SoS Musings - Bluetooth Technology: Vulnerabilities, Attacks, and Possibilities
By grigby1
Bluetooth is a highly useful technology that has revolutionized device interaction. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Bluetooth technology enables communication between devices without the need for cables or wires. It relies on short-range radio frequency, allowing any device equipped with this technology to communicate as long as it remains within the required range. It is an electronics standard, so manufacturers must integrate specific requirements into their electronic devices if they want to include this feature. The technology is often used to facilitate communication between two different types of devices, such as a computer and a wireless keyboard or a wireless headset and a mobile phone. However, Bluetooth technology's cross-platform and multi-device complexity has given rise to many security and privacy issues that call for continued research and development of strategies or solutions.
Researchers at Eurecom developed six attacks collectively dubbed "BLUFFS" that can breach Bluetooth session confidentiality, enabling device impersonation and Man-in-the-Middle (MitM) attacks. BLUFFS attacks exploit two vulnerabilities in the Bluetooth standard that are related to how session keys are derived for decrypting data in exchange. These flaws are architectural rather than hardware or software configuration-specific, affecting Bluetooth at a fundamental level. Given the widespread use of the wireless communication standard and the versions impacted by the exploits, BLUFFS could be used to attack billions of devices, including laptops, smartphones, and other mobile devices. BLUFFS is a series of Bluetooth exploits that aim to break Bluetooth sessions' forward and future secrecy, degrading the confidentiality of past and future communications between devices.
Threat actors could use a critical Bluetooth security flaw to take control of Android, Linux, macOS, and iOS devices. The vulnerability, tracked as CVE-2023-45866, is a case of authentication bypass that allows attackers to connect to devices and inject keystrokes in order to conduct code execution as the victim. According to security researcher Marc Newlin, who disclosed the issue to software vendors, multiple Bluetooth stacks have authentication bypass flaws that enable attackers to connect to a discoverable host without user confirmation as well as inject keystrokes. The attack tricks the target device into thinking it is connected to a Bluetooth keyboard by exploiting an "unauthenticated pairing mechanism" defined in the Bluetooth specification. An adversary in close physical proximity could connect to a vulnerable device and transmit keystrokes to install apps and run arbitrary commands if the flaw is successfully exploited.
Researchers at the Singapore University of Technology and Design (SUTD) detailed a set of 16 security vulnerabilities dubbed "BrakTooth." These vulnerabilities impacted a wide range of Bluetooth Classic (Basic Rate/Enhanced Data Rate) implementations. A paper titled "BrakTooth: Causing Havoc on Bluetooth Link Manager" highlights the vulnerabilities that impacted Bluetooth chipset vendors, including Intel, Texas Instruments, Silicon Labs, and Infineon (Cypress). Microsoft, Asus, HP, and other major laptop vendors, along with major smartphone and tablet vendors such as Samsung, Sony, and Xiaomi, used affected chipsets. The reported vulnerabilities could allow an attacker to shut down a Bluetooth-enabled device remotely. Attacks involving the exploitation of the vulnerabilities can be executed continuously. The most critical vulnerability enables arbitrary code execution in an embedded controller, making it possible for an attacker to remotely execute chosen code in the target device, thus potentially leading to the deletion of data. Besides major laptops, smartphones, and tablets, the vulnerabilities also affected industrial automation products, automotive infotainment systems, and aircraft entertainment systems.
Researchers with France's national cybersecurity agency ANSSI identified flaws that affected devices supporting Bluetooth Core and Mesh specifications. These specifications define technical and policy requirements for devices that operate over Bluetooth connections. According to an advisory published by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University (CMU), a malicious actor can exploit the vulnerabilities to impersonate legitimate devices as long as they are within Bluetooth range. Organizations whose products were confirmed to be affected by the vulnerabilities include Cisco, Intel, the Android Open-Source Project (AOSP), Cradlepoint, and more. The exploitation of one of the vulnerabilities, tracked as CVE-2020-26555, requires the attacker to be able to identify the Bluetooth Device Address of the vulnerable device before they can execute the attack. If the attack is successful, the malicious actor can complete pairing with a known link key, encrypt communications with the vulnerable device, and access profiles allowed by a paired or bonded remote device that supports Legacy Pairing.
Bluetooth devices were found to be vulnerable to a flaw that could allow attackers to track a user's location, putting their privacy at risk. The study behind the vulnerability focuses on Bluetooth Low Energy (BLE), a type of Bluetooth that uses less energy than Bluetooth Classic. Researchers at Ohio State University (OSU) tested over 50 Bluetooth devices and four BLE development boards, as well as created a potential solution to the problem. According to the researchers, an idle BLE device sends out a signal every 20 milliseconds, advertising its MAC address to other nearby devices with which it could connect. The study identified a flaw that could allow attackers to observe how these devices interact with the network and then collect and analyze the data, either passively or actively. They demonstrated that by broadcasting a MAC address to the device's location, an attacker would know that a user is in the area. A captured MAC address could be used in a replay attack, enabling the threat actor to monitor the user's behaviors, track where the user has been in the past, or even determine the user's current location.
Despite the discovery of vulnerabilities associated with Bluetooth, researchers have found a way to prevent phishing attempts on user logins using the technology. To prevent hackers from successfully infiltrating online accounts, Google announced the use of the Bluetooth functionality on users' smartphones to verify the legitimacy of logins. A user can enable two-factor authentication (2FA) on their online accounts, requiring anyone logging in to provide both the correct password and a one-time passcode usually generated on the user's smartphone. However, hackers continue to find new ways to bypass 2FA systems. There have been cases where hackers tried to trick users into revealing their one-time passcode by sending a fake text message from the account provider. In some cases, attackers have sent links to users that directed them to fake websites capable of stealing and reusing login credentials, including a victim's 2FA code. Google's solution requires a user to be physically close to the computer when logging into their online account. To authenticate the sign-in request, the company will use the Bluetooth functionality on the user's smartphone, ensuring the phone is close to the device that the user is logging into. This helps prevent distant attackers from tricking users into approving a sign-in on their browser.
There are multiple ways adversaries can exploit Bluetooth technology flaws to jeopardize the security and privacy of users. The Science of Security (SoS) community is encouraged to continue exploring such vulnerabilities and developing solutions. It is also important to delve into how the technology could also be used to improve security.
To see previous articles, please visit the Science of Security Musings Archive.