Eavesdropping on Bluetooth Automobiles

This is impressive:

This new toool is called The Car Whisperer and allows people equipped with a Linux Laptop and a directional antenna to inject audio to, and record audio from bypassing cars that have an unconnected Bluetooth handsfree unit running. Since many manufacturers use a standard passkey which often is the only authentication that is needed to connect.

This tool allows to interact with other drivers when traveling or maybe used in order to talk to that pushy Audi driver right behind you ;) . It also allows to eavesdrop conversations in the inside of the car by accessing the microphone.

EDITED TO ADD: Another article.

Posted on August 2, 2005 at 1:41 PM • 32 Comments

Comments

BrettAugust 2, 2005 2:41 PM

But to do anything remotely worthwhile (as a hacker) wouldn't you need to be able to follow the car around. From what I know, bluetooth doesn't have much of a range (even with a directional).

Rob MayfieldAugust 2, 2005 3:38 PM

@brett

Whether you follow the car depends largely on whether you want to eavesdrop while the target vehicle is moving - I can imagine some people would rather eavesdrop while the vehicle is 'parking'. (adds new meaning to 'in car entertainment')

Davi OttenheimerAugust 2, 2005 3:46 PM

@ Chris

That's correct. Experiments that led to the (media friendly) BlueT sniper rifle were able to sniff up to a mile or so away:
http://bluedriving.com/

But I like the point in the article where they recommend using this technique to talk to people following too closely. Imagine an always-on BlueT signal that alerted/interfered with cars near the rear of your vehicle depending on your speed.

Mark El-WakilAugust 2, 2005 4:52 PM

I think another interesting possibility is instead of "podcasting", be able to share music with drivers closeby.

This will of course have limitations based on distance, angle, etc... but cars based in a caravan would be able to benefit from this nicely.

Mark J.August 2, 2005 7:19 PM

I seriously doubt the manufacturers of automobile BT devices are worried. This looks like it would affect maybe one in ten million vehicles. And then only for a few seconds or so. Still, it's a good idea to reset the passkey on all BT devices as a standard practice.

Thomas SprinkmeierAugust 2, 2005 9:46 PM

Evil version of the telephone talking clock:

"At the third beep, 300 yuppies with bluetooth audio and worm-infected laptops will be distracted:
...beep
...beep
... __BEEP__!!!"

Gives a whole new meaning to crashing the system.

jammitAugust 2, 2005 11:30 PM

Darn. I thought at first he was hacking the car. I was hoping I had an easy way of getting that guy in the left lane with his blinker on for the last 20 miles who's doing 30 MPH under the speed limit to get out of my way... If I'm not mistaken, the Onstar installed in some cars is using bluetooth for internal communications (like between the Onstar module and the GPS, air bag deployment sensor, etc). That could be interesting.

Curt SampsonAugust 3, 2005 4:08 AM

You don't need to hack the car if you can hack the driver. "This is your car management system. Your engine is experiencing a critical failure. Please pull over immediately and call for repair."

Ben SmythAugust 3, 2005 4:40 AM

The iTrip does a nice job of sharing music (over FM), unfortunately it also encourages tailgating...

CJAugust 3, 2005 6:35 AM

@Mark:

Sounds like we're heading towards a scenario like that Cory Doctorow's Eastern Standard Tribe - just wait till the DRM kicks in.

EricAugust 3, 2005 7:38 AM

Remember, you can boost a radio signal 30db by using a good directional antenna. And unless my math is off, a 30db boost should increase the range by a factor of 1000.

So if the manufactor says "1 meter", assume you can be sniffed from a kilometer away.

You should never rely on a low signal strength for privacy. It's a fundamentally flawed approach, as the Bluetooth rifles demonstrate. You need good crypto.

DarkFireAugust 3, 2005 8:05 AM

Surely good personal security dictates that oine ought to have the Bluetooth feature turned off as a matter of course, and only turn it on when necessary for use.

Ben SmythAugust 3, 2005 8:14 AM

@DarkFire
This contradicts with usability...
Plus the average Joe probably doesn't know how.

paulAugust 3, 2005 8:47 AM

Didn't manufacturers learn back with the first generation of isdn phone equipment 15 years ago that you really positively need a hard off switch? (And then of course they mostly forget that for cell phones)

ChrisAugust 3, 2005 10:01 AM

Of course, on a cell phone you can allways pull the battery. Is there even any way to deactivate the bluetooth features in these cars?

Bruce SchneierAugust 3, 2005 10:09 AM

"Of course, on a cell phone you can allways pull the battery. Is there even any way to deactivate the bluetooth features in these cars?"

I suppose you can pull the battery.

DaveAugust 3, 2005 10:38 AM

Eric,

Unfortunately, radio follows the inverse square law- square the power to double the range. So while a 30dB boost does increase the signal strength by a factor of 1000, the range would go up by a theoretical maximum of sqrt(1000) ~= 30 times. Real world experiments suggest that for short range low power signals it's more like an inverse cube law (diffraction, scattering, etc. cut down the signal even more).

Charles BalloweAugust 3, 2005 1:12 PM

I live near a major artery in a large city - I.e. frequently traveling very slow during rush hour. If i could get 200 yards out of a device, I could sit on my front porch and probably have a reasonably (minute or 2) period on each driver. I could see this being a fun toy - or just trunk mounted while driving.

