"New Bluetooth Vulnerabilities Could Expose Many Devices to Impersonation Attacks"
Researchers with France's national cybersecurity agency ANSSI have identified seven new flaws that affect devices supporting Bluetooth Core and Mesh specifications. These specifications define technical and policy requirements for devices that operate over Bluetooth connections. According to an advisory recently published by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, a malicious actor can exploit the vulnerabilities to impersonate legitimate devices as long as the attacker is within Bluetooth range.

Organizations whose products have been confirmed to be affected by the vulnerabilities identified by ANSSI include Cisco, Intel, Android Open-Source Project (AOSP), Cradlepoint, Microchip Technology, and Red Hat. Two dozen vendors appear to have confirmed that their products are not impacted by the flaws. There are 200 other vendors whose products could be vulnerable but still hold an "unknown" status in CERT/CC's advisory. The Android mobile operating system is affected by three of the vulnerabilities, but the upcoming updates will address only two of them. According to AOSP, the third vulnerability impacting the Android OS has a negligible security impact.

Vendors that have confirmed the vulnerabilities say their products appear to be impacted mostly by CVE-2020-26555 and CVE-2020-26558, which are both described as impersonation issues. The exploitation of CVE-2020-26555 requires the attacker to be able to identify the Bluetooth Device Address of the vulnerable device before they can execute the attack. If the attack is successful, the malicious actor can complete pairing with a known link key, encrypt communications with the vulnerable device, and access profiles allowed by a paired or bonded remote device that supports Legacy Pairing. This article continues to discuss the potential exploitation and impact of the new Bluetooth vulnerabilities.