Problems with Pairing
Pairing, the primary security mechanism between two Bluetooth devices, is not completely bulletproof. At least one attack against the pairing process has been known about since the initial release of the Bluetooth protocol. In a nutshell, if an attacker can sniff the pairing communication between two devices, he could then guess the PIN used in the process (it’s usually only four digits long). Once the PIN is guessed, the attacker could use the PIN and the sniffed data to derive the keys used by both devices to communicate. However, this attack requires relatively expensive hardware to execute, and most devices only pair with each other once in their lifetimes, making interception difficult.
A more realistic problem with pairing is that devices can be forced to lose their pairing association and may even attempt to automatically pair again. If an attacker knows the MAC address of a trusted device, he can spoof the MAC and attempt to make a secure connection to the other device. After a few failed attempts, the victim device will determine that its pairing partner has been lost. Usually, this realization will spawn a new pairing process on the victim device. If the user is unaware of what’s going on, she may blindly pair with the attacker, thereby giving the attacker access to the victim device.
The real catch here is if the victim device has a hard-coded PIN for pairing. Some earbuds, mice, and even cars have preset PINs that cannot be changed. For devices that can be paired with multiple other devices at a time, this is an even bigger problem. Trifinite.org has released a program called Car Whisperer that exploits the fact that some cars have preset PINs and can pair with several devices. Using Car Whisperer, an attacker can talk to people in the car or even quietly eavesdrop on conversations in the car.
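The forced-re-pairing problem described above comes down to a device policy: what should a device do when a peer presenting a trusted address fails authentication several times in a row? The following Python model is an added example, not code from the book or from any Bluetooth stack. It does not speak Bluetooth; it simulates the decision logic so the two policies can be compared side by side. The "permissive" policy reproduces the behaviour the text describes (silently start a new pairing once the partner appears lost). The "hardened" policy counts failures per address in a sliding window, refuses to re-pair without explicit user confirmation, and records an alert that a spoofed peer may be present. The address, timestamps, thresholds and event sequence are all constructed for the example.

```python
"""Simulated link-loss / re-pairing policy for a Bluetooth-style device.

Added example: models only the decision logic around failed
authentications from a trusted peer address. Nothing here talks to
real Bluetooth hardware. All addresses, times and thresholds are
constructed values chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

FAIL_THRESHOLD = 3      # failures before the partner is considered "lost"
WINDOW_SECONDS = 60     # sliding window in which failures are counted


@dataclass
class AuthEvent:
    t: float     # seconds since boot (constructed)
    peer: str    # claimed device address of the peer (constructed)
    ok: bool     # whether link-key authentication succeeded


@dataclass
class Device:
    trusted: set                    # addresses this device holds a link key for
    policy: str                     # "permissive" or "hardened"
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    alerts: list = field(default_factory=list)
    pairings_started: list = field(default_factory=list)

    def handle(self, ev: AuthEvent, user_confirms: bool = False) -> str:
        """Process one authentication event and return the action taken."""
        if ev.peer not in self.trusted:
            # An address we have never paired with cannot "lose" a pairing.
            return "ignored"
        q = self.failures[ev.peer]
        if ev.ok:
            q.clear()               # a good authentication resets the counter
            return "connected"
        q.append(ev.t)
        # Drop failures that fell out of the sliding window.
        while q and ev.t - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) < FAIL_THRESHOLD:
            return "auth_failed"
        # Threshold reached: the partner looks lost. Policies diverge here.
        if self.policy == "permissive":
            # Behaviour the text warns about: re-pair without asking.
            self.pairings_started.append(ev.peer)
            q.clear()
            return "repairing_automatically"
        # Hardened: surface the anomaly and wait for the user.
        self.alerts.append(
            f"{ev.peer}: {len(q)} failed authentications within "
            f"{WINDOW_SECONDS}s; trusted address may be spoofed"
        )
        if user_confirms:
            self.pairings_started.append(ev.peer)
            q.clear()
            return "repairing_with_confirmation"
        return "blocked_pending_user"


TRUSTED_PEER = "AA:BB:CC:DD:EE:01"   # constructed address of the real partner

# Constructed sequence: three back-to-back failures from the trusted address,
# the pattern produced when someone presents that address without the key.
SPOOFED_ATTEMPTS = [AuthEvent(10.0 + i, TRUSTED_PEER, False) for i in range(3)]


def run(policy: str, events=SPOOFED_ATTEMPTS):
    """Feed the event list to a fresh device and return (actions, alerts, pairings)."""
    dev = Device(trusted={TRUSTED_PEER}, policy=policy)
    actions = [dev.handle(ev) for ev in events]
    return actions, dev.alerts, dev.pairings_started


if __name__ == "__main__":
    for policy in ("permissive", "hardened"):
        actions, alerts, pairings = run(policy)
        print(policy, actions, "alerts:", alerts, "pairings:", pairings)
```

The point of the comparison is the last event in each run: the permissive device has already started a new pairing with whoever holds the trusted address, while the hardened device has started nothing, has an alert a user or management console can act on, and only proceeds if the user confirms. The sliding window also matters: a handful of genuine failures spread over a long period (interference, a flat battery) should not trip the counter, which is why failures older than `WINDOW_SECONDS` are discarded.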