Inherent weaknesses in short-range radio technology laid bare

Bluetooth pairing, pwned: Security researchers discover fresh wave of impersonation attack flaws in wireless tech

Attackers were able to impersonate legitimate devices during the Bluetooth pairing process because of inherent security weaknesses in the Bluetooth Core and Bluetooth Mesh specifications that underpin the ubiquitous wireless technology.

Researchers at ANSSI – the French equivalent of the UK’s GCHQ – uncovered flaws in each specification that allow device impersonation and AuthValue disclosures.

A total of six vulnerabilities (CVE-2020-26555 through CVE-2020-26560) were uncovered by the research.

The vulnerabilities are featured in a paper, ‘BlueMirror: Reflections on the Bluetooth Pairing and Provisioning Protocols’, that’s due to be presented by ANSSI researchers Tristan Claverie and José Lopes Esteves at the WOOT conference tomorrow (May 27).

BIAS: Bluetooth Impersonation Attacks

The clutch of vulnerabilities discovered by ANSSI builds on prior research into so-called ‘Bluetooth Impersonation Attacks’ (BIAS), which was revealed by academics last year.

As with the 2020 paper (PDF), this latest batch of flaws is of particular significance because they each relate to core Bluetooth specifications and not simply a poor implementation of the technology.

As outlined in the BlueMirror research, unpatched devices supporting the Bluetooth Core Specification are affected by the following vulnerabilities: impersonation in the Passkey Entry Protocol (CVE-2020-26558); impersonation in the Pin Pairing Protocol (CVE-2020-26555); and impersonation in Bluetooth Mesh Provisioning (CVE-2020-26560).

In addition, predictable AuthValue in Bluetooth Mesh Provisioning opens the door to potential manipulator-in-the-middle (MitM) attacks, a vulnerability tracked as CVE-2020-26557.

Catch up on the latest mobile security news

Another flaw means the Mesh Provisioning procedure could allow an attacker to identify the AuthValue directly without brute-forcing its value (CVE-2020-26559).

On top of this, the authentication protocol is vulnerable if the AuthValue can be identified during the provisioning procedure, even if the AuthValue is selected randomly (CVE-2020-26556).

Lastly, the researchers also identified a potential security vulnerability involving LE Legacy Pairing authentication in Bluetooth Core Specification versions 4.0 through 5.2.

The flaw means an “attacker can reflect the confirmation and random numbers of a peer device in LE legacy pairing to successfully complete legacy authentication phase two without knowledge of the temporary key”.

Upstream patches

Fortunately, the Bluetooth Core and Bluetooth Mesh BIAS vulnerabilities were responsibly disclosed some months ago, and protections are already largely in place.

However, Bluetooth users should “ensure that they have installed the latest recommended updates from device and operating system manufacturers”, according to an advisory from the US-CERT Coordination Center.

The advisory offers a rundown of which wireless and other technology providers are affected by the Bluetooth flaws.

Myriad threats

Neil Peacock, joint founder of Blok Cyber Security, told The Daily Swig that tricking targets into pairing with an attacker-controlled device is one of several ways that Bluetooth can be hacked.

“Bluetooth attacks have been around for years, ever since it launched,” according to Peacock. “The Cabir worm was the first known wireless worm that could transmit itself to mobile phones. Since Cabir, threats to Bluetooth have become more sophisticated.”

Peacock said Bluetooth devices can also be hacked by pairing with them without the owner’s knowledge and accessing personal data, and tricking victims into pairing with an unknown device whose name typosquats on the name of a device they trust (thus giving hackers access to the entire device).

Other threats include hacked headsets that allow malicious people to listen to your conversations, and, similarly, Bluebugging, where attackers remotely access a user’s phone.

“The cybersecurity threat to Bluetooth should not be underestimated and we should all take steps to protect ourselves before hackers steal confidential information,” Peacock concluded, adding that the threat level is such that Bluetooth should be switched off when not in use.

RECOMMENDED Open source ecosystem ripe for dependency confusion attacks, research finds