BIAS (Bluetooth Impersonation Attacks) Vulnerability
I. Targeted Industries
- General Businesses
- Government Agencies
- Independent Organizations
- General Public
Bluetooth is a short-range wireless communication technology used by billions of devices, and the people who use those devices rely on it heavily. Recently, however, researchers at the École Polytechnique Fédérale de Lausanne (EPFL) discovered a security vulnerability in the Bluetooth pairing protocol. The affected protocol is known as Basic Rate/Enhanced Data Rate (Bluetooth BR/EDR), or simply Bluetooth Classic. The vulnerability is labeled BIAS, for Bluetooth Impersonation Attacks. It allows an attacker to spoof the identity of a previously paired device and successfully authenticate and connect to other devices without knowing the link key or long-term key.
III. Background Information
To establish an encrypted connection, two Bluetooth devices must pair using a link key. An unauthenticated attacker within range could spoof the address of either of the previously paired devices even though the attacker does not have the link key. Researchers identified two ways in which this can be done, depending on the Secure Simple Pairing method used. Please note that, due to Bluetooth's limited range, an attacker must be within Bluetooth range of a device with Bluetooth enabled.
One way targets the Secure Connections method. Here the attacker claims to be the previously paired device but states that it no longer supports Secure Connections. This downgrades the authentication security and allows the attacker to proceed using legacy authentication. However, this downgrade would not occur if the device were configured in Secure Connections Only mode.
If the attacker succeeds, they could also use a second method in which the attacker takes the master role instead of the slave role (known as a role switch) and becomes the authentication initiator between the devices. If successful, authentication is completed between the devices. Even if the attacked device does not mutually authenticate the attacker acting as master, authentication still completes even though the attacker does not possess the link key.
Researchers also noted that BIAS (CVE-2020-10135) could be combined with the KNOB vulnerability (CVE-2019-9506) to break authentication even on Bluetooth devices using Secure Connections mode. Bluetooth-capable devices should receive patches for both vulnerabilities to be safe.
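The two conditions described above (a previously paired address that suddenly claims no Secure Connections support, and a role switch followed by one-sided legacy authentication) are both visible to the host if it keeps track of what each paired peer supported at pairing time. The following is an added example, not code from the advisory or from any Bluetooth stack; it audits a constructed list of authentication records in a hypothetical `AUTH addr=... sc=... role_switch=... mutual=...` format and flags both conditions, and it also shows how a Secure Connections Only policy would refuse the legacy path outright. Mapping real controller traces into these records is left to the reader.

```python
"""Audit Bluetooth Classic authentication attempts for the two BIAS-style
conditions described in the advisory.  The record format and all sample
data below are constructed for illustration; they are not real HCI or
btmon output."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PairedPeer:
    addr: str
    secure_connections: bool  # did this peer support Secure Connections when paired?


@dataclass(frozen=True)
class AuthAttempt:
    addr: str          # Bluetooth address the remote side claims to have
    claims_sc: bool    # does the remote side now claim Secure Connections support?
    role_switch: bool  # did the remote side request a role switch before authenticating?
    mutual_auth: bool  # did our side also challenge the remote side?


def parse_attempt(line: str) -> AuthAttempt:
    """Parse one constructed record:
    'AUTH addr=<bdaddr> sc=<0|1> role_switch=<0|1> mutual=<0|1>'."""
    kind, *fields = line.split()
    if kind != "AUTH":
        raise ValueError(f"unexpected record type {kind!r}")
    kv = dict(f.split("=", 1) for f in fields)
    return AuthAttempt(
        addr=kv["addr"].upper(),
        claims_sc=kv["sc"] == "1",
        role_switch=kv["role_switch"] == "1",
        mutual_auth=kv["mutual"] == "1",
    )


def audit(paired: Dict[str, PairedPeer], lines: List[str],
          sc_only: bool = False) -> List[Tuple[str, str]]:
    """Return (address, finding) pairs for previously paired addresses.

    With sc_only=True the host behaves like a device in Secure Connections
    Only mode: any attempt that does not use Secure Connections is refused
    before legacy authentication can start, which is the mitigation the
    advisory names for the downgrade path."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_attempt(line)
        peer = paired.get(ev.addr)
        if peer is None:
            continue  # not a previously paired address; ordinary pairing applies
        if sc_only and not ev.claims_sc:
            findings.append((ev.addr, "rejected: Secure Connections Only mode refuses legacy authentication"))
            continue
        # Condition 1: a peer that paired with Secure Connections now claims it cannot use them.
        if peer.secure_connections and not ev.claims_sc:
            findings.append((ev.addr, "Secure Connections downgrade by a previously paired address"))
        # Condition 2: legacy authentication where the remote side took the master role
        # via a role switch and our side never challenged it back.
        if not ev.claims_sc and ev.role_switch and not ev.mutual_auth:
            findings.append((ev.addr, "legacy one-sided authentication after role switch"))
    return findings


# Constructed pairing table: peer ...01 paired with Secure Connections, ...02 did not.
PAIRED = {
    "AA:BB:CC:DD:EE:01": PairedPeer("AA:BB:CC:DD:EE:01", secure_connections=True),
    "AA:BB:CC:DD:EE:02": PairedPeer("AA:BB:CC:DD:EE:02", secure_connections=False),
}

# Constructed records: a normal reconnect, a downgrade plus role switch against
# the SC peer, a one-sided legacy authentication against the legacy peer, and
# an address that was never paired.
LOG = [
    "AUTH addr=AA:BB:CC:DD:EE:01 sc=1 role_switch=0 mutual=1",
    "AUTH addr=aa:bb:cc:dd:ee:01 sc=0 role_switch=1 mutual=0",
    "AUTH addr=AA:BB:CC:DD:EE:02 sc=0 role_switch=1 mutual=0",
    "AUTH addr=AA:BB:CC:DD:EE:03 sc=0 role_switch=1 mutual=0",
]

if __name__ == "__main__":
    for addr, finding in audit(PAIRED, LOG):
        print(f"{addr}: {finding}")
    print("--- with Secure Connections Only policy ---")
    for addr, finding in audit(PAIRED, LOG, sc_only=True):
        print(f"{addr}: {finding}")
```

Run as a script it lists three findings for the permissive host (a downgrade and a role-switch finding for the first peer, and a role-switch finding for the second) and two refusals for the Secure Connections Only host. Note that the second peer never supported Secure Connections, so an SC-only policy refuses it as well; that is the trade-off the advisory's "Secure Connections mode only" caveat implies for older accessories.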
The Bluetooth Special Interest Group (SIG) is working with member organizations to develop updates and recommendations for the Bluetooth Core Specification. Please see the Recommended Links below for more details. In the interim:
- Stay Informed
Stay informed on the evolving issues and further recommendations as researchers continue to investigate this vulnerability.
- Update Bluetooth
Update your Bluetooth-enabled devices with the newest software updates and patches as they become available.
- Consider applicable recommendations from the Bluetooth SIG
The Bluetooth SIG has given some short-term recommendations for vendors and hosts to use while the patch is being worked on.
V. Indicators of Compromise
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) CERT/CC. "Vulnerability Note VU#647177: Bluetooth devices supporting BR/EDR are vulnerable to impersonation attacks." May 18, 2020. https://www.kb.cert.org/vuls/id/647177/
(2) Cimpanu, Catalin. "Smartphones, Laptops, IoT Devices Vulnerable to New BIAS Bluetooth Attack." ZDNet, May 18, 2020. https://www.zdnet.com/article/smartphones-laptops-iot-devices-vulnerable-to-new-bias-bluetooth-attack/
(3) Bluetooth SIG. "Security Notice: BIAS Vulnerability." Bluetooth® Technology Website. Accessed May 22, 2020. https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/bias-vulnerability/