Researchers at École Polytechnique Fédérale de Lausanne (EPFL) have disclosed a significant security vulnerability in Bluetooth that lets an attacker impersonate a device the target has previously paired with. The flaw potentially exposes over a billion modern devices to unauthorized access.

The vulnerability, named Bluetooth Impersonation AttackS (BIAS), targets Bluetooth Classic, the variant of the standard that carries data over Basic Rate (BR) and Enhanced Data Rate (EDR) links. The researchers attribute it to design flaws in the Bluetooth specification itself, which leave the establishment of a secure connection open to impersonation. Three issues are identified: mutual authentication is not mandatory, switching roles between the two ends of a connection is too permissive, and the authentication procedure can be downgraded.

Given how widely the affected functionality is deployed, the researchers responsibly disclosed the flaw to the Bluetooth Special Interest Group (SIG) in December 2019. The SIG, which maintains the Bluetooth standards, has since acknowledged the issue and committed to changes in future specifications to mitigate it.

To carry out a BIAS attack, the attacker must be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR connection with a second device whose Bluetooth address the attacker knows. The weakness lies in how the two devices use the long-term key, known as the link key, that pairing produces for authenticating each other and securing later connections.

Because of how the link key is used at connection time, an attacker can connect to the target while spoofing the Bluetooth address of the previously paired device and pass authentication without possessing the link key. The target then treats the attacker as that trusted device, so the attacker effectively gains the access it was granted without ever proving knowledge of the long-term pairing key. In short, the attack lets an adversary masquerade as a device that is already linked to the target.
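To make the three design flaws concrete, the following is a simplified, added model of connection-time authentication in Bluetooth Classic; it is illustrative code written for this page, not the EPFL researchers' proof-of-concept and not the specification's real primitives. HMAC-SHA256 stands in for the E1 authentication function, the device addresses, the link key and the names `Device`, `Impersonator`, `connect` and `scenario` are all assumptions of the model, and "lenient role switch" is modelled simply as the target letting the peer become the verifier on request. The impersonator knows only the spoofed address; the model shows that one-directional authentication plus a granted role switch is enough for it to be accepted, and that either refusing the role switch or requiring mutual authentication stops it.

```python
import hashlib
import hmac
import os

# Constructed values for the model: locally administered addresses and a
# link key that two honest devices are assumed to share from an earlier pairing.
ALICE_ADDR = bytes.fromhex("020000000001")
BOB_ADDR = bytes.fromhex("020000000002")
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def auth_response(link_key: bytes, challenge: bytes, claimant_addr: bytes) -> bytes:
    """Placeholder for the specification's E1 function: (key, challenge,
    claimant address) -> 32-bit SRES.  HMAC-SHA256 truncated to 4 bytes is
    used here instead of the real SAFER+-based construction."""
    return hmac.new(link_key, challenge + claimant_addr, hashlib.sha256).digest()[:4]


class Device:
    """Honest device that keeps the link keys from its earlier pairings."""

    requests_verifier_role = False  # honest devices take whatever role they are given

    def __init__(self, addr: bytes, link_keys: dict):
        self.addr = addr
        self.link_keys = link_keys  # peer address -> link key

    def respond(self, verifier_addr: bytes, challenge: bytes) -> bytes:
        """Claimant side: answer the verifier's challenge with the shared key."""
        key = self.link_keys.get(verifier_addr)
        if key is None:
            return b"\x00" * 4  # never paired with this address: cannot answer
        return auth_response(key, challenge, self.addr)

    def verify(self, claimant) -> bool:
        """Verifier side: challenge the peer and check its 32-bit response."""
        key = self.link_keys.get(claimant.addr)
        if key is None:
            return False
        challenge = os.urandom(16)
        expected = auth_response(key, challenge, claimant.addr)
        return hmac.compare_digest(expected, claimant.respond(self.addr, challenge))


class Impersonator:
    """Attacker that spoofs a paired device's address but holds no link key."""

    requests_verifier_role = True  # asks for a role switch so it never has to answer

    def __init__(self, spoofed_addr: bytes):
        self.addr = spoofed_addr

    def respond(self, verifier_addr: bytes, challenge: bytes) -> bytes:
        return b"\x00" * 4  # no link key, so no valid SRES can be produced

    def verify(self, claimant) -> bool:
        return True  # as verifier the attacker accepts anything the victim sends


def connect(target: Device, peer, mutual: bool, lenient_role_switch: bool) -> bool:
    """Connection-time authentication in the model.

    The target starts as verifier.  If the peer asks for a role switch and the
    target is lenient, the peer becomes the verifier instead.  With mutual=False
    only the claimant ever proves knowledge of the link key (the legacy,
    one-directional behaviour); with mutual=True both directions are checked.
    """
    verifier, claimant = target, peer
    if lenient_role_switch and peer.requests_verifier_role:
        verifier, claimant = peer, target
    if not verifier.verify(claimant):
        return False
    if mutual and not claimant.verify(verifier):
        return False
    return True


def scenario() -> dict:
    """Four connection attempts: one legitimate, one BIAS-style, two hardened."""
    alice = Device(ALICE_ADDR, {BOB_ADDR: LINK_KEY})
    bob = Device(BOB_ADDR, {ALICE_ADDR: LINK_KEY})
    eve = Impersonator(BOB_ADDR)  # spoofs Bob's address, knows no key
    return {
        "legitimate_bob": connect(alice, bob, mutual=False, lenient_role_switch=True),
        "bias_impersonation": connect(alice, eve, mutual=False, lenient_role_switch=True),
        "strict_roles": connect(alice, eve, mutual=False, lenient_role_switch=False),
        "mutual_auth": connect(alice, eve, mutual=True, lenient_role_switch=True),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point of the model is the asymmetry: in the `bias_impersonation` case the only party that ever computes a response over the link key is the victim, so an attacker that holds the verifier role needs nothing but the spoofed address. Note that the attacker still does not learn the link key, which is why the pairing with KNOB described below matters for reading traffic.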

Importantly, BIAS can be chained with other Bluetooth weaknesses, notably the Key Negotiation of Bluetooth (KNOB) attack, in which an attacker in the middle forces two devices to agree on an encryption key with very little entropy, which the attacker can then brute-force to decrypt their communications. Combined, the two attacks let an adversary both impersonate a paired device and read the traffic of the resulting connection.

To gauge how widespread the problem is, the researchers tested BIAS against roughly 30 devices, among them smartphones, laptops, and single-board computers such as the Raspberry Pi, and found every one of them vulnerable. The Bluetooth SIG says it is updating the Bluetooth Core Specification to rule out the downgrade of secure connections that lets an attacker manipulate device roles.

Until those specification changes land, the organization is advising vendors to ship the relevant patches and urging Bluetooth users to install the latest updates from their device and operating-system vendors. The findings expose real weaknesses in Bluetooth's authentication procedure for secure connections; a BIAS attack is silent and requires no user interaction, so the victim is never prompted to accept or refuse anything.

The implications are significant, and business owners and security teams should review which of their devices and systems rely on Bluetooth Classic and whether firmware and OS updates addressing BIAS are available. Continued work on mitigations, in the specification and in implementations, will be essential in defending against this and similar attacks.
