Researchers found a new Bluetooth bug that allows hackers to impersonate a trusted device


Posts: 764   +12
Staff member

Researchers at École Polytechnique Fédérale de Lausanne have published details about a new Bluetooth vulnerability that affects billions of mobile devices and wearables and allows a clever attacker to pose as a remotely paired device.

The attack method, dubbed Bluetooth Impersonation Attacks (BIAS), is related to Bluetooth Classic, which supports two types of wireless data transfer between devices: Basic Rate (BR) and Enhanced Data Rate (EDR).

The academics explain "the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment. [...] Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade."

On a more positive note, for BIAS to be a viable option the attacker must bring their device within range of yours. Then, to perform the technique they have to eavesdrop on a BR or EDR connection between your device and another, say your Bluetooth headphones, and find out their address.

The vulnerability allows hackers to use that information to impersonate either a slave or a master device, meaning they can both read information from the target device and transmit data to it. And this is achieved by mimicking a previously trusted device and claiming to support only unilateral authentication, which is the lowest level of Bluetooth security.

Researchers note that these attacks can be combined with others such as KNOB, and they can be easily performed using low-cost equipment such as a Raspberry Pi. In their paper, they evaluated a total of 30 unique Bluetooth devices equipped with 28 different Bluetooth chips, which include several models of smartphones from Apple, Nokia, Samsung, and Google, as well as laptops from HP and Lenovo.

In light of the findings, Bluetooth SIG introduced a number of changes to the Bluetooth core specification "to clarify when role switches are permitted, to require mutual authentication in legacy authentication and to recommend checks for encryption-type to avoid a downgrade of secure connections to legacy encryption."

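An added illustration, not part of the original story or the researchers' paper: a small model of the accept/reject decision a device makes when a remote party connects under a bonded address, first with unilateral authentication and then with the two checks named in the Bluetooth SIG quote (mutual authentication and a downgrade check). All names here (`Remote`, `local_decision`, the `bond` fields) are hypothetical, and HMAC-SHA256 is an assumed stand-in for the real Bluetooth response function.

```python
import hashlib
import hmac
import os

def response(link_key: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in (assumption) for Bluetooth's response function.
    return hmac.new(link_key, challenge, hashlib.sha256).digest()

class Remote:
    """Remote device claiming a bonded address. link_key=None models a
    device that never paired and so does not hold the shared key."""
    def __init__(self, link_key, claims_secure_connections):
        self.link_key = link_key
        self.claims_secure_connections = claims_secure_connections

    def answer(self, challenge: bytes) -> bytes:
        key = self.link_key if self.link_key is not None else os.urandom(16)
        return response(key, challenge)

def remote_proves_key(bond_key: bytes, remote: Remote) -> bool:
    challenge = os.urandom(16)  # fresh per attempt, so old answers cannot be replayed
    return hmac.compare_digest(remote.answer(challenge), response(bond_key, challenge))

def local_decision(bond: dict, remote: Remote, hardened: bool):
    """Return (accepted, reason) for a remote that takes the verifier role.
    bond holds 'link_key' and 'secure_connections' from the original pairing."""
    if hardened and bond["secure_connections"] and not remote.claims_secure_connections:
        return False, "downgrade: bond used secure connections"
    if hardened or remote.claims_secure_connections:
        ok = remote_proves_key(bond["link_key"], remote)
        return ok, "mutual authentication " + ("passed" if ok else "failed")
    # Unilateral legacy procedure: only the local device answers a challenge,
    # so it accepts without any proof that the remote holds the link key.
    return True, "unilateral: remote never proved key possession"

if __name__ == "__main__":
    key = os.urandom(16)  # constructed sample key
    bond = {"link_key": key, "secure_connections": True}
    cases = {"paired device": Remote(key, True),
             "no key, claims legacy only": Remote(None, False)}
    for hardened in (False, True):
        for name, remote in cases.items():
            print(hardened, name, local_decision(bond, remote, hardened))
```

With `hardened=False` the keyless remote is accepted purely because the procedure never asks it to prove anything; with `hardened=True` the same remote is rejected either by the downgrade check or by the failed mutual challenge.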



Posts: 113   +60
Seems if people do enough research about most technologies they will find security flaws in plenty of them.


Posts: 5,537   +5,202
Which version of Bluetooth is at least affected? Come on!

That Italian accent nearly made me want "two piece and sheet on the bed".



Posts: 2,718   +2,052
Who leaves their BT turned on broadcasting? Mine is on all the time, but you wouldn't know it because it isn't out there telling on itself.


Posts: 1,066   +433
Bluetooth is THE BUG. From its very first version till now it was made to enable unauthorized access by certain agencies and entities. The pool of "bugs" (better expression would be "deliberate security holes") in Bluetooth is inexhaustible. You could probably make a bible-size book describing BT bugs (certain entities would call them features).