Bluetooth pairing flaw exposes devices to BIAS attacks

Bluetooth SIG has been forced to update the core specification after researchers reveal a severe flaw in BR/EDR pairing

Bluetooth-enabled devices including smartphones, laptops, tablets and Internet of Things (IoT) devices are vulnerable to attack due to fundamental flaws in the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) configuration.

The Bluetooth Special Interest Group (SIG) has been forced to update its specification after academics disclosed the vulnerability in the way connections are made between devices using BR/EDR. This configuration is also known as Bluetooth Classic.

Advertisement - Article continues below

Bluetooth Impersonation Attacks (BIAS) can be triggered after two devices have been paired, with hackers able to exploit the flaw to break security mechanisms and impersonate a device towards the host. This is according to research published by academics.

The flaw lies in the way two devices handle the long-term key that establishes their connection. Such a key is generated when two Bluetooth devices bond for the first time and derive keys for future connections without device owners undergoing the same arduous pairing process.

The BIAS attack was tested on more than 28 unique Bluetooth chips manufactured by a wide range of companies including Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All 30 devices tested by the academics were vulnerable.

Following initial bonding, hackers can fake the identity of previously paired devices and successfully connect without having to know the long-term pairing key that was established. From here, they can access data from a targeted device or take control of one.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

BIAS can also be combined with other attacks, such as the Key Negotiation of Bluetooth (KNOB) attack, which was disclosed last year by the same research team. KNOB can be deployed to force participants in a Bluetooth key exchange to use an encryption key with just one byte of entropy, meaning hackers can successfully brute-force the key. From there, they're able to intercept on data being passed between devices.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” said authors Daniele Antonioli, Nils Ole Tippenhauer and Kasper Rasmussen. 

“The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction. The BIAS attacks are at the architectural level of Bluetooth, thus all standard-compliant Bluetooth devices are a potential target.”

Bluetooth SIG, which oversees the Bluetooth standard, said it’s updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication and recommend checks for encryption-types to avoid a downgrade of secure connections. 

Advertisement - Article continues below

These changes will be introduced in a future specification revision, though until that occurs, the organisation has strongly recommended that vendors ensure the reduction of the encryption key length is not permitted. They should also take a number of additional steps to ensure security measures remain robust.

Some vendors may have implemented workarounds for the vulnerability when the researchers privately disclosed their attack in December 2019. As a result, users whose devices haven’t been updated after December 2019 are likely to be vulnerable, and devices updated since may have already been fixed.

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

Russia hacked Liam Fox's personal email to steal trade documents
phishing

Russia hacked Liam Fox's personal email to steal trade documents

4 Aug 2020
British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020
Mid-year report says vulnerabilities up 22% in 2020
hacking

Mid-year report says vulnerabilities up 22% in 2020

30 Jul 2020
BlackRock banking Trojan targets Android apps
trojans

BlackRock banking Trojan targets Android apps

27 Jul 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do I fix the Windows 10 Start Menu if it's frozen?
operating systems

How do I fix the Windows 10 Start Menu if it's frozen?

3 Aug 2020