A team of security researchers identified a new type of attack that endangers Bluetooth devices. The vulnerabilities are located in the Bluetooth Core and Mesh Profile Specifications, and could let attackers disguise themselves as legitimate devices in order to perform man-in-the-middle attacks.
BIAS, or Bluetooth Impersonation AttackS
Called BIAS, or Bluetooth Impersonation AttackS, the vulnerabilities were discovered by Daniele Antonioli (School of Computer and Communication Sciences, EPFL), Nils Ole Tippenhauer (CISPA Helmholtz Center for Information Security), and Kasper Rasmussen (Department of Computer Science, University of Oxford).
“Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device. We refer to our attacks as Bluetooth Impersonation Attacks (BIAS),” the researchers said in their report.
“Our proof of concept implementation leverages a Bluetooth development kit to send the required messages; however, any device with full access to the Bluetooth firmware and a Bluetooth baseband transceiver can perform the BIAS attacks,” the report clarified.
How did the research team create its proof of concept?
To confirm that the BIAS weaknesses are a real threat, the researchers tested them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR, covering all the major Bluetooth versions.
It is also noteworthy that four separate vulnerabilities were unearthed in the Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1. In total, six CVEs were assigned: CVE-2020-26555, CVE-2020-26558, CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, and CVE-2020-26560.
“Our attacks work even when the victims are using Bluetooth’s strongest security modes, e.g., SSP and Secure Connections. Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device,” the report added.
Vendors Affected by the BIAS Vulnerabilities
The Android Open Source Project, Cisco, Microchip Technology, and Red Hat are among the vendors affected by these new Bluetooth weaknesses. Reportedly, AOSP, Cisco, and Microchip Technology are already working on solutions to mitigate the risks.
In addition, the Bluetooth Special Interest Group (SIG), responsible for the development of Bluetooth standards, has also released security notices. Users should install the latest available updates from their device and operating system vendors.
Previous BIAS Weaknesses
Last year, researchers reported the CVE-2020-10135 vulnerability, also a version of the BIAS attack, affecting the classic version of the Bluetooth protocol. The vulnerability could allow an attacker to impersonate a previously bonded remote device and complete the authentication procedure with some paired/bonded devices without possessing the link key. The vulnerability was related to the Key Negotiation of Bluetooth (KNOB) bug, discovered in 2019.