Comment by mi_lk

1 month ago

> This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ..

That doesn't sound very serious if they're exposed, does it? Can it be used to eavesdrop on my conversation if I'm speaking through the headphones?

They also demonstrated how this could be used to silently find out someone’s phone number and then hijack a TFA validation call from an app like WhatsApp to take over their account with no user interaction.

  • This attack was not silent; it was noisy. They specifically pointed that out in their talk.

    • Right, but isn't it noisy ... at the headphone level? (i.e. not heard when not wearing them?).

      What I'm getting at is that I think the risk varies depending on how often you leave the headset paired; for example, if the headphones are over-ear, those are more prone to not being turned off --- and remain connected; thus, a greater chance of success for establishing a Bluetooth Classic connection without getting noticed and performing the WhatsApp account take-over until they listen to "I'm gonna take a shower, honey!" in the distance.

The session (or pairing) key means you can either connect to the headphones or impersonate them.

It can toggle the hands-free mode and listen to whatever is being talked about; you'd notice that it has switched to that mode, though. But if your headphones are powered on and you're not listening to them, they can be used for eavesdropping.

During the talk they demonstrate both listening to the microphone and receiving a WhatsApp 2FA call.

  • Presumably, even in hands-free mode the attacker needs to be very close to the speaker to hear it.

    • If you have a Bluetooth analyzer (e.g. Ellisys), then the link key and a directional antenna is all you need to passively eavesdrop on a conversation at a distance.

      Of course, even regular omnidirectional Bluetooth antennas are plenty to eavesdrop through a hotel room door, from the hallway outside a conference room, etc.

      An attacker can also passively record all the packets in an area (Ellisys allows recording all channels at the same time), and then actively gather link keys using this attack at any time to decrypt the stored conversations.