EURECOM assistant professor Daniele Antonioli has demonstrated a series of novel attacks targeting Bluetooth sessions’ forward and future secrecy.
By compromising a session key, an attacker can impersonate devices and set up man-in-the-middle (MitM) attacks, effectively breaking the future and forward secrecy guarantees of Bluetooth’s pairing and session establishment security mechanisms.
Called BLUFFS (Bluetooth Forward and Future Secrecy), the attacks exploit two novel vulnerabilities in Bluetooth, impacting the unilateral and repeatable session key derivation. Tested on 17 different Bluetooth chips, the attacks have a large-scale impact on the ecosystem, the academic researcher says.
“As the attacks affect Bluetooth at the architectural level, they are effective regardless of the victim’s hardware and software details,” Antonioli notes in his research paper.
The BLUFFS attacks enable a hacker to brute-force the session encryption key in real time, which can allow them to conduct live injection attacks on traffic between the targeted devices, according to the Bluetooth Special Interest Group (SIG), which assigned CVE-2023-24023 to the issue.
In addition to detailing the attacks, the researcher has released a low-cost toolkit that relies on seven patches for the manipulation and monitoring of Bluetooth session key derivation.
Antonioli also developed an enhanced key derivation function for Bluetooth that prevents all six attacks and the underlying causes, and which can be integrated into the standard.
The BLUFFS attacks assume the fact that an attacker within Bluetooth range of two victim devices can capture packets in plaintext, knows the victim’s Bluetooth address, can craft packets, and negotiate arbitrary capabilities.
The attack scenario assumes that the adversary is targeting the victim device’s current Bluetooth session, and that they can reuse a weak session key to decrypt both past and future messages (breaking both forward and future secrecy).
According to the researcher, the BLUFFS attacks are rooted in four architectural vulnerabilities related to Bluetooth session establishment, including two novel issues that allow the derivation of the same key across sessions.
The first bug resides in the fact that, in a Central-Peripheral pair, Bluetooth allows the Central to set all session key diversification values, thus allowing an attacker to unilaterally drive key diversification when impersonating a Central.
The second issue, Antonioli says, is that while random numbers are used in key diversification, nonces are not used, meaning that the numbers can be “reused in past, present, and future sessions without violating the standard”.
An attacker who knows a triplet and the corresponding weak session key “can force the victims to derive the same attacker-controlled session key across sessions”, the researcher says.
With all tested chips and devices vulnerable to the newly devised attacks, the “BLUFFS attacks are practical and have a large-scale impact on the Bluetooth ecosystem,” the researcher says.
The Bluetooth SIG was informed about the attack methods in October 2022, and tech giants such as Google, Intel, Apple, Qualcomm and Logitech have also been notified. Several of them have confirmed working on fixes.