Weak session keys let snoops take a byte out of your Bluetooth traffic

Trending 3 months ago

Multiple Bluetooth chips from above vendors such as Qualcomm, Broadcom, Intel, and Apple are accessible to a brace of aegis flaws that acquiesce a adjacent corrupt to impersonate added accessories and ambush data.

The weaknesses were articular by Daniele Antonioli, an abettor assistant at French alum academy and analysis centermost EURECOM's software and arrangement aegis group. He abundant the advance vectors by which the flaws could be exploited in a paper [PDF] blue-blooded "BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses."

Antonioli's explanation states that the flaws abide in versions of the Bluetooth Core Specification from 2014's adaptation 4.2 to the February 2023 version 5.4.

BLUFFS – for BLUetooth Forward and Future Secrecy – is a set of six audible attacks. Forward clandestineness protects accomplished sessions adjoin key compromise, while approaching clandestineness does the aforementioned affair for approaching sessions.

The attacks force the conception of anemic affair keys, which are acclimated back commutual Bluetooth accessories try to authorize a defended advice channel. Weak keys can be calmly broken, acceptance the eavesdropper to annex sessions and busybody on victims' conversations, data, and activities agitated out over Bluetooth.

"Our attacks accredit accessory clothing and machine-in-the-middle above sessions by alone compromising one affair key," Antonioli explained in his paper. "The attacks accomplishment two atypical vulnerabilities that we bare in the Bluetooth accepted accompanying to unilateral and repeatable affair key derivation."

Antonioli wrote that back the attacks appulse Bluetooth at the architectural level, they assignment behindhand of accouterments and software variations. The BLUFFS attacks are said to accept been activated auspiciously on 18 Bluetooth accessories from Intel, Broadcom, Apple, Google, Microsoft, CSR, Logitech, Infineon, Bose, Dell, and Xiaomi, which use 17 altered chips. And they affect both Bluetooth aegis modes: Secure Connections (SC) and Legacy Secure Connections (LSC).

Devices begin to use chips affected to BLUFFS accommodate smartphones and wireless earbuds from Apple and Google, and a Lenovo ThinkPad.

  • A bedraggled dozen of Bluetooth bugs abuse to reboot, freeze, or drudge your contemporary gizmos from abutting range
  • Billions of Bluetooth accessories agitated by 'BLURtooth' miscreant-in-the-middle bug
  • BrakTooth vulnerabilities put Bluetooth users at accident – and some accessories are activity unpatched
  • Zephyr OS Bluetooth vulnerabilities larboard acute accessories accessible to attack

"The BLUFFS attacks accept a astringent appulse on Bluetooth's aegis and privacy," Antonioli wrote. "They acquiesce decrypting (sensitive) cartage and injecting accustomed letters above sessions by re-using a distinct affair key."

The BLUFFS cipher repo contains Arm cipher patches and an attack-checking apparatus that takes packet abduction (pcap) files and isolates Bluetooth sessions to account affair keys and ascertain BLUFFS attacks. Antonioli has proposed protocol-level countermeasures involving three added Link Manager Protocol packets and three added action calls that vendors can apparatus while apprehension a Bluetooth blueprint afterlight that makes affair enactment added secure.

According to Antonioli, the vulnerability was responsibly appear in October 2022 to the Bluetooth Special Interest Group (SIG), which in about-face accommodating the acknowledgment of CVE-2023-24023 to assorted vendors.

Google has categorized BLUFFS as a high-severity vulnerability – aces of a bug advantage – and is said to be alive on a fix. Intel additionally awarded a advantage but appointed BLUFFS average severity. Apple and Logitech reportedly are acquainted of the affair and alive on fixes, while Qualcomm hasn't yet accustomed the researchers' disclosure.

The Bluetooth SIG, which oversees the short-range wireless specification, has issued a aegis notice about the vulnerability. The notification advises those implementing Bluetooth to configure their systems to adios access with anemic keys. ®