A team of information security researchers has disclosed a new attack on the Bluetooth protocol, called BIAS (Bluetooth Impersonation AttackS).
The bug received the identifier CVE-2020-10135 and affects the classic version of Bluetooth, known as Basic Rate/Enhanced Data Rate (Bluetooth BR/EDR) or simply Bluetooth Classic.

The research team included scientists from the Swiss Federal Institute of Technology in Lausanne (EPFL), the CISPA Helmholtz Center for Information Security in Germany and experts from the University of Oxford.
It is worth noting that in the summer of 2019 the same team told the world about another Bluetooth vulnerability, KNOB (CVE-2019-9506).
The root of the new BIAS problem is how Bluetooth-enabled devices handle the link key, also known as the long-term key. “This key is generated when two Bluetooth devices are connected (paired) for the first time. In fact, they ‘agree’ on a long-term key that they will use to obtain session keys in the future, so that device owners are not forced to go through the lengthy pairing process every time,” said the team of information security experts.
The researchers explain that they discovered a problem in the authentication procedure that runs after two devices have been paired. The bug allows an attacker to impersonate a previously paired device, authenticate and connect to the other device without knowing the link key that was established between them.
In practice, by carrying out a BIAS attack, an attacker can gain access to another device with Bluetooth Classic support, or even take control of it.
The experts tested their attack against a wide range of devices, including smartphones (iPhone, Samsung, Google, Nokia, LG, Motorola), tablets (iPad), laptops (MacBook, HP, Lenovo), headphones (Philips, Sennheiser) and single-board computers (Raspberry Pi, Cypress). All tested devices were vulnerable to BIAS.
“Since this attack affects almost all Bluetooth-supporting devices, in December 2019 we carried out a responsible disclosure of the problem and brought in the Bluetooth Special Interest Group (Bluetooth SIG), the standardization organization that maintains the Bluetooth standards, to make sure that means of circumventing the vulnerabilities are created and applied,” the experts say.
The Bluetooth SIG has already issued its own statement, in which it says that the Bluetooth Core Specification has been updated: attackers will no longer be able to downgrade a Bluetooth Classic connection from the secure (Secure Connections) authentication method to legacy authentication, the downgrade that made the BIAS attack possible.
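Why the authentication flaw described above lets an impersonator through, and why the mutual authentication the Bluetooth SIG now insists on closes it, can be seen in a toy model. The following Python is an added illustration written for this page, not code from the researchers or from the Bluetooth SIG. It is simplified on purpose: the Bluetooth E1 function is replaced by HMAC-SHA256 truncated to 32 bits, the LMP messages are reduced to a challenge and a response, and the device names, addresses and link key are constructed sample data. The real attack also has to manoeuvre the impersonator into the verifier role (the paper does this with a role switch, which this page does not cover); here that position is simply given to it.

```python
"""Toy model of Bluetooth Classic link-key authentication (constructed example).

Legacy authentication is a unilateral challenge-response: the verifier sends a
random challenge, the claimant answers with SRES = E1(link_key, challenge, BD_ADDR),
and only the verifier learns anything about who it is talking to. Secure
Connections authentication is mutual, so both sides must prove key knowledge.
Assumption for illustration: E1 is replaced by HMAC-SHA256 truncated to 4 bytes.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def sres(link_key: bytes, challenge: bytes, bd_addr: bytes) -> bytes:
    """Stand-in for Bluetooth E1: a 32-bit response derived from the shared link key."""
    return hmac.new(link_key, challenge + bd_addr, hashlib.sha256).digest()[:4]


class Device:
    def __init__(self, bd_addr: bytes, link_key: Optional[bytes]):
        self.bd_addr = bd_addr      # address presented on the link; an impersonator spoofs the victim's
        self.link_key = link_key    # None: this party never learned the key agreed at pairing

    def respond(self, challenge: bytes) -> bytes:
        """Claimant side: answer the verifier's challenge. Without the key only a guess is possible."""
        if self.link_key is None:
            return b"\x00\x00\x00\x00"  # blind guess, correct with probability 2**-32
        return sres(self.link_key, challenge, self.bd_addr)

    def check(self, claimant_addr: bytes, challenge: bytes, response: bytes) -> bool:
        """Verifier side: does the response match what the link key predicts?"""
        if self.link_key is None:
            # An impersonating verifier has nothing to compare against and simply
            # declares the procedure successful; in a unilateral exchange the honest
            # claimant has no way to notice, because it is never shown a proof.
            return True
        expected = sres(self.link_key, challenge, claimant_addr)
        return hmac.compare_digest(expected, response)


def legacy_authentication(verifier: Device, claimant: Device) -> bool:
    """Unilateral legacy authentication: only the claimant proves knowledge of the link key."""
    challenge = os.urandom(16)
    response = claimant.respond(challenge)
    return verifier.check(claimant.bd_addr, challenge, response)


def mutual_authentication(a: Device, b: Device) -> bool:
    """Both directions must succeed, so an honest party holding the key catches an impersonator."""
    return legacy_authentication(a, b) and legacy_authentication(b, a)


# Constructed sample data: Alice and Bob paired earlier and share LINK_KEY.
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ALICE_ADDR = bytes.fromhex("001122aabbcc")
BOB_ADDR = bytes.fromhex("ddeeff334455")

alice = Device(ALICE_ADDR, LINK_KEY)
bob = Device(BOB_ADDR, LINK_KEY)
mallory = Device(ALICE_ADDR, None)  # spoofs Alice's address, never saw the link key


def scenarios() -> Dict[str, bool]:
    """Outcome of each exchange; True means the link ends up treated as authenticated."""
    return {
        "legacy, Bob verifies real Alice": legacy_authentication(bob, alice),
        "legacy, Bob verifies impersonator": legacy_authentication(bob, mallory),
        "legacy, impersonator holds verifier role": legacy_authentication(mallory, bob),
        "mutual, Bob vs impersonator": mutual_authentication(bob, mallory),
        "mutual, impersonator vs Bob": mutual_authentication(mallory, bob),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:45s} -> {'authenticated' if ok else 'rejected'}")
```

The third scenario is the one that matters: with only a unilateral check, whoever holds the verifier role never has to answer a challenge, so a device that never learned the link key still completes the procedure against Bob. Running the exchange in both directions, as Secure Connections authentication does, means the impersonator is challenged by a party that really holds the key and fails regardless of which role it occupies.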
It is worth noting that, according to the researchers, combining BIAS with the KNOB problem mentioned above lets an attacker break authentication even on Bluetooth Classic devices operating in the strong authentication mode. For complete protection, therefore, patches for both problems are needed.
Bluetooth device manufacturers are expected to release firmware updates in the coming months to fix the problem. However, the status and availability of these patches is currently unclear even to the members of the research group.
Recall also that information security researchers recently found that Thunderbolt PCs can be hacked in less than five minutes.