December 4, 2023 at 08:36AM
The new BLUFFS attacks, tracked as CVE-2023-24023 with a CVSS score of 6.8, break Bluetooth Classic's forward and future secrecy by enabling an adversary to impersonate devices and intercept communications between paired devices. The researchers and the Bluetooth SIG recommend mitigating by pairing with Secure Connections, operating in Secure Connections Only mode and enforcing sufficient session key entropy.
Key Takeaways on the Bluetooth Vulnerability (CVE-2023-24023):
1. A new set of attacks named BLUFFS (Bluetooth Forward and Future Secrecy) has been identified against Bluetooth Classic. They break the protocol's forward and future secrecy guarantees, so compromising the key of one session also exposes past and future sessions.
2. These vulnerabilities affect the Bluetooth Core Specification versions 4.2 through 5.4 and are identified under the CVE identifier CVE-2023-24023, with a Common Vulnerability Scoring System (CVSS) score of 6.8.
3. The attacks were discovered by EURECOM researcher Daniele Antonioli and responsibly disclosed in October 2022.
4. The core issue allows an adversary within Bluetooth range to impersonate devices and mount adversary-in-the-middle (AitM) attacks between connected peers by compromising a single session key.
5. Two architectural flaws in the session key derivation mechanism make the derivation unilateral (only the Central's inputs determine the key) and repeatable (the same inputs always yield the same key), so an attacker impersonating the Central can force the same key to be derived across different sessions.
6. The attacker can also negotiate a session key with very low entropy and brute-force it; combined with impersonation, this enables decryption of traffic and spoofing attacks that result in unauthorized access to the paired device.
7. The Bluetooth Special Interest Group (SIG) has outlined mitigation strategies, including:
– Rejecting service-level connections with key strengths below 7 octets.
– Operating devices in “Secure Connections Only Mode” for enhanced key strength.
– Pairing devices via “Secure Connections” rather than legacy mode.
8. Separately, ThreatLocker detailed a Bluetooth impersonation attack on Apple macOS systems that abuses the pairing mechanism to establish a reverse shell over the Bluetooth connection.
9. Implementations that follow the Bluetooth specification's recommended practices can limit the attack's impact, for example by enforcing sufficient session key entropy and refusing access to host resources from a session that has been downgraded to a weak key or to legacy pairing.
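The following is an added example, not code from the BLUFFS paper, the Bluetooth SIG or any Bluetooth stack. It models the session key derivation weakness described in takeaways 4 to 6 and the host-side mitigations in takeaways 7 and 9. HMAC-SHA256 stands in for the E3 key-derivation function and plain truncation stands in for the Es entropy-reduction step (the real primitives differ, and a real reduced-entropy key stays 16 bytes long; only its effective entropy shrinks). The pairing key, Central address and "known plaintext" are constructed sample values, and `accept_service_level_connection` is a hypothetical policy hook, not an API of any real stack.

```python
import hmac
import hashlib
import os

# Added example, not code from the BLUFFS paper or any Bluetooth stack.
# Simplified model of Bluetooth Classic legacy session key derivation:
# HMAC-SHA256 stands in for E3 and plain truncation stands in for the Es
# entropy-reduction step. The property BLUFFS abuses survives the
# simplification: the session key is a deterministic function of the
# long-term pairing key plus inputs that the Central picks on its own.

PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample long-term key
CENTRAL_ADDR = bytes.fromhex("001a7dda7113")                      # constructed sample BD_ADDR
MIN_KEY_ENTROPY_OCTETS = 7  # Bluetooth SIG guidance: reject service-level connections below 7 octets


def derive_legacy_session_key(pairing_key: bytes, central_addr: bytes,
                              central_nonce: bytes, entropy_octets: int) -> bytes:
    """Model of legacy (non-Secure-Connections) session key derivation.

    Only the Central's address, nonce and negotiated entropy feed the
    derivation (unilateral), and the same inputs always yield the same
    key (repeatable): the two properties BLUFFS exploits.
    """
    if not 1 <= entropy_octets <= 16:
        raise ValueError("entropy is negotiated in 1..16 octets")
    full_key = hmac.new(pairing_key, central_addr + central_nonce, hashlib.sha256).digest()[:16]
    return full_key[:entropy_octets]  # entropy reduction (Es stand-in)


def mac_with_session_key(session_key: bytes, message: bytes) -> bytes:
    """Stand-in for traffic protected by the session key (keyed MAC over a known message)."""
    return hmac.new(session_key, message, hashlib.sha256).digest()


def attacker_forced_session_keys(pairing_key: bytes, fixed_nonce: bytes,
                                 entropy_octets: int, sessions: int = 3) -> list:
    """An attacker impersonating the Central replays the same nonce and the same
    low entropy in every session, so the victim derives the same weak key each
    time: no forward or future secrecy."""
    return [derive_legacy_session_key(pairing_key, CENTRAL_ADDR, fixed_nonce, entropy_octets)
            for _ in range(sessions)]


def brute_force_session_key(entropy_octets: int, known_message: bytes, observed_mac: bytes):
    """Recover a reduced-entropy session key by exhaustive search: 256**entropy_octets
    candidates, i.e. 256 tries for 1 octet versus 2**56 for the 7-octet floor."""
    for candidate in range(256 ** entropy_octets):
        key = candidate.to_bytes(entropy_octets, "big")
        if hmac.compare_digest(mac_with_session_key(key, known_message), observed_mac):
            return key
    return None


def accept_service_level_connection(entropy_octets: int, uses_secure_connections: bool,
                                    sc_only_mode: bool) -> bool:
    """Hypothetical host-side policy implementing the SIG mitigations: refuse
    legacy (downgraded) sessions when Secure Connections Only mode is set, and
    refuse any session whose negotiated key strength is below 7 octets."""
    if sc_only_mode and not uses_secure_connections:
        return False
    return entropy_octets >= MIN_KEY_ENTROPY_OCTETS


def demo() -> dict:
    fixed_nonce = b"\x00" * 16            # attacker-chosen, constant across sessions
    forced = attacker_forced_session_keys(PAIRING_KEY, fixed_nonce, entropy_octets=1)
    honest = [derive_legacy_session_key(PAIRING_KEY, CENTRAL_ADDR, os.urandom(16), 16)
              for _ in range(3)]          # fresh nonce and full entropy each session
    known = b"constructed known plaintext"
    recovered = brute_force_session_key(1, known, mac_with_session_key(forced[0], known))
    return {
        "forced_keys_identical": len(set(forced)) == 1,
        "honest_keys_distinct": len(set(honest)) == 3,
        "brute_force_recovered": recovered == forced[0],
        "weak_session_rejected": not accept_service_level_connection(1, False, False),
        "legacy_rejected_in_sc_only": not accept_service_level_connection(16, False, True),
        "strong_sc_session_accepted": accept_service_level_connection(16, True, True),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the module shows the two halves of the problem side by side: with an attacker-fixed nonce and 1-octet entropy every session yields the same key and the brute force finishes in at most 256 attempts, while honest sessions with fresh nonces yield distinct keys. The policy function is the piece a host stack controls: rejecting anything below 7 octets and, in Secure Connections Only mode, any legacy session is what stops a downgraded session from reaching host resources.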