Bluetooth pairing flaw exposes devices to BIAS attacks

Bluetooth SIG has been forced to update the core specification after researchers reveal a severe flaw in BR/EDR pairing

Bluetooth-enabled devices including smartphones, laptops, tablets and Internet of Things (IoT) devices are vulnerable to attack due to fundamental flaws in the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) configuration.

The Bluetooth Special Interest Group (SIG) has been forced to update its specification after academics disclosed the vulnerability in the way connections are made between devices using BR/EDR. This configuration is also known as Bluetooth Classic.

Bluetooth Impersonation Attacks (BIAS) can be triggered after two devices have been paired: hackers can exploit the flaw to break the security mechanisms and impersonate one of the devices towards the other, according to research published by academics.

The flaw lies in the way two devices handle the long-term key that secures their connection. This key is generated when two Bluetooth devices bond for the first time, and it is used to derive the keys for future connections so that device owners do not have to repeat the pairing process each time.

The BIAS attack was tested on more than 28 unique Bluetooth chips manufactured by a wide range of companies including Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All 30 devices tested by the academics were vulnerable.

Following initial bonding, hackers can fake the identity of a previously paired device and successfully connect without knowing the long-term pairing key that was established. From there, they can access data on the targeted device or take control of it.

BIAS can also be combined with other attacks, such as the Key Negotiation of Bluetooth (KNOB) attack, which was disclosed last year by the same research team. KNOB can be used to force the participants in a Bluetooth key exchange to use an encryption key with just one byte of entropy, which means hackers can brute-force the key. From there, they are able to intercept data being passed between the devices.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” said authors Daniele Antonioli, Nils Ole Tippenhauer and Kasper Rasmussen. 

“The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction. The BIAS attacks are at the architectural level of Bluetooth, thus all standard-compliant Bluetooth devices are a potential target.”

Bluetooth SIG, which oversees the Bluetooth standard, said it is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication, and to recommend checks on encryption types to avoid a downgrade of secure connections.

These changes will be introduced in a future specification revision. Until that occurs, the organisation has strongly recommended that vendors ensure their implementations do not permit the encryption key length to be reduced, and that they take a number of additional steps to ensure security measures remain robust.
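The three checks described above (no downgrade from Secure Connections, no reduced encryption key size, and authentication of the peer in both roles) can be modelled in a few lines. The following is an added example written for this article; it is not the researchers' code, not the Bluetooth specification's state machine, and not any vendor's stack. It assumes HMAC-SHA256 as a stand-in for the specification's authentication function, a key-size floor of 16 bytes chosen for the example (the page gives no number), and a simplified notion of the verifier/claimant role that a peer can negotiate. Device addresses and keys are constructed sample values.

```python
"""Model of the defender-side checks the article says the SIG now recommends:
no Secure Connections downgrade, no reduced encryption key size, and mutual
authentication on the bonded link key regardless of negotiated role."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: a policy floor chosen for this example; the page only says key
# length reduction should not be permitted and names no number.
MIN_KEY_SIZE_BYTES = 16


def auth_response(link_key: bytes, claimant_addr: bytes, challenge: bytes) -> bytes:
    """Stand-in for the authentication function (assumption: HMAC-SHA256 here,
    not the specification's own primitive). Binds the answer to the claimant's
    address so a response cannot be reused under another identity."""
    return hmac.new(link_key, claimant_addr + challenge, hashlib.sha256).digest()


@dataclass
class Bond:
    link_key: bytes      # long-term key from the original bonding
    peer_used_sc: bool   # did the peer bond using Secure Connections?


@dataclass
class Device:
    addr: bytes                      # device address (constructed sample values)
    secure_connections: bool         # does this device offer Secure Connections now?
    bonds: dict = field(default_factory=dict)  # peer addr -> Bond

    def remember(self, peer_addr: bytes, link_key: bytes, peer_used_sc: bool) -> None:
        self.bonds[peer_addr] = Bond(link_key, peer_used_sc)

    def answer(self, peer_addr: bytes, challenge: bytes) -> bytes:
        """Claimant role: prove knowledge of the key bonded with peer_addr."""
        return auth_response(self.bonds[peer_addr].link_key, self.addr, challenge)

    def verify(self, peer_addr: bytes, challenge: bytes, response: bytes) -> bool:
        """Verifier role: recompute the answer with our own copy of the key."""
        expected = auth_response(self.bonds[peer_addr].link_key, peer_addr, challenge)
        return hmac.compare_digest(expected, response)


def accept_connection(local: Device, peer: Device, key_size: int,
                      local_role: str, require_mutual: bool = True) -> str:
    """Decide, from the local device's side, whether a connection from a
    previously bonded peer may proceed. local_role is the role the peer has
    negotiated for us ('verifier' or 'claimant'). Returns 'accepted' or a
    rejection reason."""
    bond = local.bonds.get(peer.addr)
    if bond is None:
        return "rejected: not bonded, pairing required"
    # 1. No Secure Connections downgrade: a peer that bonded with SC must still offer it.
    if bond.peer_used_sc and not peer.secure_connections:
        return "rejected: secure connections downgrade"
    # 2. Refuse a reduced encryption key size (the KNOB mitigation).
    if key_size < MIN_KEY_SIZE_BYTES:
        return f"rejected: key size {key_size} below floor {MIN_KEY_SIZE_BYTES}"
    # 3. Unilateral authentication only challenges the peer when we hold the
    #    verifier role; mutual authentication challenges it in either role.
    if local_role == "verifier" or require_mutual:
        challenge = secrets.token_bytes(16)
        if not local.verify(peer.addr, challenge, peer.answer(local.addr, challenge)):
            return "rejected: peer failed authentication"
    return "accepted"


def demo() -> dict:
    """Bond a laptop and a headset, then present a peer that presents the
    headset's address but does not hold the link key (all values constructed)."""
    laptop = Device(addr=bytes.fromhex("001122334455"), secure_connections=True)
    headset = Device(addr=bytes.fromhex("66778899aabb"), secure_connections=True)
    link_key = secrets.token_bytes(16)
    laptop.remember(headset.addr, link_key, peer_used_sc=True)
    headset.remember(laptop.addr, link_key, peer_used_sc=True)

    impostor = Device(addr=headset.addr, secure_connections=True)
    impostor.remember(laptop.addr, secrets.token_bytes(16), peer_used_sc=True)
    legacy_only = Device(addr=headset.addr, secure_connections=False)
    legacy_only.remember(laptop.addr, link_key, peer_used_sc=True)

    return {
        "legit": accept_connection(laptop, headset, 16, "claimant"),
        "weak_key": accept_connection(laptop, headset, 1, "claimant"),
        "downgrade": accept_connection(laptop, legacy_only, 16, "claimant"),
        "impostor_mutual": accept_connection(laptop, impostor, 16, "claimant"),
        "impostor_unilateral_claimant": accept_connection(
            laptop, impostor, 16, "claimant", require_mutual=False),
        "impostor_unilateral_verifier": accept_connection(
            laptop, impostor, 16, "verifier", require_mutual=False),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:30s} {outcome}")
```

The `impostor_unilateral_claimant` scenario is the gap the article describes: with authentication only in one direction, a peer that has negotiated the claimant role for the local device is never asked to prove it holds the key. With `require_mutual=True` the same peer is rejected whichever role it negotiates, which is the effect of the mutual-authentication requirement the SIG is adding; the downgrade and key-size checks cover the other two recommendations.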

Some vendors may have implemented workarounds for the vulnerability after the researchers privately disclosed their attack in December 2019. As a result, users whose devices have not been updated since December 2019 are likely to be vulnerable, while devices updated since then may already have been fixed.
