A new vulnerability in the authentication component of the Bluetooth wireless protocol has been uncovered by a group of researchers. The issue is not an implementation bug but a weakness in the specification itself.
“The Bluetooth standard includes both a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long-term key. Both procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling impersonation attacks during secure connection reestablishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade to the legacy version.”
In essence, Bluetooth does not require a device to remember that an earlier connection was established with the secure procedure, so the peers are not forced to reconnect securely. Any device can claim ignorance of the earlier secure connection and ask for legacy authentication and legacy encryption instead, obtaining a weaker link. The attacker can then initiate a master-slave role switch, placing itself in the master role and becoming the authentication initiator, which lets it leverage a couple of other problems with the specification.
BIAS attacks are the first attacks shown to bypass Bluetooth’s authentication procedures during secure connection establishment, the research team said. The flaws exploited include the lack of integrity protection, encryption, and mutual authentication.
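The three weaknesses described above (no memory of the secure procedure, a role switch that makes the peer the sole verifier, and a downgrade to legacy authentication) can be modelled as a host-side reconnection policy. The following is an added illustration, not code from the paper or from any Bluetooth stack: it assumes a constructed peer record and reconnection request, and the hardened checks are an assumption about what a fixed host should enforce, not the SIG's exact wording.

```python
from dataclasses import dataclass
from enum import Enum

class AuthProc(Enum):
    LEGACY = "legacy"   # unilateral challenge-response: initiator verifies responder only
    SECURE = "secure"   # Secure Connections: both sides are verified

@dataclass
class PeerRecord:
    """What this host remembers about a previously paired peer (constructed)."""
    address: str
    paired_with_secure: bool

@dataclass
class ReconnectRequest:
    """A reconnection proposal from a device claiming a paired address (constructed)."""
    peer_address: str
    proposed_auth: AuthProc
    peer_role: str                    # "master" or "slave" after any role switch
    peer_answers_our_challenge: bool  # did the peer prove to us it holds the link key?

def permissive_policy(record: PeerRecord, req: ReconnectRequest) -> bool:
    """Pre-fix behaviour the post describes: accept the peer's proposal as-is.
    Legacy authentication is unilateral, so this host only challenges the peer
    when it is the initiator (master); a peer that becomes master is never challenged."""
    if req.peer_address != record.address:
        return False
    if req.proposed_auth is AuthProc.SECURE:
        return req.peer_answers_our_challenge
    we_are_initiator = req.peer_role != "master"
    return req.peer_answers_our_challenge if we_are_initiator else True

def hardened_policy(record: PeerRecord, req: ReconnectRequest) -> bool:
    """Assumed host-side checks (illustrative, not the SIG's exact fix text):
    refuse a downgrade for peers paired with Secure Connections, and require
    the peer to authenticate to us regardless of which role it holds."""
    if req.peer_address != record.address:
        return False
    if record.paired_with_secure and req.proposed_auth is not AuthProc.SECURE:
        return False                       # downgrade to legacy is refused
    return req.peer_answers_our_challenge  # mutual authentication is mandatory

# Constructed scenario: a peer paired with Secure Connections; the reconnecting
# device claims its address, asks for legacy auth and the master role, and never
# proves it holds the link key. GENUINE is an honest reconnection for comparison.
PAIRED = PeerRecord("AA:BB:CC:DD:EE:FF", paired_with_secure=True)
SUSPECT = ReconnectRequest("AA:BB:CC:DD:EE:FF", AuthProc.LEGACY, "master", False)
GENUINE = ReconnectRequest("AA:BB:CC:DD:EE:FF", AuthProc.SECURE, "slave", True)
```

The permissive policy accepts SUSPECT without the peer ever proving it holds the key, while the hardened policy rejects it on the downgrade alone and still accepts GENUINE.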
To be clear, this affects all Bluetooth devices, from phones, tablets, laptops and headphones to single-board computers (like the Raspberry Pi), IoT components, door locks and others. The BIAS attack has been tested against numerous brands and types of Bluetooth devices, and all were vulnerable. To call this a complete and total collapse of Bluetooth’s secure authentication is putting it mildly.
The Bluetooth SIG (the special interest group that writes the Bluetooth specification) has updated the specification to include a fix for this issue, and equipment vendors will be releasing patches soon (or already have).
As usual, update all your systems!