Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices

A vulnerability related to pairing in Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) connections could be exploited to impersonate a previously paired device, researchers have discovered.

A vulnerability related to pairing in Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) connections could be exploited to impersonate a previously paired device, researchers have discovered.

The security flaw allows for an attacker within Bluetooth range of an affected device to spoof the Bluetooth address of a previously bonded remote device, thus successfully authenticating without knowing the link key normally used for establishing an encrypted connection.

“It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS),” a CERT Coordination Center (CERT/CC) alert reads.

In a statement published on this vulnerability, the Bluetooth Special Interest Group (SIG) explains that the attacks allow hackers to “negotiate a reduced encryption key strength” if the device is still vulnerable to the KNOB (Key Negotiation of Bluetooth) attack disclosed last year.

The attacker could attempt to brute-force the encryption key and spoof the remote paired device. If the attack is not successful, the encrypted link is not established, but the attacker may still appear authenticated to the host.

For the attack to be successful, the attacker needs to know the Bluetooth address of the remote device to which the target was previously paired. Tracked as CVE-2020-10135, the vulnerability has a CVSS score of 4.8.

The vulnerability can be exploited in two manners, depending on the Secure Simple Pairing method (Legacy Secure Connections or Secure Connections) used to establish the previous connection with the remote device.

The first method allows the attacker to downgrade the authentication security and proceed with the BIAS method. If they can downgrade authentication or the device does not support Secure Connections, the attacker can initiate a master-slave role switch to become the authentication initiator.

Advertisement. Scroll to continue reading.

“If successful, they complete the authentication with the remote device. If the remote device does not then mutually authenticate with the attacker in the master role, it will result in the authentication-complete notification on both devices, even though the attacker does not possess the link key,” the CERT/CC alert reads.

To mitigate the issue, vendors are advised to ensure that the encryption key length cannot be reduced below 7 octets and that hosts initiate mutual authentication or support Secure Connections Only mode when this is possible. Moreover, they should ensure that an encrypted link is required for the Bluetooth authentication to be used to independently signal a change in device trust.

“To remedy this vulnerability, the Bluetooth SIG is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication in legacy authentication and to recommend checks for encryption-type to avoid a downgrade of secure connections to legacy encryption,” Bluetooth SIG notes.

Related: New Bluetooth Vulnerability Allows Attackers to Intercept Traffic

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

Related: Google’s Titan Security Keys Vulnerable to Bluetooth Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.