Hacking Wireless Headsets

Those cool wireless headsets keep your hands free - and give hackers the ability to eavesdrop on your conversations

Dark Reading Staff, Dark Reading

January 22, 2008


In offices all over the world, users are becoming increasingly enamored with those wireless "hands-free" headsets that allow the speaker to move around the office while continuing a conversation on the phone. But have you ever wondered how secure those headsets are? So have we. Recently, we had the chance to find out – and what we discovered was downright scary.

If you don't know us, Secure Network Technologies is a penetration testing firm that focuses closely on issues of physical security and social engineering. We were recently hired by a large organization to assess network security and other potential vulnerabilities. Always anxious to try new things, we asked to test wireless signals leaving the building – including wireless access points, radio frequencies – and potential vulnerabilities in those hot little hands-free headsets.

To perform the work, we purchased a commercially available radio scanner. These devices are available at any local electronics retailer at prices ranging from $80 to several thousand dollars. We chose a scanner capable of monitoring frequencies in the 900-928 MHz and 1.2 GHz ranges, which is where many of the popular hands-free headsets operate.

We took a position across the street from the facility and started up the scanner. Within seconds of turning on the device we were able to listen to conversations that appeared to be coming from our client's employees. Several of these conversations discussed the business in detail, as well as very sensitive topics. After some careful listening, we determined that the conversations were indeed coming from our customer.

After confirming that the sources of the conversations were on our client's premises, we made a note of the specific frequencies that were used, and locked in on them. We could then record the conversations digitally in the scanner. Within minutes of this discovery we contacted our customer and explained the vulnerability. We felt this issue could not wait for our final report.

To demonstrate the sensitivity of what we discovered, we used the conversations we recorded to social-engineer our way into the facility. We gathered the names of people mentioned during conference calls, as well as other specifics about each person. We then singled out people who were foreign to the location we planned to enter: people whom the callers had never met, people who had never been to the location, and people who were new to the organization.

Our plan was to assume an identity of an employee who had never been to the office we were testing. Using that identity, we would enter the building, commandeer a place to sit and work, then see how long we could stay inside the building. After zeroing in on a particular employee, we gathered as much intelligence on him as we could. To prepare for the entry into the facility, we printed a business card with our assumed identity. I put on my best suit, and then went to work.

When I entered the building, I was greeted by security. I indicated I was an employee and was in town to work. I handed the security guard a business card and was welcomed with a smile. After escorting me to a cube, the guard showed me where the restroom was, where I could get a cup of coffee, and how to go about getting a building access card.

After getting settled into my new workspace, I plugged my laptop into the network, started my network scanning tool, and retreated to the cafeteria for lunch. Upon my return, I was presented with a card access key to the building. The card was accompanied by a document outlining security policies regarding its usage – clearly, the people who issued it never checked deeper into who I really was.

With card in hand, I started exploring the building. I had almost complete access. In the few places where the card did not work – such as the server room and fitness center – I used additional social engineering tactics to gain access.

By day two, I was already accepted as an employee. In the morning, I was greeted by my would-be coworkers and security folks. I began to take some liberties, such as booking conference rooms, asking for refreshments, and gaining permission to bring in a "vendor" – actually Doug Shields, my partner here at Secure Network. In all, I spent three days inside the building, gaining access to numerous types of information, resources, and technology.

Our social engineering effort was just one exploit – the real danger is the information that was being emitted from the company through the wireless headsets. This technology is convenient, but it is opening companies up to potential calamity. With the data we heard, we could have made a stock play, provided valuable information to a competitor, or gone to the press with scandalous data.

We also noted that when conversations ended, the headsets became bugging devices. Even after calls were terminated, we could hear the headset-wearers breathing, as well as any other conversations that were going on in the office.

We were interested in this vulnerability, so we asked for permission from other clients to test it out at their locations as well. We ended up intercepting communications ranging from financial institutions and health care to a variety of other professions and industries. We heard conversations from computer network administrators, C-level executives, legal departments, and management teams.

What did we prove? That many companies which fear security breaches and eavesdropping are actually bugging their own offices, and spilling their private content over the open airwaves without their knowledge. The problem is not unlike the early days of wireless LANs and WiFi, when the technology became popular before adequate security was developed.

What can you do about it? The first step is to recognize the vulnerability. These headsets generally operate at 900 MHz and, as we learned, are not necessarily secured with encryption. Find out who's using the technology and where. Secondly, you should consider doing a scanning test, as we did for our client. It's worth $80 to make sure your corporate secrets are not unintentionally leaking out of the building via wireless headsets.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading
