EURECOM research center has discovered vulnerabilities in Bluetooth, which can compromise the confidentiality of Bluetooth sessions and allow hackers to carry out “Man-In-The-Middle” (MITM) attacks. The series of exploits has been named Bluffs (Bluetooth Forward and Future Secrecy Attacks and Defenses).
These vulnerabilities are associated with two new weaknesses in the Bluetooth standard related to the process of creating session keys for decrypting data. It is important to note that these issues are architectural and affect Bluetooth at a fundamental level, regardless of specific equipment or software.
The vulnerabilities are identified as cve-2023-24023 and impact the core Bluetooth specification from version 4.2 to 5.4. This puts billions of devices at risk, including smartphones, laptops, and other mobile devices.
The Bluffs exploit series represents a collection of attacks aimed at compromising the confidentiality of both current and future Bluetooth sessions. These attacks exploit four vulnerabilities in the process of obtaining a session key. Two of these vulnerabilities allow for obtaining a short and easily predictable session key (SKC), which can be used by the attacker to decrypt previous and future communications.
To carry out a Bluffs attack, the cybercriminal must be within Bluetooth range of two targets exchanging data. The attacker impersonates one of the targets, coordinating the weak session key with the other target. This involves offering the minimum possible value of the key entropy and using a constant session key diversifier.
In a published article, the researchers describe six types of Bluffs attacks that cover various combinations of attacks, including device impersonation and MITM. These attacks work regardless of whether the victims are using Secure Connections (SC) or Legacy Secure Connection (LSC).
Eurecom researchers tested the Bluffs attacks on various devices, including smartphones, headphones, and laptops using Bluetooth versions from 4.1 to 5.2. They found that all devices were vulnerable to at least three out of the six types of Bluffs attacks. The researchers have developed a set of tools on GitHub to demonstrate the effectiveness of Bluffs.
In response to this threat, the researchers propose several improvements:
- Implementation of the Key Function Function (KDF) for LSC connections, which includes mutual exchange of disposable keys and their verification.