New Bluetooth Vulnerabilities Could Expose Many Devices to Impersonation Attacks

Researchers working for a French government agency have identified seven new Bluetooth vulnerabilities that could expose many devices to impersonation and other types of attacks.

The flaws, discovered by researchers at France’s national cybersecurity agency ANSSI, affect devices that support the Bluetooth Core and Mesh specifications, which define technical and policy requirements for devices operating over Bluetooth connections.

Malicious actors who are within Bluetooth range can exploit the weaknesses to impersonate legitimate devices, according to an advisory published on Monday by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.

Advisories for each flaw have also been published by the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards.

The vulnerabilities identified by ANSSI do not appear to be easy to exploit and most of them have mitigating factors, including related to the timing of the attack.

The list of organizations whose products have been confirmed to be affected — at least by some of the vulnerabilities — includes the Android Open Source Project (AOSP), Cisco, Cradlepoint, Intel, Microchip Technology and Red Hat. Two dozen vendors appear to have confirmed that their products are not impacted. There are also 200 other vendors whose products could be vulnerable, but they currently have an “unknown” status in CERT/CC’s advisory.

Impacted vendors appear to be working on patches. In the case of Android, the mobile operating system is affected by three of the vulnerabilities, but only two will be patched with upcoming updates — the third has a negligible security impact, according to AOSP.

The vendors that have confirmed the vulnerabilities said their products appear to be mostly impacted by CVE-2020-26555 and CVE-2020-26558, both of which have been described as impersonation issues.

In the case of CVE-2020-26555, the Bluetooth SIG explained, “The attacker must be able to identify the [Bluetooth Device Address] of the vulnerable device before it can launch the attack, generally requiring the device to be discoverable. If successful, the attacker will be able to complete pairing with a known link key, encrypt communications with the vulnerable device, and access any profiles permitted by a paired or bonded remote device supporting Legacy Pairing.”

As for CVE-2020-26558, the organization explained that an attacker in range of two devices initiating Bluetooth pairing could authenticate one of the victim devices to their own device, but the attack does not allow for successful pairing between the devices, which prevents a fully transparent MitM attack.

The Bluetooth SIG has provided a series of recommendations for preventing exploitation of the vulnerabilities.

Related: Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices

Related: BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks

Related: SweynTooth: Bluetooth Vulnerabilities Expose Many Devices to Attacks

Related: BLURtooth Vulnerability Can Allow Bluetooth MITM Attacks