Wireless connectivity is becoming increasingly popular, thanks in large part to Bluetooth, a short-range radio technology for data exchange between devices. Almost every accessory, as well as many end devices from loudspeakers to vehicles, uses this communication technology worldwide.
Bluetooth is now also used for many other functions that require a direct connection between subsystems, for example unlocking doors in vehicles or in the smart home. Bluetooth also plays an important role in the Covid-19 contact tracing apps, which use it to detect other devices in the immediate vicinity.
Tests show serious weaknesses in all current protocol versions
Three security researchers have examined the existing authentication methods of the Bluetooth protocol in detail. In several attempts, they were able to bypass essential security mechanisms and impersonate a Bluetooth device. The set of vulnerabilities found was named “Bluetooth Impersonation Attacks” (BIAS) and was described and published in a detailed study.[1] Devices with chips from various well-known manufacturers are affected, i.e. almost all Bluetooth-capable components worldwide.
Incorrect key verification allows the remote device to be deceived
The discovered problems were demonstrated regardless of protocol version. Thus, in addition to the older 4.x versions, the current standard 5 is also affected. Specifically, this concerns faulty checks of the security keys exchanged during the so-called pairing process. Among other things, this key is used to ensure that existing connections cannot be taken over by other devices. However, by swapping the primary and secondary roles, this supposedly secret key could subsequently be extracted from existing Bluetooth connections. This allows a foreign device to subsequently re-establish an existing connection without valid pairing.
Various attack scenarios are conceivable, but direct access to the connection is necessary
Strictly speaking, only the actual linking or pairing process of the Bluetooth connection is affected; further communication between the end systems is not directly affected. Nevertheless, there are some, at first purely theoretical, possibilities for exploiting the vulnerability. The attacker must be able to communicate directly with the device on site and must know the basic information of the legitimate partner device.
particularly interesting. Bluetooth connections through which critical controls are possible, such as locking systems, are a different matter, however. If the underlying protocols do not perform additional checks, they could be tricked, or probed for further vulnerabilities, to gain unauthorized access. Such a scenario would be conceivable for smart home systems. A combination with other Bluetooth bugs to negatively influence other connections and systems is also possible.[2]
BIAS vulnerability known since 2019, but no solution in sight
The security researchers already reported their findings to the Bluetooth Special Interest Group in 2019. However, since the entire protocol stack is affected, no solution to the problem appears to be in sight yet. It is therefore important to bear in mind that Bluetooth connections can pose a security risk for critical control and communication functions if those functions rely solely on the successful authentication of the Bluetooth connection and do not perform any further checks. Additional security checks implemented by manufacturers make the vulnerability harder to exploit.
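As an added example (not from the study or this article), one way to implement the additional check recommended above: an application-layer mutual challenge-response over the already-connected Bluetooth link, using a secret provisioned separately from the link key, so that a device which only defeated the link-layer authentication still cannot trigger a critical action such as unlocking. The APP_KEY value, the peer names and the direction tags are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo secret: an application-level key provisioned out of band
# (e.g. at device enrolment) and never used by the Bluetooth pairing or
# authentication procedure that BIAS targets. Hypothetical value.
APP_KEY = bytes.fromhex(
    "3f9a7c2e1b4d5a6f8e0c1d2b3a4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0b1a2f"
)


def _proof(key: bytes, direction: bytes, nonce_c: bytes, nonce_p: bytes) -> bytes:
    # Both nonces and a direction tag are bound into the MAC, so a proof can
    # neither be replayed from an earlier session nor reflected back to its sender.
    return hmac.new(key, direction + nonce_c + nonce_p, hashlib.sha256).digest()


class AppPeer:
    """One endpoint of an existing Bluetooth link. It does not trust the
    link-layer authentication result and demands its own proof of key knowledge."""

    def __init__(self, name: str, app_key: bytes):
        self.name = name
        self.app_key = app_key

    def fresh_nonce(self) -> bytes:
        return os.urandom(16)

    def prove(self, direction: bytes, nonce_c: bytes, nonce_p: bytes) -> bytes:
        return _proof(self.app_key, direction, nonce_c, nonce_p)

    def check(self, direction: bytes, nonce_c: bytes, nonce_p: bytes, proof: bytes) -> bool:
        expected = _proof(self.app_key, direction, nonce_c, nonce_p)
        return hmac.compare_digest(expected, proof)


def mutual_authenticate(central: AppPeer, peripheral: AppPeer) -> bool:
    """Application-layer mutual challenge-response carried over the Bluetooth link."""
    nonce_c = central.fresh_nonce()
    nonce_p = peripheral.fresh_nonce()
    # The peripheral proves itself first; the central only answers after verifying it.
    if not central.check(b"P->C", nonce_c, nonce_p, peripheral.prove(b"P->C", nonce_c, nonce_p)):
        return False
    return peripheral.check(b"C->P", nonce_c, nonce_p, central.prove(b"C->P", nonce_c, nonce_p))


def unlock_allowed(link_authenticated: bool, central: AppPeer, peripheral: AppPeer) -> bool:
    """Gate a critical action on the link-layer result AND the application-layer check."""
    return link_authenticated and mutual_authenticate(central, peripheral)
```

A peer that passed link-layer authentication by impersonation but holds the wrong application key fails `mutual_authenticate`, so `unlock_allowed` returns False.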
[1] https://francozappa.github.io/about-bias/publication/antonioli-20-bias/antonioli-20-bias.pdf
[2] https://threatpost.com/bluetooth-bugs-impersonation-devices/155886/