The attack has been called BIAS (Bias Impersonation AttackS) and is given the CVE-2020-10135 identifier, and it affects the classic version of the Bluetooth protocol. This means that devices, such as smartphones, tablets, laptops, smart IoT devices, relying on Bluetooth Classic are exposed.
Who discovered the vulnerability? Researchers at the École Polytechnique Fédérale de Lausanne (EPFL) identified the flaw, which is related to pairing in Bluetooth BR/EDR connections. The vulnerability allows attackers to exploit a previously bonded remote device to complete the authentication procedure with some paired/bonded devices while not possessing the link key, as explained in the official press release. The vulnerability is related to the Key Negotiation of Bluetooth (KNOB) bug, discovered in 2019:
This may permit an attacker to negotiate a reduced encryption key strength with a device that is still vulnerable to the Key Negotiation of Bluetooth attack disclosed in 2019. If the encryption key length reduction is successful, an attacker may be able to brute force the encryption key and spoof the remote paired device. If the encryption key length reduction is unsuccessful, the attacker will not be able to establish an encrypted link but may still appear authenticated to the host.
How can the BIAS Bluetooth bug (CVE-2020-10135) be exploited?
The first condition for this bug to be exploited is for the attacking device to be within wireless range of the vulnerable Bluetooth device. The second condition is that the device should have previously established a BR/EDR bonding with a remote device with a Bluetooth address known to the attacker.
“For devices supporting Secure Connections mode, the attacker claims to be the previously paired remote device but with no support for Secure Connections. This will generally permit the attacker to proceed with an attack on legacy authentication unless the device is in Secure Connections Only mode,” the researchers explain.
It should be noted that if the pairing has been completed via the Secure Connections method, the attacker could claim to be the previously paired remote device that does not support secure connections any longer, thus downgrading the authentication security.
This would allow the attacker to perform the BIAS attack against the legacy authentication. This won’t be possible, in case the targeted device is in Secure Connections only mode. If the attacker can either downgrade authentication or istargeting a device that doesn’t support Secure Connections, an attack using a similar method can be carried out – by initiating a master-slave role switch.
This is done to achieve the master role with the purpose of becoming the authentication initiator. In case this attempt is successful, the authentication with the remote device is completed. If the remote device doesn’t mutually authenticate with the attacker in the master role, this will lead to the authentication-complete notification on both devices, despite the attacker not having the link key.
In 2019, the same researchers’ team discovered another dangerous Bluetooth vulnerability, known as the KNOB attack. The issue effectively allowed threat actors to attack targeted devices while at the same time stealing sensitive encryption keys during the connection initiation process.
This could lead to hijacking all traffic and user interactions. All of this represents a tremendous threat to Bluetooth devices. It should be noted that the problem was found to be coming from the protocol standards themselves. The security reports indicate that the issue came from technical specifications created 20 years ago.
Finally, the research indicates that in case an attacker uses BIAS and KNOB bugs in combination, the authentication on Bluetooth Classic devices running in a secure authentication mode can be broken.
This means that Bluetooth devices must receive patches against both the BIAS (CVE-2020-10135) and KNOB (CVE-2019-9506) vulnerabilities to avoid any security risks.