Bluetooth Impersonation AttackS (BIAS): New Vulnerabilities

There is no vulnerability-free wireless specification, neither WiFi nor Bluetooth. Bluetooth is one of the most widely used, and in recent years also one of the most vulnerable. Now a new series of vulnerabilities has been discovered that allows anyone to impersonate you.

Discovered by researchers at the Agence nationale de la sécurité des systèmes d’information (ANSSI), these vulnerabilities are present in the Bluetooth Core and Bluetooth Mesh Profile specifications and allow an attacker to carry out man-in-the-middle (MitM) attacks. Using them, an attacker can impersonate another device during the pairing process and ultimately establish the connection. The two affected specifications are the ones that define how two devices connect to each other.

BIAS: hackers posing as devices

The attack has been dubbed Bluetooth Impersonation AttackS, or BIAS, and in essence it bypasses the protection mechanisms that Bluetooth provides: from the user's point of view, the connection to the attacker looks like a connection to a normal device, and it persists for as long as Bluetooth remains active on the target device.

The serious thing about this case is that all the Bluetooth specifications available on the market are affected, from the first version, 1.0B, to 5.2, the most current and safest, which includes various improved protection mechanisms compared with the first versions of the standard.

This is the first time that vulnerabilities have been discovered in the Bluetooth authentication process between devices. To verify this, the researchers used 31 devices with Bluetooth connectivity, 28 of which had different chips, with hardware and software from the main manufacturers in the market, such as Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung and CSR. The attack worked on all of them.

The complete list of vulnerabilities is as follows:

  • CVE-2020-26559: Bluetooth Mesh Profile AuthValue leak
  • CVE-2020-26556: Malleable commitment in Bluetooth Mesh Profile provisioning
  • CVE-2020-26557: Predictable AuthValue in Bluetooth Mesh Profile provisioning leads to MITM
  • CVE-2020-26560: Impersonation attack in Bluetooth Mesh Profile provisioning
  • CVE-2020-26555: Impersonation in the BR/EDR pin-pairing protocol
  • N/A: Authentication of the Bluetooth LE legacy-pairing protocol
  • CVE-2020-26558: Impersonation in the Passkey entry protocol

Manufacturers are already updating

The Bluetooth SIG itself has publicly communicated these vulnerabilities and their solutions to the main companies in the market, and is working with them to roll out the necessary patches as quickly as possible. Among the first software vendors and developers to fix the vulnerabilities are the Android Open Source Project (AOSP), Cisco, Intel, Red Hat, Microchip Technology, and Cradlepoint.

In Android, this vulnerability has been classified as “high severity” and will be fixed in the June 2021 security patch, due for release in the next few days. Devices that do not receive this patch and the ones that follow will therefore remain vulnerable to these attacks over Bluetooth, which demonstrates the importance of security updates.