Security researchers from three universities in Europe have found multiple weaknesses in the ubiquitous Bluetooth protocol that could allow attackers to impersonate a paired device and establish a secure connection with a victim.
Most standard Bluetooth devices are vulnerable to the issue, according to the researchers, who successfully tested a proof-of-concept attack they developed against 31 Bluetooth devices from major hardware and software vendors. Bluetooth chips from Apple, Intel, Qualcomm, Cypress, Broadcom, and others are all vulnerable to the attacks. Adversaries can impersonate any Bluetooth-enabled device, from smartphones and laptops to IoT devices, the researchers say.
However, because an attacker would need to be physically close to a target and need to know certain information about the target, the likelihood of mass or random drive-by attacks is low, according to some security experts.
The three researchers who discovered the issue are: Daniele Antonioli, from the Swiss Federal Institute of Technology, Lausanne (EPFL); Nils Ole Tippenhauer from the CISPA Helmholtz Center for Information Security in Germany; and Kasper Rasmussen from the University of Oxford's computer science department.
The researchers say Bluetooth impersonation attacks are possible because of vulnerabilities in the standard including the lack of a mandatory mutual authentication mechanism, overly permissive role switching, and inadequate protections against encryption downgrades when two devices are securely paired. "The [issues] are at the architectural level of Bluetooth, thus all standard compliant Bluetooth devices are a potential target," the researchers said in a technical paper.
They described the vulnerabilities as allowing an attacker to essentially insert a rogue device between two paired Bluetooth devices and to assume the identity of either of the two devices. They demonstrated a proof-of-concept attack using a Bluetooth development kit and a Linux laptop.
Antonioli, the lead author of the paper, says that in a nutshell, the vulnerabilities allow attackers to always use the weakest form of authentication provided by Bluetooth, even if the target device supports a stronger authentication mechanism. They are then able to abuse the weaker authentication mechanism so that the attacker does not have to authenticate to the victim. Instead, it is the victim device that always has to authenticate to the attacker: "This combination enables the attacker to impersonate any Bluetooth device without having to authenticate to the victim," Antonioli says.
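The downgrade-then-one-sided-authentication pattern Antonioli describes, as an added illustrative model that is not from the paper or from any Bluetooth stack: a toy challenge-response on a shared link key (an HMAC stand-in for the real Bluetooth authentication function; none of the link-manager messages are modelled), with a hypothetical `Policy` object capturing the two countermeasures the text names, mandatory mutual authentication and refusing to drop to legacy mode when both sides support Secure Connections. The addresses and link key are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample link key; a real one is derived during pairing.
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def response(link_key: bytes, challenge: bytes) -> bytes:
    """Toy stand-in for the Bluetooth authentication function: keyed MAC over a random challenge."""
    return hmac.new(link_key, challenge, hashlib.sha256).digest()


@dataclass
class Peer:
    """The remote device as the local device sees it (constructed model, hypothetical fields)."""
    address: str
    claims_secure_connections: bool
    link_key: Optional[bytes] = None   # None: this peer never obtained the pairing key

    def answer(self, challenge: bytes) -> bytes:
        if self.link_key is None:
            return os.urandom(32)      # without the key only a random guess is possible
        return response(self.link_key, challenge)


@dataclass
class Policy:
    require_mutual_auth: bool   # the peer must also prove knowledge of the link key
    refuse_downgrade: bool      # reject legacy mode when both sides support Secure Connections


def authenticate(local_supports_sc: bool, link_key: bytes, peer: Peer,
                 negotiated_secure_connections: bool, policy: Policy) -> str:
    """Outcome of one authentication run, from the local (potential victim) device's view."""
    # Countermeasure 1: refuse to be talked down to legacy mode when both sides can do better.
    if (policy.refuse_downgrade and local_supports_sc
            and peer.claims_secure_connections and not negotiated_secure_connections):
        return "rejected: downgrade to legacy authentication"
    # The local device always answers the peer's challenge: the victim authenticates to the peer.
    peer_challenge = os.urandom(16)
    local_proof = response(link_key, peer_challenge)   # sent to the peer; the peer need not verify it
    # Countermeasure 2: in legacy mode the reverse direction is optional unless policy demands it;
    # Secure Connections authenticates both sides.
    mutual = negotiated_secure_connections or policy.require_mutual_auth
    if not mutual:
        return "accepted: local proved the key, peer never did"
    local_challenge = os.urandom(16)
    expected = response(link_key, local_challenge)
    if not hmac.compare_digest(peer.answer(local_challenge), expected):
        return "rejected: peer failed to prove knowledge of the link key"
    return "accepted: mutual authentication"


def demo() -> dict:
    """Constructed scenarios; keys name the situation, values are the outcomes."""
    genuine = Peer("AA:BB:CC:DD:EE:01", claims_secure_connections=True, link_key=LINK_KEY)
    keyless = Peer("AA:BB:CC:DD:EE:01", claims_secure_connections=True)  # same address, no key
    weak = Policy(require_mutual_auth=False, refuse_downgrade=False)
    mutual_only = Policy(require_mutual_auth=True, refuse_downgrade=False)
    strict = Policy(require_mutual_auth=True, refuse_downgrade=True)
    return {
        "genuine peer, legacy, weak policy": authenticate(True, LINK_KEY, genuine, False, weak),
        "keyless peer, legacy, weak policy": authenticate(True, LINK_KEY, keyless, False, weak),
        "keyless peer, legacy, mutual required": authenticate(True, LINK_KEY, keyless, False, mutual_only),
        "keyless peer, legacy, strict policy": authenticate(True, LINK_KEY, keyless, False, strict),
        "genuine peer, Secure Connections": authenticate(True, LINK_KEY, genuine, True, strict),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The second scenario is the weakness in miniature: under the weak policy a peer that never held the link key is accepted, because only the local side is ever challenged. Requiring mutual authentication catches it at the challenge step, and refusing the downgrade rejects the run before any challenge is exchanged.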
In order to execute an attack via the authentication weaknesses, an attacker would require both the Bluetooth name and address of the victim device, which can be collected passively, he says. The attacker would also need information on the Bluetooth features and services on the target device, which also can be relatively easily obtained since this information is common for devices of the same model.
Limited Attack Range
An attacker would need to be in Bluetooth range of the victim device, Antonioli says. This can vary depending on the environment and the type of device used by the victim and the attacker. "We have not experimentally tested the maximum range for the [impersonation] attacks," Antonioli says. "But from the numbers in the Bluetooth specification, I can tell that the maximum range might reach 75m (250 feet) outdoors and 40m (131 feet) indoors."
The actions that an attacker would be able to take would depend on the type of device being impersonated. "If the attacker impersonates a laptop to a smartphone and the victim sends a file containing sensitive information from the smartphone to the impersonated laptop, then the attacker gets access to that sensitive file," Antonioli explains.
Similarly, by pairing as a Bluetooth headset, an attacker would be able to eavesdrop on conversations, says Javvad Malik, security awareness advocate at KnowBe4. Or, by pairing as a keyboard, the attacker could send and run commands.
In a real attack scenario "an attacker would use some form of Bluetooth toolkit that can read or inject Bluetooth commands," Malik says. "However, the saving grace for many is that in order to work, the attacker has to be within Bluetooth range."
This significantly limits the types of attacks that can be conducted, and requires the attacker to more or less be physically present. "For most organizations, this reduces the risk and will likely be a lower priority to fix," Malik notes.
The three university researchers reported their findings to the Bluetooth Special Interest Group (SIG) in December. The Bluetooth SIG has committed to publish updates to the Bluetooth specification in line with what the researchers have recommended as countermeasures to the impersonation attacks, Antonioli says. However, updating the specification does not mean that all devices are going to be immediately safe.
"Large-scale protection against the [impersonation] attacks is hard to realize in practice as it requires patching billions of devices," he says. In many instances, devices are either not going to receive a patch or cannot be patched without a device recall, Antonioli points out.