Bluetooth pairing flaw exposes devices to BIAS attacks

Bluetooth SIG has been forced to update the core specification after researchers reveal a severe flaw in BR/EDR pairing

Bluetooth-enabled devices including smartphones, laptops, tablets and Internet of Things (IoT) devices are vulnerable to attack due to fundamental flaws in the way the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) transport authenticates devices that have previously paired.

The Bluetooth Special Interest Group (SIG) has been forced to update its specification after academics disclosed the vulnerability in the way connections are made between devices using BR/EDR. This configuration is also known as Bluetooth Classic.

Bluetooth Impersonation AttackS (BIAS) target devices that have already paired with each other: an attacker within radio range exploits the flaw to bypass the authentication that is supposed to protect a reconnection and to impersonate one of the paired devices towards the other. This is according to research published by the academics who discovered the flaw.

The flaw lies in the way two devices use the long-term key, known in Bluetooth as the link key, that secures their connection. That key is generated when two Bluetooth devices bond for the first time and is then reused to authenticate each other and derive session keys for every later connection, so device owners never have to repeat the pairing process. BIAS targets that reconnection step, not the initial pairing.

The BIAS attack was tested against 30 devices built on 28 unique Bluetooth chips from manufacturers including Cypress, Qualcomm, Apple, Intel, Samsung and CSR. Every device tested was vulnerable.

Once two devices have bonded, an attacker can spoof the Bluetooth address of one of them and complete a connection to the other without knowing the link key. The weakness is that legacy authentication only requires the responding device to prove it holds the key, and the standard did not oblige the device that initiated the connection to prove the same in return, so an impersonator that takes the initiating (verifier) role is never tested. Depending on what the impersonated device was trusted to do, this gives the attacker access to data on the target or control over it.
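The following is an added example, written for this article and not code from the BIAS researchers or from any Bluetooth stack. It models the unilateral legacy authentication just described and the mutual authentication the Bluetooth SIG later recommended, showing that an impersonator with no link key passes the first and fails the second. Bluetooth's real E1 function (built on SAFER+) is replaced by HMAC-SHA256 as a stand-in, and the device addresses and link key are constructed values.

```python
"""
Toy model of the weakness behind BIAS: Bluetooth legacy authentication
only makes the claimant prove it knows the link key, so a peer that
takes the verifier role is never tested.  Added example, not the
researchers' code or a real Bluetooth stack.  E1 is replaced by
HMAC-SHA256 as a stand-in; addresses and the link key are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional


def e1(link_key: bytes, claimant_addr: bytes, au_rand: bytes) -> bytes:
    """Stand-in for E1: SRES = f(link key, claimant BD_ADDR, AU_RAND)."""
    return hmac.new(link_key, claimant_addr + au_rand, hashlib.sha256).digest()[:4]


class Device:
    def __init__(self, addr: bytes, link_key: Optional[bytes]):
        self.addr = addr          # BD_ADDR this device presents on the air
        self.link_key = link_key  # None: never bonded, i.e. an impersonator

    def respond(self, au_rand: bytes) -> bytes:
        """Claimant side: answer a challenge.  Without the key, guess."""
        if self.link_key is None:
            return os.urandom(4)
        return e1(self.link_key, self.addr, au_rand)

    def verify(self, claimant_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        """Verifier side: check the claimant's answer against the link key."""
        expected = e1(self.link_key, claimant_addr, au_rand)
        return hmac.compare_digest(expected, sres)

    def accept(self, claimant_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        """An impersonator without the key accepts any answer: it only needs
        the victim to finish the procedure, not to check anything itself."""
        if self.link_key is None:
            return True
        return self.verify(claimant_addr, au_rand, sres)


def connect(initiator: Device, victim: Device, mutual: bool) -> bool:
    """Legacy authentication as run when `initiator` (master, hence the
    verifier) reconnects to `victim`.  Returns True when the victim ends
    up treating the initiator as its authenticated, previously paired peer."""
    # Unilateral step: the verifier challenges, the victim proves it holds the key.
    au_rand = os.urandom(16)
    if not initiator.accept(victim.addr, au_rand, victim.respond(au_rand)):
        return False
    if not mutual:
        # The specification required nothing more: the victim has learned
        # nothing about the initiator and proceeds.  This is the BIAS condition.
        return True
    # Mutual authentication: the victim now challenges the initiator in turn.
    au_rand2 = os.urandom(16)
    sres2 = initiator.respond(au_rand2)
    return victim.verify(initiator.addr, au_rand2, sres2)


def run_scenarios() -> dict:
    """Bond two devices, then replay a reconnection by the genuine peer and
    by an impersonator that spoofs the peer's address but holds no key."""
    link_key = os.urandom(16)                        # established at bonding
    alice = Device(bytes.fromhex("001122334455"), link_key)   # constructed
    bob = Device(bytes.fromhex("66778899aabb"), link_key)     # constructed
    mallory = Device(bob.addr, None)                 # claims to be Bob
    return {
        "bob_unilateral": connect(bob, alice, mutual=False),
        "bob_mutual": connect(bob, alice, mutual=True),
        "mallory_unilateral": connect(mallory, alice, mutual=False),  # BIAS succeeds
        "mallory_mutual": connect(mallory, alice, mutual=True),       # fixed by mutual auth
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} victim treats peer as authenticated: {ok}")
```

The impersonator's forged response in the mutual case is a 4-byte guess, so it is rejected except with probability 2^-32; the point of the model is that in the unilateral case it is never asked at all.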

BIAS can also be combined with other attacks, such as the Key Negotiation of Bluetooth (KNOB) attack, which was disclosed last year by the same research team. KNOB forces the two participants in a Bluetooth key negotiation to agree on an encryption key with just one byte of entropy, leaving only 256 possible keys, so an attacker can brute-force the key offline in real time. From there, they're able to intercept and decrypt the data being passed between the devices.
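To make the one-byte-entropy point concrete, here is an added example (not the researchers' code) in which an eavesdropper recovers a key whose negotiated entropy has been reduced to one byte by trying all 256 candidates against a predictable packet header. The real Bluetooth entropy-reduction step and cipher (E0 or AES-CCM) are replaced by zero-padding and an HMAC-SHA256 keystream as stand-ins, and the packet, its header and the nonce are constructed for the example.

```python
"""
Toy model of why a key with one byte of entropy, as forced by KNOB, is
useless: 8 bits of entropy means 256 candidate keys, tried offline.
Added example, not the researchers' code.  The real entropy-reduction
step and cipher are replaced by zero-padding and an HMAC-SHA256
keystream as stand-ins; the packet and nonce are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 16
# Constructed: a header the eavesdropper can predict (e.g. fixed protocol bytes),
# followed by the payload the attacker wants to read.
KNOWN_PREFIX = b"\x0c\x00\x41\x00"
MESSAGE = KNOWN_PREFIX + b"hello from the headset"


def reduce_entropy(kc: bytes, entropy_bytes: int) -> bytes:
    """Stand-in for negotiated entropy: keep `entropy_bytes` bytes of the
    16-byte key and fix the remainder to zero."""
    return kc[:entropy_bytes] + bytes(KEY_LEN - entropy_bytes)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for E0 / AES-CCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher: encryption and decryption are the same XOR."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def brute_force(nonce: bytes, ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Eavesdropper: with one byte of entropy, try every candidate key and
    keep the one that decrypts the predictable header correctly."""
    for guess in range(256):
        key = reduce_entropy(bytes([guess]), 1)
        if xor_crypt(key, nonce, ciphertext[: len(known_prefix)]) == known_prefix:
            return key
    return None


def run_knob_scenario() -> dict:
    """Victims negotiate 1 byte of entropy (the KNOB outcome) and encrypt;
    the attacker recovers the key and the plaintext from the ciphertext alone."""
    kc = os.urandom(KEY_LEN)                 # the full key the devices derived
    weak_key = reduce_entropy(kc, 1)         # what KNOB leaves them using
    nonce = os.urandom(8)                    # constructed per-packet nonce
    ciphertext = xor_crypt(weak_key, nonce, MESSAGE)
    recovered = brute_force(nonce, ciphertext, KNOWN_PREFIX)
    return {
        "key_recovered": recovered == weak_key,
        "plaintext": xor_crypt(recovered, nonce, ciphertext) if recovered else None,
    }


if __name__ == "__main__":
    result = run_knob_scenario()
    print("key recovered:", result["key_recovered"])
    print("plaintext:", result["plaintext"])
```

The check against a four-byte known prefix can in principle match a wrong candidate, but with 255 wrong keys and a 32-bit check that happens with probability about 2^-24; a real attacker would confirm with a second packet.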

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” said authors Daniele Antonioli, Nils Ole Tippenhauer and Kasper Rasmussen.

“The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction. The BIAS attacks are at the architectural level of Bluetooth, thus all standard-compliant Bluetooth devices are a potential target.”

Bluetooth SIG, which oversees the Bluetooth standard, said it is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication in legacy authentication, and to recommend checks for encryption type so that a Secure Connections link cannot be downgraded to legacy encryption.

These changes will be introduced in a future specification revision. Until then, the organisation has strongly recommended that vendors ensure the encryption key length cannot be reduced below 7 octets, that hosts initiate mutual authentication when performing legacy authentication, and that hosts support Secure Connections Only mode where possible, so that the security measures remain robust on already-shipped devices.

The researchers privately disclosed the attack in December 2019, and some vendors may have shipped workarounds since then. In practice, a device whose firmware has not been updated since December 2019 should be assumed vulnerable, while one updated after that date may already carry a fix; because the weakness sits in the specification rather than in one vendor's code, users should confirm with their vendor rather than assume either way.
