if a confidential database it maintained was at risk. Little did I know that this assignment would end with me exploiting Bluetooth technology in an attempt to breach this company’s security.

Bluetooth technology is used in wireless communication for short distances. Most people recognize Bluetooth technology as the little devices that people hook to their ear that allow them to wirelessly answer their cell phones and carry on conversations. Most often, you notice these people because they are talking way too loudly, and generally it looks at first as though they are talking to themselves. There are a number of Bluetooth devices available that can tie into your cell phone. Models range from small portable devices that hook into your ear to devices that allow you to speak hands-free while driving.

For this job, I started by following an employee of the organization I was hired to test. While following this employee, I saw that he carpooled with another companion each day and that he had a Bluetooth device plugged into his cigarette lighter. Since coworkers generally do discuss business when together, especially during a commute to work, I thought chances were good that if I could manage to tap into the Bluetooth device in my mark’s car, I might get the information I needed to break into his employer’s database.

Joe, one of the engineers who I work with, wrote some code that could communicate with Bluetooth devices. However, as we started to test the code, we found that some devices require the user to manually put them into pairing mode, which then allows other devices to be able to “see” them and make a connection. Some devices also require a PIN to be submitted, which provides an additional level of security. This was obviously not what I was looking for. But just when I started to think that I might not be able to listen in through the device, Joe made a huge discovery.

It turned out that many of the devices that are made for placement in a car actually remain in pairing mode at all times. Also, these devices have a default PIN that can’t be changed. In other words, there was a chance that I might be able to connect to that Bluetooth device after all.

After some research, I learned that most auto manufacturers had secured their devices by 2007, but that more than half of the devices available today are actually vulnerable to this type of attack.

So I studied pictures of all the devices and later peeked inside my target’s car and discovered that the device he used was vulnerable to this kind of attack. The next day, I sat in a nearby parking lot with my Bluetooth-equipped laptop and a modified antenna. As my victim started his car, the Bluetooth device turned on, and my computer connected to the victim’s Bluetooth device.

Sure enough, I was able to listen to everything being said in the car (not just what was said on the phone). I followed them home, attempting to stay as close as possible. The range was no more than one or two car lengths, and I lost the connection if another car was between me and the car I was tailing. I followed them for the next several days, recording all their conversations. It was clear they were completely unaware that I was listening in.

Unfortunately, while I recorded some interesting conversations, the confidential information I was required to gather never came up, and I turned my attention to other means of attack.

So why have I shared all this with you if it turned out to be a complete bust? While I was unsuccessful in obtaining the information I needed to complete the job I was hired to perform, I found that I actually could have easily gone after the individuals in the car. On one occasion, the passenger was talking on the phone purchasing flowers. During the call, he gave his name, address, and credit card information. While this was dumb luck that I happened to be recording this information at that time, it still proved that if a thief is persistent, he can harvest confidential information by monitoring your Bluetooth phone.

Because there is no fix for the devices that are vulnerable to this type of attack, I can only give advice on how to avoid vulnerable Bluetooth devices.

When purchasing a hands-free Bluetooth device, make sure that the device requires you to press a button before it goes into pairing mode. Generally, the higher-priced models require that you press a button to enter pairing mode, but this wasn’t the case with every device I studied. Make sure the device you buy requires that you manually engage pairing mode to use it with your cell phone.

If you already have a device that remains in constant pairing mode, my only suggestion is to leave it turned off until you need to make a call. Since most devices allow only one connection at a time, this gives you additional security. When the call is complete, make sure to turn the device off.

Some devices allow you to change their configuration to disable automatic pairing. Check your user’s manual, and if possible, disable the automatic pairing feature.

In the early 2000s, some automobiles came with Bluetooth built in and are also vulnerable to this type of attack. If your automobile has automatic pairing enabled, contact your dealer to see if it can supply a fix.

Not sure if your device supports auto pairing? Turn the device on and then, using a friend’s cell phone, attempt to connect via Bluetooth to the device. If your friend can connect without your needing to press any buttons on the device, your device is at risk.