A Swiss research institute has uncovered yet another vulnerability in the Bluetooth protocol that leaves millions of devices open to attack.
Last year the same team of researchers revealed what they called a “novel and powerful” Key Negotiation of Bluetooth (KNOB) attack that impersonated the receiver of sensitive files and transmitted encrypted commands to unlock a device. Now they have found an even more serious vulnerability that could affect 75% of devices. This is the third unwanted revelation since the beginning of 2020, when a German security group uncovered a critical flaw in Android’s Bluetooth implementation that allowed stealthy remote attacks. Google says it has since issued a fix.
The newly named Bluetooth Impersonation AttackS (BIAS) gives an attacker access by letting them pose as a previously trusted Bluetooth device. The Swiss Federal Institute of Technology in Lausanne demonstrated that the Bluetooth standard still has flaws allowing an attacker to impersonate another device and establish a secure connection with a victim, without possessing the long-term security key shared by the impersonated device and the victim.
Institute researchers said that the attacker needs nothing more than a Raspberry Pi to compromise a laptop, mobile phone, smartwatch, or even earphones. The attack does not require great sophistication, and the victim will be totally unaware. Almost thirty of the 36 Bluetooth chips tested were found to be vulnerable. They included chips from Apple, CSR, Cypress, Intel, Qualcomm and Samsung. Although the vulnerability was reported to manufacturers last December, only a few have issued fixes or workarounds and provided updates to users.
When two Bluetooth devices pair up, a long-term encryption key is exchanged and stored. If, for example, a smartphone user looks at their Bluetooth setup screen they see a list of previously known connections that permit devices to connect again without reissuing the encryption key.
This attack focuses on the Bluetooth Classic protocol, which supports the Basic Rate and Enhanced Data Rate modes. The vulnerability lies in the device’s failure to check the authenticity of an attacker impersonating a known device using a captured long-term encryption key. Only the initial long-term key for a Bluetooth secure connection is encrypted. Mutual authentication is not required for subsequent connections, so devices reconnecting over Bluetooth fall back on older, less secure connection procedures that attackers can exploit.
The Swiss researchers concluded that any standard-compliant Bluetooth device can be expected to be vulnerable. The Bluetooth Special Interest Group (SIG), which oversees the Bluetooth protocols, says it will update the Bluetooth Core Specification to cover mutual authentication rules and tighten its security requirements.