Bluetooth Vulnerability: BIAS

This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device:

Abstract: Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling impersonation attacks during secure connection establishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure. We refer to our attacks as Bluetooth Impersonation AttackS (BIAS).

Our attacks are standard compliant, and are therefore effective against any standard compliant Bluetooth device regardless of the Bluetooth version, the security mode (e.g., Secure Connections), the device manufacturer, and the implementation details. Our attacks are stealthy because the Bluetooth standard does not require that end users be notified about the outcome of an authentication procedure, or about the lack of mutual authentication. To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

News articles.

Posted on May 26, 2020 at 6:54 AM • 7 Comments

Comments

Clive Robinson • May 26, 2020 10:33 AM

@ ALL,

And the major reason you should not use Bluetooth,

    "because the Bluetooth standard does not require to notify end users about the outcome of an authentication procedure, or the lack of mutual authentication."

This is a guaranteed security failure in any security system.

It's time to stop the "don't scare / overload / bamboozle the user" ethos so prevalent in software design.

Put simply if you can not see the way things are going, then sooner rather than later you are going to be driven over the edge... And if you are very lucky, the first thing you will know is that you have crashed and burned, if you are not so lucky then you are dead meat and the scavengers will pick your bones clean...

It's time users were allowed to, not just take control themselves but also to wise up.

However that runs contrary to the wishes of Silicon Valley and Washington State Corporates who rely on the "mushroom factor"[1] to be able to keep robbing people blind and destroying their privacy.

You could also argue that this is the way the US Government wants it to be as well, but they are far from alone in that aim in the Western Democracies.

[1] The Mushroom Factor or effect is based on the fact that mushrooms are kept in the dark and fed a diet of bovine excrement. Which in effect is what many "Western Democracies" do to their Citizens.

Roger Miller They Won't Get Me • May 26, 2020 10:52 AM

@Clive Robinson,

Sir, you are 100% on what you said in your post. Agree with every single thing you said.

I wish to add: the sheeple mentality that is created deliberately and intentionally, especially by our western governments, allows for ONE extremely bad outcome for "We The People" and that would be the following:
If the majority, or it's pretty safe to say MOST, of the population is complying by being lazy/ignorant/dumb, then it is EXTREMELY EASY to SEE the outliers, the misfits, the NON-COMPLIANT ONES, you know - the ones that stand out by using PGP/GPG, VPN, TOR, etc. What are they trying to hide?

I am extremely saddened by my fellow human beings around the world for
"following the leader". Thank God for people like YOURSELF, whatever your real identity/name is, and thank God for Bruce Schneier for ENLIGHTENING and educating "We The People" regarding "what's out there".

PS:
Mr. Schneier,
Please denounce your support for PIA VPN (Private Internet Access)
as I have a great deal, A TON, of info that ties this VPN "provider"
to CIA. People pay them money for VPN subscriptions so they could
spy on them. WHAT A CONCEPT! It's getting old though.

h-t-t-p-s://www.youtube.com/watch?v=VsEec7uckrA

Michael Wojcik • May 26, 2020 12:06 PM

I remember some guy pointing out the lack of security engineering in Bluetooth a few years back. Ah, yes, here it is.

I still remember reading that piece and shaking my head in dismay. And here we are twenty years later and the BSIG still haven't fixed basic security flaws in the architecture.

I'm shocked - shocked, I tell you.

(On an unrelated note, that was a good CRYPTO-GRAM. It also has Markus Kuhn and others commenting at length on the Unicode non-canonical-encoding problem, a significant source of security problems that, again, developers are still falling prey to after two decades.)

Steve • May 26, 2020 10:14 PM

@La Abeja,

The problem is not what you use Bluetooth for, but rather that it opens the door to being hacked. Take for example those apps pushed by governments and used for COVID19 tracking. People may think they are exposing a bit of their privacy by sharing their location, but the real issue is that your bank account can be emptied, your email account stolen, and the list keeps going.

Ergo Sum • May 26, 2020 10:37 PM

@Clive Robinson...

However that runs contrary to the wishes of Silicon Valley and Washington State Corporates who rely on the "mushroom factor"[1] to be able to keep robbing people blind and destroying their privacy.

You could also argue that this is the way the US Government wants it to be as well, but they are far from alone in that aim in the Western Democracies.

By this time, it's more like "robbed people blind and destroyed their privacy". There's no chance to reverse this in a world where the new ore named data is mined at every possible junction where it can be found. It's good for the corporations and governments, and therefore has to be good for the people...
