Academics have disclosed a security flaw in Bluetooth technology that affects “basically all devices that ‘speak Bluetooth’.”
According to the researchers, the attack – which the team named Bluetooth Impersonation AttackS (BIAS) – allows a malicious party that knows only the Bluetooth address of a device previously paired with the target to impersonate that device towards the target.
During connection establishment the attacker can downgrade authentication from mutual to unilateral (legacy) authentication, use a role switch to become the authenticating party, and so complete authentication and start a secure session without ever knowing the link key; combined with the earlier KNOB attack, the attacker can additionally negotiate a reduced encryption key strength.
“Our attacks are standard-compliant, and can be combined with other attacks,” said the researchers.
All Bluetooth devices at risk
“The BIAS attack is possible due to flaws in the Bluetooth specification,” said the researchers.
“As such, any standard-compliant Bluetooth device can be expected to be vulnerable.”
They said they had tested the attack on 28 unique Bluetooth chips by attacking 30 different devices – all of which were vulnerable to the attack.
Devices tested include smartphones from Apple, Samsung, Google, and LG; laptops from Apple, HP, and Lenovo; and headphones from Philips and Sennheiser.
Chips that were tested include those from Qualcomm, Apple, Intel, and Samsung.
System-on-chip boards such as the Raspberry Pi were also tested and found to be vulnerable.
The research team said it disclosed the attack in December 2019, and since then, it is possible that some affected vendors have implemented workarounds for the vulnerability.
“So the short answer is: if your device was not updated after December 2019, it is likely vulnerable,” said the researchers.
“Devices updated afterwards might be fixed.”
Bluetooth SIG responds
Bluetooth SIG confirmed the vulnerability, adding that the negotiation of a reduced encryption key strength is possible if the target device is also still vulnerable to the Key Negotiation of Bluetooth (KNOB) attack, which was disclosed last year.
It said it is updating the Bluetooth Core Specification to resolve the issue.
“The Bluetooth SIG is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication in legacy authentication and to recommend checks for encryption-type to avoid a downgrade of secure connections to legacy encryption,” it said.
It added that this will be introduced into a future specification revision, and until this occurs, recommended that vendors ensure the following:
- Reduction of the encryption key length below 7 octets is not permitted.
- Hosts initiate mutual authentication when performing legacy authentication.
- Hosts support Secure Connections Only mode when this is possible.
- Bluetooth authentication should not be used to independently signal a change in device trust without first requiring the establishment of an encrypted link.
“The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches,” the organisation said.
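The following toy model, added here as an illustration and not code from the researchers or the Bluetooth SIG, shows why the attack described above works and why the SIG's interim recommendations stop it. It is an assumption-laden sketch, not the Bluetooth specification: HMAC-SHA256 stands in for the E1 authentication function, the addresses and link key are constructed, and the `Device`, `Impersonator` and `connect` names are invented for the example. An impersonator who knows only a paired peer's address finishes unilateral legacy authentication by switching into the verifier role; a victim that requires mutual authentication, refuses legacy fallback (Secure Connections Only) or rejects keys shorter than 7 octets does not trust the link.

```python
"""Toy model of the BIAS downgrade and the SIG's interim mitigations (assumption:
HMAC-SHA256 stands in for E1; the message flow is a sketch, not the spec)."""
import hashlib
import hmac
import os

# Constructed sample addresses and link key (not real devices).
ALICE = bytes.fromhex("001122334455")
BOB = bytes.fromhex("66778899aabb")


def e1(link_key: bytes, rand: bytes, claimant_addr: bytes) -> bytes:
    # Stand-in for the E1 function; the real SRES is 32 bits, hence 4 bytes.
    return hmac.new(link_key, rand + claimant_addr, hashlib.sha256).digest()[:4]


class Device:
    """Honest device holding the link keys of its paired peers, keyed by address."""
    min_key_octets = 7  # SIG: never accept an encryption key shorter than 7 octets

    def __init__(self, addr, link_keys, sc_capable, sc_only, allow_role_switch_before_auth):
        self.addr = addr
        self.link_keys = link_keys
        self.sc_capable = sc_capable          # can do Secure Connections (mutual auth)
        self.sc_only = sc_only                # refuse legacy fallback entirely
        self.allow_role_switch_before_auth = allow_role_switch_before_auth

    def prove(self, rand, verifier_addr):
        return e1(self.link_keys[verifier_addr], rand, self.addr)

    def check(self, rand, claimant_addr, sres):
        expected = e1(self.link_keys[claimant_addr], rand, claimant_addr)
        return hmac.compare_digest(expected, sres)


class Impersonator(Device):
    """Knows a paired peer's address (e.g. from sniffing) but not its link key."""

    def __init__(self, spoofed_addr):
        super().__init__(spoofed_addr, {}, False, False, True)

    def prove(self, rand, verifier_addr):
        return os.urandom(4)  # no key: a blind guess, correct with probability 2^-32

    def check(self, rand, claimant_addr, sres):
        return True  # as verifier it accepts whatever the victim sends


def challenge(verifier, claimant):
    """One challenge-response round: the claimant proves knowledge of the link key."""
    rand = os.urandom(16)
    return verifier.check(rand, claimant.addr, claimant.prove(rand, verifier.addr))


def connect(victim, peer, peer_claims_sc, peer_wants_verifier_role, key_octets=16):
    """Authentication from the victim's point of view; returns whether the victim
    ends up trusting the link with the peer."""
    if key_octets < victim.min_key_octets:
        return False  # KNOB-style key entropy downgrade refused
    if victim.sc_only and not peer_claims_sc:
        return False  # Secure Connections Only: no legacy authentication at all
    mutual = victim.sc_capable and peer_claims_sc
    verifier, claimant = victim, peer
    if peer_wants_verifier_role and victim.allow_role_switch_before_auth:
        verifier, claimant = peer, victim  # the BIAS role switch
    if not challenge(verifier, claimant):
        return False
    if not mutual:
        return True  # legacy: the victim trusts without ever verifying the peer
    return challenge(claimant, verifier)  # mutual: the verifier must prove itself too


def demo():
    key = os.urandom(16)
    alice = Device(ALICE, {BOB: key}, True, False, False)
    bob_legacy = Device(BOB, {ALICE: key}, False, False, True)
    bob_sc = Device(BOB, {ALICE: key}, True, False, True)
    bob_sc_only = Device(BOB, {ALICE: key}, True, True, True)
    mallory = Impersonator(ALICE)
    return {
        "honest_pairing": connect(bob_sc, alice, True, False),
        "legacy_victim_role_switch": connect(bob_legacy, mallory, False, True),
        "legacy_victim_no_role_switch": connect(bob_legacy, mallory, False, False),
        "sc_victim_downgraded_to_legacy": connect(bob_sc, mallory, False, True),
        "sc_victim_attacker_claims_sc": connect(bob_sc, mallory, True, True),
        "sc_only_victim": connect(bob_sc_only, mallory, False, True),
        "key_below_7_octets": connect(bob_legacy, mallory, False, True, key_octets=1),
    }


if __name__ == "__main__":
    for scenario, trusted in demo().items():
        print(f"{scenario}: victim trusts link = {trusted}")
```

The two scenarios in which the victim trusts the impersonator are exactly the ones the SIG's list closes off: a legacy device that lets the peer switch roles before authentication, and a Secure Connections device that falls back to legacy authentication when the peer claims not to support Secure Connections. Requiring mutual authentication, disallowing the pre-authentication role switch, running in Secure Connections Only mode, or rejecting short keys each makes the corresponding scenario fail.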