ECMpukeAugust 3, 2005 4:19 PM

Dave is correct. Signal strength goes by the inverse square law...so 30 dB means about 30 times in range. (sqrt 1000).
However, folks, an antenna with 30 dB gain has a beamwidth so narrow that
pointing it becomes a serious problem.
There's no free lunch.

ARLAugust 3, 2005 8:45 PM

While the rage of the devices shown may be limited, the exploit has other uses. Think about the GPS trackers put in cars to see where people have been. Adding the technology to snoop the audio and record or retransmit it should not be too hard.

ARLAugust 3, 2005 8:48 PM

Devices to track cars using hidden GPS could now have the additional feature of recording or retransmitting audio from an insecure device.

RogerAugust 3, 2005 9:07 PM

@Dave:
Minor nitpick, but inverse square law means you quadruple the power to double the range (i.e., square the ratios); squaring the power to double the range would be an exponential law. But your example calculation was correct.

@ECMpuke:
"an antenna with 30 dB gain has a beamwidth so narrow that pointing it becomes a serious problem"

Well, certainly the higher the gain, the more accurately it must be pointed, but 30 dB isn't really in the realm of a "serious" problem. The "half power beamwidth" of a 30 dB antenna of typical type, is about 5 degrees, or about a 50 cm spot on the other side of a 6 metre room. Most people can point more accurately than that by hand, and with any sort of tripod mount it's trivial. It's more difficult (especially in elevation) if you can't see the exact location of the target, but we're still only talking a few minutes of fiddling about.

ECMpukeAugust 5, 2005 12:48 PM

Roger,

OK. You go do the pointing.

One millisteradian is
a lot less than one.

It's like searching the world through a soda straw. Try it some time. It's far from trivial.

By the way...that 30-dB aperture at 2.4 GHz is bigger than a Pringles can. It would take a dish about 4 feet in diameter, in fact.

You might find the tripod to hold it a little unwieldy.

https://ewhdbks.mugu.navy.mil/one-way.htm

ECMpukeAugust 5, 2005 4:01 PM

Davi,

Just a radar pro.

It's a commonly-used term, but since radar was developed primarily on the coasts...RadLab, Hughes...), I can see the connection.

There are some clusters around tech centers around Chicago and St Louis, too.

Maybe some escapees from the coasts.

RogerAugust 11, 2005 4:28 AM

(For those who don't know, the steradian is the unit of solid angle. It's defined as the area outlined by projecting the solid angle onto the surface of a unit sphere, or equivalently, the area projected onto any sphere, divided by the square of the sphere's radius. Thus, a full sphere is 4 pi steradians. It is abbreviated sr, or more often msr for millisteradian because a whole sr is quite a lot.)

@ECMPuke:
"You do the pointing".

I have. We often use 35 dBi antennae at work, and pointing just isn't as hard as you seem to think. Even a 40 dBi is (just barely) doable by hand.

"One millisteradian is a lot less than one."

I don't think you finished this sentence, but in any case I'd point out that you only need 12.6 msr (4 pi sr in a sphere, divided by 1000). 12.6 msr is the solid angle subtended by a 3 inch circle at 2 feet, i.e. a baseball held at arms length. It is not a particularly fine angle. (Actually, because the beam doesn't have a sharp cutoff, we normally work with the half power beamwidth -- I'm sure you know that, just for other readers -- which is a bit more restrictive; it calculates to about 6 msr in this case.)

"It's like searching the world through a soda straw. Try it some time. It's far from trivial."

Well no, it isn't like searching through a soda straw. The analogy is wrong two ways, first because in "bluesniping" type applications most of the time you would be "searching" with the Mk I eyeball and only using the 30 dB beam for "target acquistion". That's more like pointing the straw at something and then seeing if you can see the target through the straw, a task which in fact is trivial (try it).

Secondly a straw is much tighter than what is required here. A typical soda straw (about 8 in by 0.2 in) gives a solid angle of 0.45 msr. That's an order of magnitude tighter than this requirement. To get a 12.6 msr (30 dB) beam, an 8 in straw would need a diameter of an inch.

Having said that, to "keep myself honest", I did just try some "searching the world through a soda straw" (the same one). Forming a fist around the straw so I couldn't peek around it, I spun myself around on my chair with my eyes closed, opened one eye to look through the straw, then timed myself to find a certain spot of light on the wall (a spot much smaller than 12 msr). By nodding the straw up and down while slowly rotating, I found it in 11 seconds. Not quite trivial, but not very challenging, either. (Yes, it helps quite a bit that I knew it was roughly in the horizontal plane, but that's usually the case for non-aerial targets.)

"By the way...that 30-dB aperture at 2.4 GHz is bigger than a Pringles can. It would take a dish about 4 feet in diameter, in fact."

Ah, good point, well made. Nasty unwieldy 12 cm waves 8^) (We mainly use Ku band at work!)

"You might find the tripod to hold it a little unwieldy."

Well, if we only want good gain and don't care about suppressing sidelobes, you can go with a grid parabola. By no means hand held but practicable to tripod mount; the lightest commercially available 24 dBi one that I have seen was 2 kg, presumably a 30 dBi one would be about 8 kg.

KweevDecember 1, 2008 8:30 AM

Someone has to set up a tiny gumstix box with a solar panel and rechargeable battery with this software autoscanning (recording/injecting funny audio). Add a USB 3G broadband modem for web updates. Just hide it on top of a set of traffic lights at 3am at a slow junction, listen to the web updates every day!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..