Bluetooth Standard Vulnerable To Unpatched Spoofing Attack

Academic researchers have warned of weaknesses in the Bluetooth standard that could allow an attacker to take over a device by posing as a previously paired Bluetooth contact.

The vulnerability affects all devices using the standard and is unlikely to be patched in the near future, as it requires changes to the specification itself.

However, the Bluetooth Special Interest Group (SIG) said manufacturers can mitigate the risk by ensuring more stringent safety checks.

The vulnerability comes at a time when governments are rolling out coronavirus contact-tracing apps that rely on Bluetooth.

BIAS attack

Such apps require Bluetooth to be left switched on, and may encourage attackers to try their luck at compromising nearby devices.

The research was carried out by the EPFL in Lausanne, CISPA in Saarbrücken and the University of Oxford in the UK.

The vulnerabilities, which the researchers collectively called Bluetooth Impersonation AttackS (BIAS), affect the pairing process.

They include the lack of mandatory mutual authentication, overly permissive role switching and an authentication procedure downgrade, the researchers said in a new study.

“Our attacks are standard-compliant, and are therefore effective against any standard-compliant Bluetooth device regardless of the Bluetooth version, the security mode (e.g., Secure Connections), the device manufacturer, and the implementation details,” they wrote.

The attacks can be carried out without the target being aware because the standard does not require users to be notified about the outcome of an authentication procedure, or of the lack of mutual authentication, the researchers said.

Specification update

They said attacks had been carried out against 31 devices involving 28 unique Bluetooth chips, from manufacturers including Apple, Broadcom, CSR, Cypress, Intel, Qualcomm and Samsung.

Attacks can be made more effective when used along with an attack disclosed last year called the Key Negotiation of Bluetooth (KNOB) attack.

The Bluetooth SIG noted that the attacker must know the Bluetooth address of a device that has previously been paired with the device that is targeted by the attack.

“For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR bonding with a remote device with a Bluetooth address known to the attacker,” the SIG said in an advisory.

The SIG said it is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication in legacy authentication processes and to recommend checks for encryption type to avoid a downgrade of secure connections to older forms of encryption.

The changes are to be introduced in a future specification revision.

Mitigation

In the meantime, however, the SIG said it was “strongly” recommending that vendors update their own Bluetooth implementations to mitigate against BIAS attacks.

The group said vendors should ensure that the reduction of the encryption key length below 7 octets is not permitted, that hosts initiate mutual authentication when performing legacy authentication, that hosts support Secure Connections Only mode when possible and that Bluetooth authentication not be used to independently signal a change in device trust without first requiring the establishment of an encrypted link.
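As an added illustration of how a host stack or a Bluetooth auditor might check a connection against that SIG checklist (this is example code, not anything from the researchers, the SIG or any vendor; the `BrEdrLink` record, its field names and the sample links are constructed assumptions standing in for whatever a real stack logs):

```python
from dataclasses import dataclass

# Floor recommended by the SIG: never accept an encryption key shorter than 7 octets.
MIN_KEY_OCTETS = 7


@dataclass
class BrEdrLink:
    """Constructed summary of one BR/EDR connection, as a host might record it."""
    peer: str                     # remote Bluetooth address (constructed sample value)
    both_support_sc: bool         # both sides advertised Secure Connections
    used_legacy_auth: bool        # link was authenticated with the legacy procedure
    mutual_auth: bool             # the local host also authenticated the peer
    key_octets: int               # negotiated encryption key length
    encrypted_before_trust: bool  # encryption was up before trust level was raised


def audit_link(link: BrEdrLink) -> list[str]:
    """Return the SIG-recommended checks this link fails (empty list = clean)."""
    findings = []
    # KNOB-style weakening: key negotiated below the recommended minimum.
    if link.key_octets < MIN_KEY_OCTETS:
        findings.append("key-size-below-7-octets")
    # BIAS relies on legacy authentication being one-sided; require mutual auth.
    if link.used_legacy_auth and not link.mutual_auth:
        findings.append("legacy-auth-not-mutual")
    # Downgrade: both sides can do Secure Connections but legacy auth was used.
    if link.both_support_sc and link.used_legacy_auth:
        findings.append("secure-connections-downgraded")
    # Authentication alone must not raise trust; an encrypted link comes first.
    if not link.encrypted_before_trust:
        findings.append("trust-changed-without-encryption")
    return findings


def audit_all(links: list[BrEdrLink]) -> dict[str, list[str]]:
    """Map each peer address to its findings, keeping only links with problems."""
    return {l.peer: f for l in links if (f := audit_link(l))}


# Constructed sample links: one clean, one showing the downgrade pattern.
SAMPLE_LINKS = [
    BrEdrLink("AA:BB:CC:00:00:01", True, False, True, 16, True),
    BrEdrLink("AA:BB:CC:00:00:02", True, True, False, 1, False),
]

if __name__ == "__main__":
    for peer, findings in audit_all(SAMPLE_LINKS).items():
        print(peer, ", ".join(findings))
```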

The group said it was communicating details of the BIAS vulnerabilities and mitigations to member companies and is encouraging them to issue patches.

“As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers,” the group said.

In February Google patched a vulnerability called BlueFrag that affected older Bluetooth implementations in Android. The bug could have allowed data theft or the installation of malware.

A 2017 Bluetooth flaw called BlueBorne affected a broad range of devices and could be exploited without the user being aware.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
