Weak session keys let snoops take a byte out of your Bluetooth traffic

November 30, 2023 at 02:40AM

Bluetooth chips from Qualcomm, Broadcom, Intel, Apple and other vendors are affected by two security flaws discovered by researcher Daniele Antonioli that allow device impersonation and interception of Bluetooth traffic. The flaws have been present in the Bluetooth standard since 2014, affect many devices, and apply to both Bluetooth security modes. Following responsible disclosure and severity assessments by the affected vendors, fixes are being prepared.

Meeting Takeaways:

1. Security Flaws Identified: Bluetooth chips from various vendors, including Qualcomm, Broadcom, Intel, and Apple, have two critical security vulnerabilities that allow unauthorized access and data interception.

2. Research and Discovery: Daniele Antonioli of EURECOM identified the security flaws and published a paper detailing the vulnerabilities and attack methods.

3. Vulnerable Bluetooth Versions: The flaws are present in Bluetooth Core Specifications ranging from version 4.2 (2014) to version 5.4 (February 2023).

4. Nature of Attacks: Named BLUFFS (Bluetooth Forward and Future Secrecy), the attacks comprise six variants that compromise the secrecy of past and future Bluetooth sessions by exploiting weak session keys.

5. Impact of Attacks: Attackers can impersonate devices, hijack sessions, and snoop on data and activities, exploiting two new vulnerabilities in session key derivation.

6. Extensive Device Vulnerability: Successful tests on 18 devices using chips from Intel, Broadcom, Apple, Google, Microsoft, CSR, Logitech, Infineon, Bose, Dell, and Xiaomi confirm that the flaws are not specific to any one chip vendor.

7. Affected Devices: Devices at risk include Apple and Google smartphones, wireless earbuds, and Lenovo ThinkPads.

8. Severity of BLUFFS Attacks: They significantly threaten Bluetooth’s security and privacy: an attacker who compromises a single session key can decrypt traffic and inject authenticated messages.

9. Available Resources: The BLUFFS code repository offers patches and an attack-detection tool for identifying the attacks.

10. Proposed Countermeasures: Antonioli suggests additions to the Bluetooth protocol to improve session establishment security.

11. Disclosure and Response: The vulnerability’s October 2022 disclosure was managed by the Bluetooth SIG. Google and Intel have recognized the issue with varying severity levels. Apple and Logitech are working on fixes; Qualcomm hasn’t responded yet.

12. Official Guidance and Fixes: The Bluetooth SIG has issued a security notice, and vendors are advised to configure systems to refuse connections using weak keys. Google is actively working on a fix.

Action Items:
– Monitor communications from Bluetooth SIG for updated security guidance.
– Ensure that any affected devices within the company are using the latest patches or are configured according to Bluetooth SIG’s notice.
– Stay informed about the vendors’ fix releases and plan for necessary updates.
– Review the BLUFFS code repository for potential application to the company’s Bluetooth systems.