New Bluetooth Attack

New attack breaks forward secrecy in Bluetooth.

Three news articles:

BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions’ forward and future secrecy, compromising the confidentiality of past and future communications between devices.

This is achieved by exploiting four flaws in the session key derivation process, two of which are new, to force the derivation of a short, thus weak and predictable session key (SKC).

Next, the attacker brute-forces the key, enabling them to decrypt past communication and decrypt or manipulate future communications.

The vulnerability has been around for at least a decade.

Tags: , , , , ,

Posted on December 8, 2023 at 7:05 AM7 Comments

Comments

yet another bruce December 8, 2023 10:24 AM

From the Register article

While the issue was fixed in Linux in 2020, Newlin says ChromeOS is the only Linux-based operating system that enabled the fix. Other Linux distros including Ubuntu, Debian, Fedora, Gentoo, Arch and Alpine left it disabled by default. Ubuntu 18.04, 20.04, 22.04, 23.10 remain vulnerable, we’re told.

Any idea why a fix like this would be made but not enabled?

Mexaly December 8, 2023 1:27 PM

Damn. I don’t think my 2012 car is going to get an update.
At least, it’s so old that only the stereo uses bluetooth.
OTOH I’ll soon have a better reason to swap out my Lightning accessories for USB C.

Stevie December 8, 2023 2:00 PM

Does anyone have a working paper link? I don’t wish to “Enable JavaScript and cookies to continue” as the ACM and Bruce’s first 4 links demand, and Sci-Hub is blocking me today.

Stevie December 8, 2023 7:54 PM

wayback will work without enabling javascript

Unofficially, certain features work if one knows the URL formats (like https://web.archive.org/save/ followed by a URL, or with “save/” removed to see the latest version); and archived links work. Officially, though, “The Wayback Machine requires your browser to support JavaScript”; for example, it’s not possible as far as I know to get lists of pages or page versions.

Anyway, your provided link and its “published paper” link did work; thanks!

Matthijs van Duin December 16, 2023 8:33 PM

Any idea why a fix like this would be made but not enabled?

Note that all the patch does is change the default value of a certain configuration option (ClassicBondedOnly) from false to true:

-# Defaults to false to maximize device compatibility.
+# Defaults to true for security.

The commit that added this setting (with false as default) said in its commit message:

While some older mice are known to not support pairing or encryption, some platform may choose a more secure posture by requiring the device to be bonded

In other words, changing this default is going to lead to the user experience of “this update broke my mouse” for some people.

Zulu Time --Incorrect December 17, 2023 3:53 PM

This may be of intrest. FYI

Net time servers are off of correct time.
*** UTC/GMT/Zulu: time is being messed with by someone.
Time servers? Microsoft specific? I believe it is network time services.
Have noticed this for over a week on and off. Is sporadic failure.
Go to TimeAndDate.com and look at Zulu time, looks correct right? No it is not.
time is reverse of am and pm. Late at night as day changes it becomes obvious. Day is off. They are doing this on weekends.

This is an important issue. Hope someone here has contacts to investigate and relay info to correct powers. I’m staying out of it. We live in strange times. Criminals are now in charge of everything. People have lost their minds. A UTC time issue is serious. Are the criminal investor houses doing it to game markets? Covering up the collapse? No real time actions? Military actions? Just speculation.

But UTC-GMT-Zulu time is being screwed with by someone. Checked multiple time sources.

Everything is now lied about. Lie about the weather. Now about the time.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.