Academic researchers at the École Polytechnique Fédérale de Lausanne (EPFL), a research institute and university in Lausanne, Switzerland, discovered a new vulnerability in the Bluetooth wireless protocol, which is used to interconnect modern devices such as smartphones, laptops, IoT devices, and other smart devices.
In an official statement, the researchers said that the vulnerability, dubbed BIAS (Bluetooth Impersonation Attacks), requires the attacking device to be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR connection with a Bluetooth address known to the attacker.
The BIAS Attack
The researchers found that an attacking device can spoof the address of a previously bonded remote device and complete the authentication procedure with the previously paired device without possessing the link key.
Explaining the BIAS attack, research experts from the CERT Coordination Center said, “An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key. The BIAS attack could be combined with the Key Negotiation of Bluetooth (KNOB) attack to impersonate a Bluetooth device, complete authentication without possessing the link key, negotiate a session key with low entropy, establish a secure connection, and brute force the session key.”
By initiating a KNOB attack, a threat actor could gain complete access as the remote paired device. If the attack is unsuccessful, the attacker cannot establish an encrypted link but may still appear authenticated to the host, according to the researchers.
The Bluetooth Special Interest Group (Bluetooth SIG) stated that it has updated the Bluetooth Core Specification and recommends cross-checks of the encryption type to prevent secure connections from being downgraded to legacy encryption; these checks will be introduced in the upcoming specification. The Bluetooth SIG also urged users to install the latest updates from their device and operating system manufacturers.
“The Bluetooth SIG is strongly recommending that vendors ensure that reduction of the encryption key length below 7 octets is not permitted, that hosts initiate mutual authentication when performing legacy authentication, that hosts support Secure Connections Only mode when this is possible, and that the Bluetooth authentication not be used to independently signal a change in device trust without first requiring the establishment of an encrypted link,” the organization said.
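As an added illustration, not code from the EPFL researchers or the Bluetooth SIG, the following simplified Python model turns the four recommendations above into a host-side link-acceptance check; the BondRecord and LinkState fields, the 7-octet floor taken from the quote, and the two scenarios are assumptions made for this example.

```python
from dataclasses import dataclass

# Bluetooth SIG guidance quoted above: never let the key shrink below 7 octets.
MIN_KEY_OCTETS = 7

@dataclass
class BondRecord:
    """What the host remembers about a previously paired peer (simplified model)."""
    peer_addr: str                         # the value BIAS spoofs, so never trusted alone
    paired_with_secure_connections: bool   # peer used Secure Connections when bonding

@dataclass
class LinkState:
    """Parameters of the session a peer is now trying to establish (assumed fields)."""
    secure_connections: bool  # session uses Secure Connections rather than legacy auth
    mutual_auth_done: bool    # host also challenged the peer, not only the reverse
    key_octets: int           # encryption key length negotiated for this session
    encrypted: bool           # encryption has actually been enabled on the link

def check_link(bond: BondRecord, link: LinkState, sc_only: bool = False) -> list[str]:
    """Return the policy violations for this session; an empty list means accept."""
    violations = []
    if link.key_octets < MIN_KEY_OCTETS:
        violations.append(f"key length {link.key_octets} octets below {MIN_KEY_OCTETS}")
    if bond.paired_with_secure_connections and not link.secure_connections:
        # Encryption-type cross-check: a peer that bonded with Secure Connections
        # must not be allowed to fall back to legacy authentication.
        violations.append("downgrade from Secure Connections to legacy")
    if not link.secure_connections and not link.mutual_auth_done:
        violations.append("legacy authentication without mutual authentication")
    if sc_only and not link.secure_connections:
        violations.append("Secure Connections Only mode requires Secure Connections")
    return violations

def may_signal_trust_change(link: LinkState) -> bool:
    """Authentication alone never raises trust; an encrypted link must exist first."""
    return link.encrypted

# Constructed scenarios, not captured traffic.
BOND = BondRecord("AA:BB:CC:DD:EE:01", paired_with_secure_connections=True)
# The session shape BIAS plus KNOB aims for: legacy auth, no mutual check, 1-octet key.
WEAK = LinkState(secure_connections=False, mutual_auth_done=False, key_octets=1, encrypted=False)
# A session that satisfies all four recommendations.
GOOD = LinkState(secure_connections=True, mutual_auth_done=True, key_octets=16, encrypted=True)

if __name__ == "__main__":
    print("weak:", check_link(BOND, WEAK, sc_only=True))
    print("good:", check_link(BOND, GOOD, sc_only=True), may_signal_trust_change(GOOD))
```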
Other Bluetooth Vulnerabilities
Earlier, researchers from the Ohio State University revealed that mobile applications that work with Bluetooth devices have a design flaw that makes them vulnerable to attack. The researchers said the vulnerability lies in the way Bluetooth Low Energy devices, the variant of Bluetooth used in modern gadgets, communicate with mobile apps. Devices such as smart speakers, health and fitness trackers or smart home assistants communicate with the apps on mobile devices by broadcasting a UUID (Universally Unique Identifier), which allows the mobile app to recognize the Bluetooth device, according to the research.