Bluetooth devices supporting BR/EDR are vulnerable to impersonation attacks (27th May 2020)

Description

Researchers at the École Polytechnique Fédérale de Lausanne (EPFL) have identified a security vulnerability related to pairing in Bluetooth BR/EDR connections.

Summary

Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) Core Configurations are used for low-power short-range communications. To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key.

How does the Vulnerability work?

An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key. The BIAS attack could be combined with the Key Negotiation of Bluetooth (KNOB) attack to "impersonate a Bluetooth device, complete authentication without possessing the link key, negotiate a session key with low entropy, establish a secure connection, and brute force the session key". An attacker could initiate a KNOB attack on encryption key strength without intervening in an ongoing pairing procedure through an injection attack. If the accompanying KNOB attack is successful, an attacker may gain full access as the remote paired device. If the KNOB attack is unsuccessful, the attacker will not be able to establish an encrypted link but may still appear authenticated to the host.

The Guyana National CIRT recommends users and administrators to review the update and apply it where necessary.

References

CERT/CC Vulnerability Note VU#534195. (n.d.). Retrieved May 27, 2020, from https://kb.cert.org/vuls/id/534195

CERT/CC Vulnerability Note VU#647177. (n.d.). Retrieved May 27, 2020, from https://kb.cert.org/vuls/id/647177

Security Notice. (n.d.). Retrieved May 27, 2020, from https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/bias-vulnerability/