Researchers at École Polytechnique Fédérale de Lausanne have published details about a new Bluetooth vulnerability that affects billions of mobile devices and wearables and allows a clever attacker to pose as a remotely paired device.
The attack method, dubbed Bluetooth Impersonation Attacks or (BIAS), is related to Bluetooth Classic which supports two types of wireless data transfer between devices: Basic Rate (BR) and Enhanced Data Rate (EDR).
The academics explain "the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment. [...] Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade."
On a more positive note, for BIAS to be a viable option the attacker must bring their device within range of yours. Then, to perform the technique they have to eavesdrop a BR or EDR connection between your device and another, say your bluetooth headphones, and find out their address.
The vulnerability allows hackers to use that information to impersonate either a slave or a master device, meaning they can both read information from the target device or transmit data to it. And this is achieved by mimicking a previously trusted device and claiming to support only unilateral authentication, which is the lowest level of Bluetooth security.
Researchers note that these attacks can be combined with others such as KNOB, and they can be easily performed using low-cost equipment such as a Raspberry Pi. In their paper, they evaluated a total of 30 unique Bluetooth devices equipped with 28 different Bluetooth chips, which include several models of smartphones from Apple, Nokia, Samsung, and Google, as well as laptops from HP and Lenovo.
In light of the findings, Bluetooth SIG introduced a number of changes to the Bluetooth core specification "to clarify when role switches are permitted, to require mutual authentication in legacy authentication and to recommend checks for encryption-type to avoid a downgrade of secure connections to legacy encryption."