BIAS Bluetooth vulnerability

[German]Security researchers found again a Bluetooth vulnerability: Smartphones, laptops, IoT devices etc. are vulnerable to a new BIAS Bluetooth attack. This would allow an attacker to access any Bluetooth Classic device without knowing a key. In the meantime, however, firmware updates from various Bluetooth chip manufacturers have been released to close the vulnerabilities.

European security researchers from Oxford, England, have uncovered a new vulnerability in the Bluetooth wireless protocol. An attacker can impersonate a previously connected device without knowing the long-term pairing key, thereby gaining access to any Bluetooth Classic device.

NEW: Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack

An attacker can pose as a previously bonded device without knowing the long-term pairing key and access any Bluetooth Classic devicehttps://t.co/1YOJlsgrxz pic.twitter.com/KUK5V6LWXC

— Catalin Cimpanu (@campuscodi) May 18, 2020

The vulnerability codenamed BIAS (Bluetooth Impersonation AttackS) affects the classic version of the Bluetooth protocol, also known as Basic Rate / Enhanced Data Rate, Bluetooth BR/EDR or simply Bluetooth Classic. The protocol is widely used to connect modern devices such as smartphones, tablets, laptops and intelligent IoT devices. The BIAS attack works against Bluetooth devices and firmware from Apple, Broadcom, Cypress, Intel, Samsung and others.

Flaws within the authentication process

The point of attack are flaws in the authentication process of the classic Bluetooth protocol, which security researchers Daniele Antonioli, Nils Ole Tippenhauer and Kasper Rasmussen exploit. The whole thing takes place when two adjacent Bluetooth devices are first paired. There, a private key is negotiated as a Long-Term Key between the devices. This key is also valid for future connections (the user should not have to pair the Bluetooth devices every time via the intended procedure).

As the researchers describe in this PDF document, there is a way to use the Long-Term Key to give Bluetooth devices the identity of an already paired Bluetooth device from a second device. The second device thus couples quasi-parasitically via Bluetooth without ever having been approved by the user with his Bluetooth device.

(Source: YouTube)

To do this, the attacker must eavesdrop on the first pairing of Bluetooth devices to obtain their parameters, such as device name, Bluetooth addresses, Bluetooth protocol versions and capabilities. The security researchers' video above shows the scheme. Using this data, the foreign Bluetooth device could theoretically be placed under the coupling point.

(Vulnerable BT devices, source: document of the security researchers)

The attack probably works with 28 different Bluetooth chips (from Cypress, Qualcomm, Apple, Intel, Samsung and CSR) that are built into devices from Apple, Lenovo ThinkPad notebooks or pixel smartphones (see the table above that the researchers published in their PDF document). The security researchers have tested 30 different Bluetooth devices from various manufacturers for the vulnerabilities. Bluetooth LE do not seem to be affected.

Firmware update helps

The vulnerability was already reported to the Bluetooth SIG (Special Internest Group) and the manufacturers at the end of 2019. The SIG revised the Bluetooth Core specification and the chip manufacturers had the opportunity to adapt the firmware for the Bluetooth chips.

The problem is that this firmware would have to be installed on the devices as an update. The security researchers are writing: All devices that have not received a security update of the firmware since December 2019 are potentially vulnerable. What is currently not clear to me is how exploitable the two vulnerabilities BIAS (CVE-2020-10135) and KNOB (CVE-2019-9506) are in practice.

Further details can be found on this website of the security researchers. There is also a FAQ which answers user questions. ZDNet also has this article on the topic.