IoT
5/21/2020 09:10 AM
Most Bluetooth Devices Vulnerable to Impersonation Attacks

Vulnerabilities in the Bluetooth authentication process give attackers a way to insert rogue devices between two securely paired devices, academic researchers find.

Security researchers from three universities in Europe have found multiple weaknesses in the ubiquitous Bluetooth protocol that could allow attackers to impersonate a paired device and establish a secure connection with a victim.

Most standard Bluetooth devices are vulnerable to the issue, according to the researchers, who successfully tested a proof-of-concept attack they developed against 31 Bluetooth devices from major hardware and software vendors. Bluetooth chips from Apple, Intel, Qualcomm, Cypress, Broadcom, and others are all vulnerable to the attacks. Adversaries can impersonate any Bluetooth-enabled device, from smartphones and laptops to IoT devices, the researchers say.

However, because an attacker would need to be physically close to a target and need to know certain information about the target, the likelihood of mass or random drive-by attacks is low, according to some security experts.

The three researchers who discovered the issue are: Daniele Antonioli, from the Swiss Federal Institute of Technology, Lausanne (EPFL); Nils Ole Tippenhauer from the CISPA Helmholtz Center for Information Security in Germany; and Kasper Rasmussen from the University of Oxford's computer science department.

The researchers say Bluetooth impersonation attacks are possible because of vulnerabilities in the standard, including the lack of a mandatory mutual authentication mechanism, overly permissive role switching, and inadequate protections against encryption downgrades when two devices are securely paired. "The [issues] are at the architectural level of Bluetooth, thus all standard compliant Bluetooth devices are a potential target," the researchers said in a technical paper.

They described the vulnerabilities as allowing an attacker to essentially insert a rogue device between two paired Bluetooth devices and to assume the identity of either of the two devices. They demonstrated a proof-of-concept attack using a Bluetooth development kit and a Linux laptop.

Antonioli, the lead author of the paper, says that in a nutshell, the vulnerabilities allow attackers to always use the weakest form of authentication provided by Bluetooth, even if the target device supports a stronger authentication mechanism. They are then able to abuse the weaker authentication mechanism so that the attacker does not have to authenticate to the victim. Instead, it is the victim device that always has to authenticate to the attacker: "This combination enables the attacker to impersonate any Bluetooth device without having to authenticate to the victim," Antonioli says.
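The two design gaps described above (one-sided authentication whose direction depends on the connection role, and a fallback to the weaker mode when a peer claims not to support the stronger one) can be shown in a small protocol model. The following is an added illustration written for this article, not code from the researchers' paper or from any Bluetooth stack: HMAC-SHA256 over a shared link key stands in for the real Bluetooth challenge-response primitive, the `master`/`slave` names are the two connection roles, and the "strict" downgrade policy in `choose_mode` is an assumed hardening rule, not the text of the SIG's specification change.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    link_key: Optional[bytes]   # None: never completed pairing, holds no secret
    honest: bool = True         # an impostor does not follow the acceptance rules


def prove(prover: Device, nonce: bytes) -> Optional[bytes]:
    """Answer a challenge. HMAC-SHA256 over the link key is an assumed stand-in
    for the Bluetooth challenge-response primitive."""
    if prover.link_key is None:
        return None                     # nothing to prove with
    return hmac.new(prover.link_key, nonce, hashlib.sha256).digest()


def verify(verifier: Device, peer: Device) -> bool:
    """Verifier challenges peer and checks the answer against its own key."""
    if verifier.link_key is None:
        return False                    # cannot check anything without the key
    nonce = secrets.token_bytes(16)
    response = prove(peer, nonce)
    if response is None:
        return False
    expected = hmac.new(verifier.link_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def device_accepts(dev: Device, must_verify: bool, verified: bool) -> bool:
    """Whether a device lets the session proceed after the authentication step."""
    if not dev.honest:
        return True                     # an impostor always says "proceed"
    return verified if must_verify else True


def run_session(master: Device, slave: Device, mutual: bool) -> Dict[str, object]:
    """Model the authentication step for one connection.

    mutual=False: only the master verifies the slave (the weak, one-sided form).
    mutual=True:  both sides verify each other (the countermeasure).
    Reports whether the session is established and which honest devices went
    ahead without ever obtaining proof that the peer holds the link key."""
    checks = {master.name: verify(master, slave)}
    required = {master.name: True, slave.name: mutual}
    checks[slave.name] = verify(slave, master) if mutual else False
    established = all(
        device_accepts(d, required[d.name], checks[d.name]) for d in (master, slave)
    )
    unverified: List[str] = []
    if established:
        unverified = [d.name for d in (master, slave) if d.honest and not checks[d.name]]
    return {"established": established, "unverified": unverified}


def choose_mode(previously_sc: bool, peer_claims_sc: bool, strict: bool) -> str:
    """Pick the mode from the feature exchange. Under the assumed strict policy a
    peer that used Secure Connections (SC) before but now claims not to support
    it is refused instead of silently falling back to the legacy mode (LSC)."""
    if peer_claims_sc:
        return "SC"
    if previously_sc and strict:
        return "reject"
    return "LSC"


def demo() -> Dict[str, object]:
    # Constructed sample devices: phone and laptop share a link key from an
    # earlier pairing; the impostor presents the laptop's identity but has no key.
    link_key = secrets.token_bytes(16)
    phone = Device("phone", link_key)
    laptop = Device("laptop", link_key)
    impostor = Device("laptop", None, honest=False)
    return {
        # impostor takes the verifying role, so the phone is never asked to check it
        "unilateral_impostor_as_master": run_session(impostor, phone, mutual=False),
        # with mutual authentication the phone challenges the impostor and rejects
        "mutual_impostor_as_master": run_session(impostor, phone, mutual=True),
        "unilateral_honest": run_session(laptop, phone, mutual=False),
        "mutual_honest": run_session(laptop, phone, mutual=True),
        "downgrade_lenient": choose_mode(True, False, strict=False),
        "downgrade_strict": choose_mode(True, False, strict=True),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The point the model makes is that a party is only protected by a verification it performs itself: in the one-sided case the phone proceeds with `unverified == ["phone"]` whichever peer took the master role, whereas with `mutual=True` the keyless impostor cannot answer the phone's challenge and the session is refused. The `choose_mode` branch shows why the second countermeasure matters too: without a strict policy, a claimed lack of SC support quietly lands the pairing in the weaker legacy mode.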

In order to execute an attack via the authentication weaknesses, an attacker would require both the Bluetooth name and address of the victim device, which can be collected passively, he says. The attacker would also need information on the Bluetooth features and services on the target device, which also can be relatively easily obtained since this information is common for devices of the same model.

Limited Attack Range

An attacker would need to be in Bluetooth range of the victim device, Antonioli says. This can vary depending on the environment and the type of device used by the victim and the attacker. "We have not experimentally tested the maximum range for the [impersonation] attacks," Antonioli says. "But from the numbers in the Bluetooth specification, I can tell that the maximum range might reach 75m (250 feet) outdoors and 40m (131 feet) indoors."

The actions that an attacker would be able to take would depend on the type of device being impersonated. "If the attacker impersonates a laptop to a smartphone and the victim sends a file containing sensitive information from the smartphone to the impersonated laptop, then the attacker gets access to that sensitive file," Antonioli explains.

Similarly, by pairing as a Bluetooth headset, an attacker would be able to eavesdrop on conversations, says Javvad Malik, security awareness advocate at KnowBe4. Or, by pairing as a keyboard, the attacker could send and run commands.

In a real attack scenario "an attacker would use some form of Bluetooth toolkit that can read or inject Bluetooth commands," Malik says. "However, the saving grace for many is that in order to work, the attacker has to be within Bluetooth range."

This significantly limits the types of attacks that can be conducted, and requires the attacker to more or less be physically present. "For most organizations, this reduces the risk and will likely be a lower priority to fix," Malik notes.

The three university researchers reported their findings to the Bluetooth Special Interest Group (SIG) in December. The Bluetooth SIG has committed to publishing updates to the Bluetooth specification in line with what the researchers have recommended as countermeasures to the impersonation attacks, Antonioli says. However, updating the specification does not mean that all devices are going to be immediately safe.

"Large-scale protection against the [impersonation] attacks is hard to realize in practice as it requires patching billions of devices," he says. In many instances, devices are either not going to receive a patch or cannot be patched without a device recall, Antonioli points out.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...