Scientists at the École Polytechnique Fédérale de Lausanne (EPFL) have discovered a Bluetooth vulnerability that allows an attacker to impersonate a previously paired device, exposing over a billion modern devices to attack.
The attacks, known as Bluetooth Impersonation AttackS (BIAS), affect Bluetooth Classic, which covers both Basic Rate (BR) and Enhanced Data Rate (EDR) wireless data transfer between devices.
According to the researchers' paper, the Bluetooth specification contains weaknesses that make it possible to impersonate a device while a secure connection is being established. These weaknesses are the lack of mandatory mutual authentication, overly permissive role switching, and the ability to downgrade the authentication procedure.
Given the widespread impact of the vulnerability, the researchers said they responsibly disclosed the results of the study to the Bluetooth Special Interest Group (SIG), the organization that oversees the development of the Bluetooth standards, in December 2019.
The Bluetooth SIG has acknowledged the flaw and is making changes to correct the vulnerability. According to the SIG, these changes will appear in future revisions of the specification.
For BIAS to work, the attacking device must be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR connection with another Bluetooth device whose address is known to the attacker.
The problem is that two previously paired devices share a long-term key, also known as the link key, which allows the devices to authenticate each other and set up a secure connection between them.
The link key also means that users do not have to pair their devices again every time data is transferred between, for example, a wireless headset and a phone, or between two laptops.
An attacker can exploit the weakness by requesting a connection to a vulnerable device while spoofing the Bluetooth address of its paired peer (or the other way round), thereby forging that peer's identity and gaining full access to the device without possessing the long-term pairing key needed to establish the connection.
In other words, the attack lets the attacker impersonate the address of a device that was previously paired with the target device.
In addition, BIAS can be combined with other attacks, including KNOB (Key Negotiation of Bluetooth), in which a third party forces two or more victims to accept an encryption key with low entropy, allowing the attacker to recover the key and use it to decrypt the connection.
Equipment not upgraded since December 2019 including
According to the researchers, the attack was tested against the most common Bluetooth chips, covering 30 devices including smartphones, tablets, laptops, headsets and single-board computers such as the Raspberry Pi. All of the devices proved vulnerable to BIAS attacks.
The Bluetooth SIG announced that it is updating the Bluetooth Core Specification to prevent Secure Connections from being downgraded to the legacy authentication level, which is what lets an attacker switch roles and initiate authentication.
In addition to asking companies to apply the necessary patches, the organization recommends that Bluetooth users install the latest updates from device and operating system manufacturers.
The research team concluded that BIAS attacks are the first problems identified in the authentication procedures used to establish secure Bluetooth connections, in role switches during authentication, and in the downgrading of Secure Connections. BIAS attacks are invisible to the user because establishing a secure Bluetooth connection does not require any user interaction.