Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt From Bluetooth Vulnerabilities (Part 1) Webinar
Find out more about Bluetooth Session Hijacking. Presented by CTO, Dr. Brett Walkenhorst.
Attackers can jam a peripheral device so that the central device times out and drops the connection, which gives the attacker an opening to take its place. "Window widening" is a Bluetooth protocol feature that an attacker could use to control one side of a connection. Discover more about the tools used in these attacks in this clip, which highlights the importance of awareness and diligence in Bluetooth security procedures.
I described an example where I'm jamming the peripheral in a network. I'm just continually jamming its packets and I'm putting energy on the central device so it cannot properly receive and decode those packets from the peripheral. At some point, that central device is going to time out and it's going to drop that network connection.
When it does, as an attacker, I can listen to that. I see the central hasn't been talking, maybe for two or three connection intervals in a row. The next time, I jump in and I pose as the central, and I've hijacked that connection. And, like there's an app for that, it turns out there's a hacker tool for that.
So BtleJack is a nice little code set that allows you to do this. You can jam a certain part of the communication and then jump in when one of the devices goes away. So that's pretty clever. Not nice, and I'm not suggesting anyone does this.
I'm just telling you how it works. It's clever. Another way to hijack a session is using something that is in the specification for good reason, but exploiting it in a way that allows me to take over one side of a connection. This concept is called window widening. And it's used to accommodate imperfect clocks.
So if I've got a clock that's running my processor, it's running my modem. Everything is running off that clock. It's perfect to some error, to some parts per million that is specified by the chip manufacturer. Well, the Bluetooth stack can take that input from the developer. Probably the developer's gonna hard code it because, you know, they know the chip that is being used, and that information gets shared across the link.
As part of its capability sharing, you share what your number is. And then there's some equation that allows you to calculate what your window widening duration should be based on those values, to accommodate the potential for clock drift so that we don't miss one another as we're hopping through these frequencies.
So at the start of a connection event, you have this anchor point. And window widening says, okay, from that anchor point, I'm going to wait a certain period of time dictated by this equation before I start transmitting, I being the central device. Well, if I'm an attacker and I know what that window is, I can jump in after the anchor point and start communicating.
Well, if I'm lucky, the peripheral is listening long before the legitimate central starts transmitting, and I can slot myself in, posing as the central, and there's nothing to indicate to the peripheral that I'm not that guy.
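The clip refers to "some equation" for the window widening duration and to the central going quiet for a few connection intervals before a takeover. The following is an added example, not code from the webinar or from Bastille: it computes the window widening the Bluetooth Core specification derives from the two sides' sleep clock accuracy (SCA) values, checks it against the spec's cap, and runs a simple defender-side monitor over a constructed sequence of connection events to flag when the central has been silent for more consecutive intervals than a threshold. The SCA-code-to-ppm table follows the CONNECT_IND SCA field encoding; the alert threshold and the sample event sequence are assumptions chosen for illustration.

```python
"""Window widening and central-silence monitoring for a BLE connection.

Added example, not part of the webinar transcript. Units are microseconds.
"""

# Worst-case clock accuracy (ppm) for each 3-bit SCA code carried in CONNECT_IND.
SCA_WORST_CASE_PPM = {
    0: 500, 1: 250, 2: 150, 3: 100,
    4: 75, 5: 50, 6: 30, 7: 20,
}

T_IFS_US = 150  # inter-frame space the spec subtracts when capping window widening


def sca_code_to_ppm(code: int) -> int:
    """Map an SCA field value (0..7) to the worst-case drift it promises, in ppm."""
    if code not in SCA_WORST_CASE_PPM:
        raise ValueError(f"SCA code must be 0..7, got {code}")
    return SCA_WORST_CASE_PPM[code]


def window_widening_us(central_ppm: int, peripheral_ppm: int,
                       time_since_anchor_us: int) -> float:
    """Core-spec window widening: combined drift scaled by time since the last anchor."""
    return (central_ppm + peripheral_ppm) / 1_000_000 * time_since_anchor_us


def widening_within_spec(widening_us: float, conn_interval_us: int) -> bool:
    """The spec requires windowWidening < connInterval/2 - T_IFS."""
    return widening_us < conn_interval_us / 2 - T_IFS_US


def exposure_window_us(central_code: int, peripheral_code: int,
                       conn_interval_us: int, missed_events: int = 0) -> float:
    """How early the peripheral opens its receive window before the expected anchor.

    missed_events models a peripheral that has not heard the central for that many
    intervals (e.g. because of peripheral latency), which grows the window linearly.
    """
    elapsed = conn_interval_us * (missed_events + 1)
    return window_widening_us(sca_code_to_ppm(central_code),
                              sca_code_to_ppm(peripheral_code), elapsed)


def longest_central_silence(events: list[bool]) -> int:
    """Longest run of consecutive connection events with no packet seen from the central.

    events[i] is True when a central packet was observed in connection event i.
    """
    longest = run = 0
    for seen in events:
        run = 0 if seen else run + 1
        longest = max(longest, run)
    return longest


def central_silence_alert(events: list[bool], threshold: int = 2) -> bool:
    """Flag a link whose central went quiet for >= threshold consecutive intervals.

    threshold is an assumed tuning value; the clip mentions two or three intervals.
    """
    return longest_central_silence(events) >= threshold


# Constructed sample: a 30 ms connection interval, both sides advertising 50 ppm (code 5).
CONN_INTERVAL_US = 30_000

# Constructed observation: central heard on every event, then silent for three events.
SAMPLE_EVENTS = [True, True, True, False, False, False, True]

if __name__ == "__main__":
    w = exposure_window_us(5, 5, CONN_INTERVAL_US)
    print(f"window widening per interval: {w:.1f} us "
          f"(within spec: {widening_within_spec(w, CONN_INTERVAL_US)})")
    print(f"after 16 missed events: {exposure_window_us(5, 5, CONN_INTERVAL_US, 16):.1f} us")
    print(f"loose clocks (code 0 both sides): {exposure_window_us(0, 0, CONN_INTERVAL_US):.1f} us")
    print(f"central silence alert: {central_silence_alert(SAMPLE_EVENTS)}")
```

The point for a defender is that the receive window the peripheral opens is entirely predictable from values exchanged in the clear, so tightening the advertised SCA (a lower ppm code) and keeping peripheral latency small shrink the gap the clip describes, while a passive monitor that counts missing central packets per connection event gives an early signal that a link has gone quiet.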
Learn how Bastille can help you prepare for today's ever-growing wireless threat landscape. Schedule a demo and we'll be in touch shortly.