November 29, 2023 at 09:54AM
EURECOM’s Daniele Antonioli uncovered BLUFFS attacks that break Bluetooth’s secrecy by imitating devices and enabling MitM attacks. These exploits affect Bluetooth’s session key derivation across most devices. Antonioli proposed a solution and a toolkit to demonstrate the vulnerabilities, which major tech companies are addressing.
Meeting Takeaways:
1. Professor Daniele Antonioli from EURECOM has demonstrated a series of novel attacks affecting Bluetooth security, specifically targeting the forward and future secrecy of Bluetooth sessions.
2. The newly identified attacks enable an attacker to impersonate devices, establish man-in-the-middle attacks, and compromise session keys. Such attacks break the security assurances provided by Bluetooth during pairing and session initiation.
3. These attacks, termed BLUFFS (Bluetooth Forward and Future Secrecy), exploit two novel vulnerabilities within the Bluetooth protocol that relate to the session key derivation process. These vulnerabilities can be exploited repeatably and unilaterally.
4. The impact of BLUFFS attacks is extensive, affecting at least 17 different Bluetooth chipsets, which suggests a wide-scale vulnerability across the Bluetooth technology ecosystem.
5. The BLUFFS attacks are platform-agnostic; they are effective independent of the specific hardware or software implementations of Bluetooth due to their architectural nature.
6. Antonioli’s paper outlines how an attacker could brute-force the session encryption key in real-time, enabling them to conduct live injection attacks on the traffic between targeted devices. The Bluetooth Special Interest Group (SIG) has assigned the identifier CVE-2023-24023 to this issue.
7. Antonioli has developed and released a low-cost toolkit that includes seven patches for analyzing and manipulating Bluetooth session key derivation, allowing the broader research community to test for these vulnerabilities.
8. The researcher has proposed an enhanced key derivation function for Bluetooth, designed to prevent these identified attacks. This function could potentially be integrated into the Bluetooth standard to bolster security.
9. The BLUFFS attacks rely on the attacker being able to capture plaintext packets within Bluetooth range, knowing the victim’s Bluetooth address, crafting packets, and negotiating arbitrary capabilities.
10. The attacks undermine both forward and future secrecy by allowing an attacker to decrypt past and future messages using a compromised session key.
11. Four architectural vulnerabilities facilitate the BLUFFS attacks. Two of them are novel issues that permit the derivation of identical session keys across multiple sessions.
12. Affected companies, including major tech players like Google, Intel, Apple, Qualcomm, and Logitech, were informed about these vulnerabilities in October 2022, and several are reportedly working on fixes.
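Items 10 and 11 turn on one property of a session key derivation function: whether the same session key can come back across sessions. The following Python model, added here as an illustration and not code from Antonioli's toolkit or Bluetooth's actual key schedule, contrasts a derivation that depends only on the long-term pairing key plus a value one party can replay (so the key repeats, and one compromised key covers past and future traffic) with one that mixes fresh input from both parties and refuses a negotiated key size below a floor. The function names, the `MIN_KEY_BYTES` floor and the HMAC-SHA256 construction are assumptions for the model.

```python
"""Toy model of session-key derivation with and without mutual freshness.

Constructed illustration only: this is not Bluetooth's real key derivation
and not the enhanced function proposed in the paper. It demonstrates the
forward/future-secrecy property that the BLUFFS findings are about.
"""
import hashlib
import hmac
import os

# Assumed policy floor for this toy model, not a Bluetooth constant.
MIN_KEY_BYTES = 16


def replayable_kdf(pairing_key: bytes, diversifier: bytes, key_bytes: int) -> bytes:
    """Session key derived from the pairing key and ONE party's diversifier.

    If the diversifier can be replayed, every session yields the same key,
    so compromising one session key exposes past and future sessions.
    """
    mac = hmac.new(pairing_key, b"session" + diversifier, hashlib.sha256)
    return mac.digest()[:key_bytes]


def fresh_kdf(pairing_key: bytes, nonce_a: bytes, nonce_b: bytes, key_bytes: int) -> bytes:
    """Session key derived from the pairing key and fresh nonces from BOTH parties.

    A negotiated key size below the floor is rejected instead of honoured, so
    the key cannot be weakened by the peer during capability negotiation.
    """
    if key_bytes < MIN_KEY_BYTES:
        raise ValueError(f"negotiated key size {key_bytes} below floor {MIN_KEY_BYTES}")
    transcript = b"session" + nonce_a + nonce_b
    mac = hmac.new(pairing_key, transcript, hashlib.sha256)
    return mac.digest()[:key_bytes]


def keys_repeat(keys) -> bool:
    """Defender-side check: does any session key appear more than once?"""
    return len(set(keys)) < len(keys)


def negotiation_rejected(key_bytes: int) -> bool:
    """True if fresh_kdf refuses the given negotiated key size."""
    try:
        fresh_kdf(b"\x11" * 16, b"\x22" * 16, b"\x33" * 16, key_bytes)
        return False
    except ValueError:
        return True


def simulate(n_sessions: int = 5) -> tuple[bool, bool, bool]:
    """Run n_sessions under three scenarios and report whether keys repeat.

    Returns (weak_repeats, one_side_replayed_repeats, fresh_repeats).
    """
    pairing_key = os.urandom(16)  # constructed long-term pairing key
    replayed = b"\x00" * 16        # value a peer replays in every session

    # Scenario 1: key depends on one replayable value -> identical keys.
    weak_keys = [replayable_kdf(pairing_key, replayed, 16) for _ in range(n_sessions)]

    # Scenario 2: one party replays its nonce, the other is fresh -> keys differ.
    half_fresh = [fresh_kdf(pairing_key, replayed, os.urandom(16), 16)
                  for _ in range(n_sessions)]

    # Scenario 3: both parties fresh -> keys differ.
    fresh_keys = [fresh_kdf(pairing_key, os.urandom(16), os.urandom(16), 16)
                  for _ in range(n_sessions)]

    return keys_repeat(weak_keys), keys_repeat(half_fresh), keys_repeat(fresh_keys)


if __name__ == "__main__":
    weak, half, fresh = simulate()
    print(f"replayable KDF repeats keys:        {weak}")
    print(f"one side replayed, other fresh:     {half}")
    print(f"both sides fresh:                   {fresh}")
    print(f"key size 1 byte rejected:           {negotiation_rejected(1)}")
```

The point of the second scenario is that freshness contributed by the honest side alone is enough to keep session keys distinct, which is why a derivation that lets a single party fix all the inputs is the weak point; the `keys_repeat` check is the kind of property test one would run against a candidate derivation before adopting it.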
Additional Notes:
– Keep an eye out for information on patches or updates from device manufacturers in response to these vulnerabilities.
– Review and apply the enhanced key derivation function proposed by Antonioli, if applicable, to fortify Bluetooth session key security.
– Be aware of related vulnerabilities and additional research findings in the field of Bluetooth security to maintain up-to-date knowledge of potential threats.