• Security researchers have discovered new Bluetooth security flaws that allow hackers to impersonate devices and perform man-in-the-middle attacks.

• The vulnerabilities impact all devices with Bluetooth 4.2 through Bluetooth 5.4, including laptops, PCs, smartphones, tablets, and others.

• Users can do nothing at the moment to fix the vulnerabilities, and the solution requires device manufacturers to make changes to the security mechanisms used by the technology.

Research paper: https://dl.acm.org/doi/pdf/10.1145/3576915.3623066

Github: https://github.com/francozappa/bluffs

CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-24023

  • andrew_bidlaw · 10 upvotes · 11 months ago

    Specifically, we present the BLUFFS attacks, six novel attacks breaking Bluetooth’s forward and future secrecy by targeting session establishment. The attacks exploit an attack strategy forcing LSC session establishment and manipulating in novel ways its key derivation to reuse a key known to the attacker across sessions. The attacker first installs a weak session key, then spends some time brute-forcing it, and reuses it to impersonate or machine-in-the-middle (MitM) a victim in subsequent sessions (breaking future secrecy) and decrypt data from past sessions (breaking forward secrecy). We decline the attack strategy in six attack scenarios related to the victim’s connection role (i.e., initiator or responder) and Bluetooth security mode (i.e., LSC or SC). Moreover, we detail the four attacks’ root causes, two of which uncover that the standard allows to unilaterally derive session keys without relying on nonces.

    We develop the BLUFFS toolkit to perform and detect the BLUFFS attacks automatically and with low effort. The toolkit provides an attack device module requiring open-source software, a Linux laptop, and a Cypress/Infineon CYW20819 board [30]. We provide seven new patches for the board’s closed-source firmware enabling monitoring and tampering with Bluetooth session key derivation. Moreover, our attack checker module cleverly parses and analyzes session establishment messages, aka Link Manager Protocol (LMP) packets from a pcap file to automatically compute session keys and detect our attacks.

    We demonstrate that the BLUFFS attacks are effective on a large scale by evaluating eighteen devices embedding seventeen unique Bluetooth chips. We successfully exploited a broad set of devices (e.g., laptops, smartphones, headsets, and speakers), operating systems (e.g., iOS, Android, Linux, Windows, and proprietary OSes), Bluetooth stacks (e.g., BlueZ, Gabeldorsche, Bluedroid, and proprietary ones), vendors (e.g., Intel, Broadcom, Cypress, Cambridge Silicon Radio, Infineon, Bestechnic, Apple, Murata, Universal Scientific Industrial, Samsung, Dell, Google, Bose, Logitech, Xiaomi, Lenovo, Jaybird, and Qualcomm), and Bluetooth versions (e.g., 5.2, 5.1, 5.0, 4.2, and 4.1).

    The range is impressive but I’m yet to imagine a use case. How to abuse it for money or intel? Listening to bluetooth headphones, keylogging a wireless board? Emulating said keyboard to get access to more? It sounds like a single-target weapon to me. Can one get it working in a mall, like changing rooms in H&M, to make most phones disclose their secrets? Then, it’s sure more fucked up. I wonder how many currently used devices won’t ever have this update.
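A defender-side check in the spirit of the paper's attack checker module, written as an added example (not the BLUFFS toolkit's own code). It runs over a constructed, simplified per-session record format rather than real LMP packets from a pcap; the field names, the sample sessions and the three conditions flagged (forced LSC, session key reuse, key derivation without a fresh nonce from each peer) are taken from the abstract above, with the record layout being an assumption.

```python
def check_sessions(sessions):
    """Return [(session_id, finding), ...] for anomalous session establishments.

    Each record is a constructed summary of one session: id, initiator,
    responder, mode ("LSC" or "SC"), sc_supported (both peers advertise SC),
    session_key (hex string) and the nonce each peer contributed (None if absent).
    """
    findings = []
    first_use = {}        # session_key -> id of the first session that used it
    nonces_seen = set()   # (peer, nonce) pairs already consumed
    for s in sessions:
        sid = s["id"]
        # 1. Downgrade: the attack strategy forces LSC even when SC is available.
        if s["mode"] == "LSC" and s["sc_supported"]:
            findings.append((sid, "LSC negotiated although both peers support SC"))
        # 2. Reuse: one session key must never protect two sessions.
        key = s["session_key"]
        if key in first_use:
            findings.append((sid, f"session key reused from session {first_use[key]}"))
        else:
            first_use[key] = sid
        # 3. Unilateral derivation: both peers must contribute a fresh nonce.
        for peer_field, nonce_field in (("initiator", "initiator_nonce"),
                                        ("responder", "responder_nonce")):
            peer, nonce = s[peer_field], s[nonce_field]
            if nonce is None:
                findings.append((sid, f"no nonce from {peer}"))
            elif (peer, nonce) in nonces_seen:
                findings.append((sid, f"nonce repeated by {peer}"))
            else:
                nonces_seen.add((peer, nonce))
    return findings


# Constructed sample: phone <-> headset, three consecutive sessions.
SAMPLE_SESSIONS = [
    {"id": 1, "initiator": "phone", "responder": "headset", "mode": "SC",
     "sc_supported": True, "session_key": "a1b2", "initiator_nonce": "n1",
     "responder_nonce": "m1"},
    {"id": 2, "initiator": "phone", "responder": "headset", "mode": "LSC",
     "sc_supported": True, "session_key": "c3d4", "initiator_nonce": "n2",
     "responder_nonce": "m2"},
    {"id": 3, "initiator": "phone", "responder": "headset", "mode": "LSC",
     "sc_supported": True, "session_key": "c3d4", "initiator_nonce": "n3",
     "responder_nonce": None},
]

if __name__ == "__main__":
    for sid, msg in check_sessions(SAMPLE_SESSIONS):
        print(f"session {sid}: {msg}")
```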

    • XbSuper@lemmy.world · 3 upvotes · 11 months ago

      Could they possibly intercept a call between a smartwatch and phone, during a gpay or apple pay? This is the biggest concern I have, as I use my watch to pay for everything.

      • andrew_bidlaw · 1 upvote · 11 months ago

        Depends on how often they contact each other, I guess. Is phone even needed to do so once you authorized the watch? Can you pay with your phone being anywhere else?

      • arandomthought · 13 upvotes · 11 months ago

        It’s such an apple thing to do. “Alright, you want to turn off Bluetooth, okay. But we think it’s better to have it on, and we know better, so, you know: Tomorrow’s another day.” At that point I don’t own my device, I’m hostage negotiating with it.

        • hemmes@lemmy.world · 2 upvotes · 11 months ago

          You can go to Settings and turn off Bluetooth completely. It’s one of the first options in Settings.

      • anewbeginning@lemmy.world · 2 upvotes · 11 months ago

        I have a shortcut set up to turn it off and have the 3-tap on the back gesture to activate it. It’s always off unless I need it.

    • bless@lemmy.world (OP) · 11 upvotes, 1 downvote · 11 months ago

      Haha, I like the spirit, but that’s not really a fix; that’s just avoidance.

    • DogMuffins@discuss.tchncs.de · 10 upvotes, 2 downvotes · 11 months ago

      Sure mate, do you ever take your car out of the garage or do you just leave it there in case it breaks down on the way to the shops?

      I use Bluetooth devices with my phone all day every day. Car, headphones, watch, laptop, speakers. It’s fine if you don’t, but surely you can recognise that leaving bluetooth on for most people is about functionality rather than mere laziness.

      That said, I’m not at all surprised that a vulnerability exists. Consumer tech just isn’t built to be resilient in that way.

    • squiblet@kbin.social · 4 upvotes, 1 downvote · 11 months ago

      That would be nice. Personally I have two medical devices that have to be constantly connected to my phone via Bluetooth.

    • Squeak@lemmy.world · 2 upvotes, 1 downvote · 11 months ago

      That’s like Steve Jobs saying ‘you’re holding it wrong’ about the iPhone 4…

    • TimLovesTech (AuDHD)(he/him)@badatbeing.social · 2 upvotes, 1 downvote · 11 months ago

      That in theory works, if you don’t have to listen to music, use a smartwatch, own a wireless keyboard/mouse/headphones, etc. It’s in everything, and some things lose all functionality without it.

    • ramble81@lemm.ee · 1 upvote, 1 downvote · 11 months ago

      Sure, but I’d like to listen to music… no wait, there’s no longer a 3.5mm jack. Okay, I want to get some information or a call in my car… no wait, there are hands-free laws where I can’t hold my phone. Okay, let me check my watch for notifications… no wait, it can’t connect to my phone now.