'BIAS', an impersonation attack exploiting a newly found vulnerability in how Bluetooth devices connect, is disclosed


by

Aaron Yoo

A new vulnerability has been found in Bluetooth, one of the short-range wireless communication standards used by digital devices. Researchers report that an attack exploiting it, called 'Bluetooth Impersonation AttackS (BIAS)', affects almost all Bluetooth devices and lets an attacker pose as a device that has previously been paired with the target.

BIAS
https://francozappa.github.io/about-bias/

Security Notice | Bluetooth® Technology Website
https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/bias-vulnerability/

Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack | ZDNet
https://www.zdnet.com/article/smartphones-laptops-iot-devices-vulnerable-to-new-bias-bluetooth-attack/

Researchers found a new Bluetooth bug that allows hackers to impersonate a trusted device-TechSpot
https://www.techspot.com/news/85288-researchers-found-new-bluetooth-bug-allows-hackers-impersonate.html



Bluetooth communication divides the 2.4 GHz band into 79 channels and talks to nearby Bluetooth devices while frequency hopping, that is, switching among those channels in a pseudo-random sequence. This is defined by the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) specification. BIAS exploits a vulnerability in how BR/EDR devices authenticate each other after pairing, and affects almost all Bluetooth devices.

The following video shows how the BIAS attack works.

BIAS: Bluetooth Impersonation AttackS-YouTube


The standard Bluetooth protocol authenticates devices with a long-term pairing key, the link key, to protect communication from an attacker. The link key is generated the first time two Bluetooth devices pair and is stored on each device. On the second and later connections, the devices reuse this link key, which skips the lengthy pairing procedure and lets them connect quickly. A team of researchers from Switzerland, the United Kingdom and Germany discovered a vulnerability in this reconnection process that relies on the stored link key.



A Bluetooth connection has two roles: a 'master', roughly corresponding to a server in a computer network, and a 'slave', roughly corresponding to a client. BIAS lets an attacker impersonate either the master or the slave without possessing the link key, by exploiting a flaw in the authentication performed at connection time.



For example, suppose a slave Bluetooth device called 'Alice' and a master Bluetooth device called 'Bob' have been paired before. Every subsequent connection between them uses the stored link key.



The BIAS attacker masquerades as Alice, the slave. Bob begins the connection believing the attacker is Alice ...



The attacker tells Bob that it no longer supports secure authentication (Secure Connections), so Bob falls back to the legacy authentication procedure, in which only one side is authenticated instead of both.



If the attacker is the slave, it then requests a role switch: the attacker becomes the master, and therefore the verifier in the authentication procedure, and starts Bluetooth authentication.



The attacker, posing as Alice, challenges Bob, and Bob responds. Because legacy authentication is one-way, the attacker is never asked to prove anything in return, and the Bluetooth connection completes.



In this way, the research team explains, an attacker impersonating Alice can communicate over Bluetooth with Bob, the master, without ever knowing the link key. This is BIAS.
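The exchange just described, as an added illustration (not the researchers' code and not a real Bluetooth stack): a small Python model of legacy unilateral authentication in which the attacker, knowing only Alice's BD address, claims it lacks Secure Connections support, asks for a role switch so that it becomes the verifier, and is accepted without ever computing a correct response. The `e1` stand-in (HMAC-SHA256 in place of the SAFER+-based E1 function), the `patched` switch that models the two mitigations the page mentions (refusing a downgrade away from Secure Connections and refusing a role switch before authentication completes), and all device addresses and keys are assumptions made for this example.

```python
import hashlib
import hmac
import os


def e1(link_key: bytes, claimant_addr: bytes, au_rand: bytes) -> bytes:
    """Stand-in for the E1 authentication function (assumption: HMAC-SHA256;
    the real E1 is SAFER+ based). Returns the 32-bit SRES for
    (link key, BD address of the device proving itself, AU_RAND challenge)."""
    return hmac.new(link_key, claimant_addr + au_rand, hashlib.sha256).digest()[:4]


class Device:
    """A legitimate BR/EDR device that remembers link keys from earlier pairings."""

    def __init__(self, name: str, bd_addr: bytes, secure_connections: bool = True):
        self.name = name
        self.bd_addr = bd_addr
        self.secure_connections = secure_connections
        self.link_keys = {}    # peer BD address -> link key from pairing
        self.sc_peers = set()  # peers that paired using Secure Connections

    def pair(self, peer: "Device", link_key: bytes, secure_connections: bool) -> None:
        self.link_keys[peer.bd_addr] = link_key
        if secure_connections:
            self.sc_peers.add(peer.bd_addr)

    def supports_secure_connections(self) -> bool:
        return self.secure_connections

    def requests_role_switch(self) -> bool:
        return False

    def respond(self, verifier_addr: bytes, au_rand: bytes) -> bytes:
        # Prover side: answer the challenge with the link key shared with the verifier.
        return e1(self.link_keys[verifier_addr], self.bd_addr, au_rand)

    def verify(self, claimant_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        # Verifier side: recompute SRES for the claimed address and compare.
        expected = e1(self.link_keys[claimant_addr], claimant_addr, au_rand)
        return hmac.compare_digest(expected, sres)


class BiasAttacker(Device):
    """Knows only the BD address of a device paired with the target; no link key."""

    def __init__(self, impersonated_addr: bytes):
        super().__init__("attacker posing as Alice", impersonated_addr)

    def supports_secure_connections(self) -> bool:
        return False          # claim legacy-only support: forces unilateral auth

    def requests_role_switch(self) -> bool:
        return True           # become master, i.e. the verifier

    def respond(self, verifier_addr: bytes, au_rand: bytes) -> bytes:
        return os.urandom(4)  # cannot compute SRES without the link key

    def verify(self, claimant_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        return True           # as verifier, "accepts" whatever the target answers


def connect(bob: Device, peer: Device, patched: bool) -> str:
    """Bob (master) reconnects to a device presenting Alice's BD address.
    Returns 'authenticated' or the reason the connection was refused."""
    secure = bob.supports_secure_connections() and peer.supports_secure_connections()
    if not secure and patched and peer.bd_addr in bob.sc_peers:
        return "refused: downgrade from Secure Connections to legacy authentication"

    if secure:
        # Secure authentication: both sides challenge and both must answer correctly.
        r1 = os.urandom(16)
        if not bob.verify(peer.bd_addr, r1, peer.respond(bob.bd_addr, r1)):
            return "failed: peer could not prove knowledge of the link key"
        r2 = os.urandom(16)
        if not peer.verify(bob.bd_addr, r2, bob.respond(peer.bd_addr, r2)):
            return "failed: peer rejected Bob's response"
        return "authenticated"

    # Legacy authentication is unilateral: only the master verifies the slave.
    verifier, prover = bob, peer
    if peer.requests_role_switch() and not patched:
        verifier, prover = peer, bob   # the attacker is now the one asking the question
    au_rand = os.urandom(16)
    sres = prover.respond(verifier.bd_addr, au_rand)
    if verifier.verify(prover.bd_addr, au_rand, sres):
        return "authenticated"
    return "failed: peer could not prove knowledge of the link key"


def scenario(alice_uses_sc: bool, impersonate: bool, patched: bool) -> str:
    """Pair Alice and Bob once, then reconnect Bob to Alice or to the attacker.
    Addresses and the link key are constructed for this example."""
    alice = Device("Alice", bytes.fromhex("aabbccddeeff"), secure_connections=alice_uses_sc)
    bob = Device("Bob", bytes.fromhex("112233445566"))
    link_key = os.urandom(16)          # produced by the first pairing
    alice.pair(bob, link_key, alice_uses_sc)
    bob.pair(alice, link_key, alice_uses_sc)
    peer = BiasAttacker(alice.bd_addr) if impersonate else alice
    return connect(bob, peer, patched)


if __name__ == "__main__":
    for args in [(True, False, False), (True, True, False), (False, True, False),
                 (True, True, True), (False, True, True)]:
        print(f"alice_uses_sc={args[0]} impersonate={args[1]} patched={args[2]}: {scenario(*args)}")
```

Running the script shows the attacker being accepted in both unpatched cases (whether Alice originally paired with Secure Connections or with legacy pairing), while in the patched model the downgrade is refused outright when Bob remembers Alice as a Secure Connections peer, and otherwise the attacker stays the prover and fails the challenge because it cannot compute SRES without the link key.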



BIAS also works with the master and slave roles reversed, and can target any device that supports Bluetooth BR/EDR. A successful BIAS attack could let the attacker access data on the target device or take control of it.



To carry out BIAS, the attacker's device must be within Bluetooth range of the target, and the attacker must have obtained the BD address (Bluetooth device address) of a device that has previously been paired with the target.

The research team tested 30 Bluetooth devices, including iPhone, Samsung, Google, Nokia, LG and Motorola smartphones and iPads, MacBook, HP and Lenovo laptops, Philips and Sennheiser Bluetooth headphones, and Raspberry Pi and Cypress development boards, and confirmed that all of the tested devices were vulnerable to BIAS.

BIAS can also be combined with other vulnerabilities. Combined with the KNOB attack (Key Negotiation Of Bluetooth), which exploits a vulnerability that lets an attacker force the encryption key used between two devices down to its minimum entropy, it can break authentication even on Bluetooth devices that use secure authentication.

The research team reported the vulnerability to the Bluetooth Special Interest Group (Bluetooth SIG), the standards body that oversees development and licensing of the Bluetooth standard, in December 2019. In response, the Bluetooth SIG said it has updated the Bluetooth Core Specification, among other changes clarifying when a role switch of the authenticating device is permitted and preventing downgrades away from mutual authentication. Bluetooth device vendors are expected to roll out firmware updates that fix the problem in the coming months.



in Software,   Hardware,   Video,   Security, Posted by log1h_ik