Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher

An academic researcher demonstrates BLUFFS, six novel attacks targeting Bluetooth sessions’ forward and future secrecy.

Bluetooth

EURECOM assistant professor Daniele Antonioli has demonstrated a series of novel attacks targeting Bluetooth sessions’ forward and future secrecy.

By compromising a session key, an attacker can impersonate devices and set up man-in-the-middle (MitM) attacks, effectively breaking the future and forward secrecy guarantees of Bluetooth’s pairing and session establishment security mechanisms.

Called BLUFFS (Bluetooth Forward and Future Secrecy), the attacks exploit two novel vulnerabilities in Bluetooth, impacting the unilateral and repeatable session key derivation. Tested on 17 different Bluetooth chips, the attacks have a large-scale impact on the ecosystem, the academic researcher says.

“As the attacks affect Bluetooth at the architectural level, they are effective regardless of the victim’s hardware and software details,” Antonioli notes in his research paper.

The BLUFFS attacks enable a hacker to brute-force the session encryption key in real time, which can allow them to conduct live injection attacks on traffic between the targeted devices, according to the Bluetooth Special Interest Group (SIG), which assigned CVE-2023-24023 to the issue.

In addition to detailing the attacks, the researcher has released a low-cost toolkit that relies on seven patches for the manipulation and monitoring of Bluetooth session key derivation.

Antonioli also developed an enhanced key derivation function for Bluetooth that prevents all six attacks and the underlying causes, and which can be integrated into the standard.

The BLUFFS attacks assume the fact that an attacker within Bluetooth range of two victim devices can capture packets in plaintext, knows the victim’s Bluetooth address, can craft packets, and negotiate arbitrary capabilities.

Advertisement. Scroll to continue reading.

The attack scenario assumes that the adversary is targeting the victim device’s current Bluetooth session, and that they can reuse a weak session key to decrypt both past and future messages (breaking both forward and future secrecy).

According to the researcher, the BLUFFS attacks are rooted in four architectural vulnerabilities related to Bluetooth session establishment, including two novel issues that allow the derivation of the same key across sessions.

The first bug resides in the fact that, in a Central-Peripheral pair, Bluetooth allows the Central to set all session key diversification values, thus allowing an attacker to unilaterally drive key diversification when impersonating a Central.

The second issue, Antonioli says, is that while random numbers are used in key diversification, nonces are not used, meaning that the numbers can be “reused in past, present, and future sessions without violating the standard”.

An attacker who knows a triplet and the corresponding weak session key “can force the victims to derive the same attacker-controlled session key across sessions”, the researcher says.

With all tested chips and devices vulnerable to the newly devised attacks, the “BLUFFS attacks are practical and have a large-scale impact on the Bluetooth ecosystem,” the researcher says.

The Bluetooth SIG was informed about the attack methods in October 2022, and tech giants such as Google, Intel, Apple, Qualcomm and Logitech have also been notified. Several of them have confirmed working on fixes. 

Related: Researchers Devise New Type of Bluetooth LE Relay Attacks

Related: Researchers Release PoC Tool Targeting BrakTooth Bluetooth Vulnerabilities

Related: BLURtooth Vulnerability Can Allow Bluetooth MITM Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.