“Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable  to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing,” said an advisory from the Carnegie Mellon CERT Coordination Center.

Researchers from Agence nationale de la sécurité des systèmes d’information (ANSSI) disclosed several vulnerabilities in the two Bluetooth specifications used for low-energy and Internet of Things (IoT) devices or and many-to-many device communication for large-scale networks.

A total of six vulnerabilities (CVE-2020-26555 through CVE-2020-26560) were uncovered by the research.

The vulnerabilities are featured in a paper, ‘BlueMirror: Reflections on the Bluetooth Pairing and Provisioning Protocols’, that’s due to be presented by ANSSI researchers Tristan Claverie and José Lopes Esteves at the WOOT conference (May 27, 2021).

Both the Bluetooth Core and Mesh specifications define the technical and policy requirements for devices that want to operate over Bluetooth connections.

An attacker within wireless range of the vulnerable Bluetooth devices could use a specially crafted device to exploit the vulnerabilities. Depending on the vulnerabilities exploited, a successful attack could lead to impersonation attack, AuthValue disclosure or man-in-the-middle attack.

According to the Carnegie Mellon CERT Coordination Center advisory, the Android Open-Source Project (AOSP), Cisco, Cradlepoint, Intel, Microchip Technology, and Red Hat are vendors affected by the security flaws.

A spokesman from Cradlepoint told FutureIoT: “Cradlepoint was notified of the BLE vulnerabilities prior to public disclosure. We have a production release of our NetCloud OS code available (NCOS version 7.21.40) that fixes the cited issues. As a result, we consider this security vulnerability remediated.”

The Bluetooth Impersonation AttackS, aka BIAS, enable a malicious actor to establish a secure connection with a victim, without having to know and authenticate the long-term key shared between the victims, thus effectively bypassing Bluetooth’s authentication mechanism.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” the researchers said. “The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.”

“To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.”

Vulnerabilities Identified

The following security flaws have been discovered by the researchers in the Bluetooth Core and Mesh specifications:

1. Impersonation in the Passkey Entry Protocol (CVE-2020-26558)

The Passkey Entry protocol used in Secure Simple Pairing (SSP), Secure Connections (SC), and LE Secure Connections (LESC) of the Bluetooth Core Specification is vulnerable to an impersonation attack that enables an active attacker to impersonate the initiating device without any previous knowledge. This vulnerability could allow an attacker to authenticate to the response victim device and act as a legitimate encrypted device. The attacker cannot pair with the initiating device using this method of attack, which prevents a fully transparent man-in-the-middle attack between the initiator and responder.

2. Impersonation in the Pin Pairing Protocol (CVE-2020-26555)

A successful attack requires the attacking device to be within wireless range of a vulnerable device supporting BR/EDR Legacy Pairing that is Connectable and Bondable. Devices supporting the Bluetooth Core Specification versions 1.0B through 5.2 are affected by this vulnerability. This vulnerability could allow an attacker to complete pairing with a known link key, encrypt communications with the vulnerable device, and access any profiles permitted by a paired or bonded remote device supporting Legacy Pairing.

3. Impersonation in Bluetooth Mesh Provisioning (CVE-2020-26560)

For this attack to be successful, an attacking device needs to be within wireless range of a Mesh Provisioner and either spoof the identity of a device being provisioned over the air or be directly provisioned onto a subnet controlled by the provisioner. The vulnerability could allow an attacker to successfully authenticate without the AuthValue. Once authenticated, the attacker could perform any operation permitted to a node provisioned on the subnet until it is either denied access or a new subnet is formed without the attacking node present.

4. Predictable AuthValue in Bluetooth Mesh Provisioning Leads to MITM (CVE-2020-26557)

The Mesh Provisioning procedure could allow an attacker observing or taking part in the provisioning to brute force the AuthValue if it has a fixed value and authenticate to both the Provisioner and provisioned devices, permitting a MITM attack on a future provisioning attempt with the same AuthValue.

5. Malleable Commitment (CVE-2020-26556)

The authentication protocol is vulnerable if the AuthValue can be identified during the provisioning procedure, even if the AuthValue is selected randomly. If an attacker can identify the AuthValue used before the provisioning procedure times out, it is possible to complete the provisioning operation and obtain a NetKey.

Similar to CVE-2020-26557, identifying the AuthValue generally requires a brute-force search against the provisioning random and provisioning confirmation produced by the Provisioner. This brute-force search for a randomly selected AuthValue, which can require significant resources, must complete before the provisioning procedure times out.

6. AuthValue Leak (CVE-2020-26559)

The Mesh Provisioning procedure could allow an attacker that was provisioned without access to the AuthValue to identify the AuthValue directly without brute-forcing its value and authenticate to the Provisioner and provisioned devices.

Remediation

The researchers advised the companies and users to install latest recommended updates from manufacturers into their Bluetooth devices.

The Bluetooth SIG makes the following recommendations for each vulnerability:

1. Impersonation in the Passkey Entry Protocol

For the attack to succeed the pairing device needs to accept the same public key that it provided to the remote peer as the remote peer’s public key. The Bluetooth SIG recommends that potentially vulnerable implementations restrict the public keys accepted from a remote peer device to disallow a remote peer to present the same public key chosen by the local device, and the pairing procedure should be terminated with a failure status if this occurs.

2. Impersonation in the Pin Pairing Protocol

The Bluetooth SIG recommends that potentially vulnerable devices not initiate or accept connections from remote devices claiming the same BD_ADDR as the local device. They also continue to recommend that devices use Secure Simple Pairing or BR/EDR Secure Connections to avoid known vulnerabilities with legacy BR/EDR pairing.

3. Impersonation in Bluetooth Mesh Provisioning

The Bluetooth SIG recommends that potentially vulnerable mesh provisioners restrict the authentication procedure and not accept provisioning both random and confirmation numbers from a remote peer that are the same as those selected by the local device.

4. Predictable AuthValue in Bluetooth Mesh Provisioning Leads to MITM

The Bluetooth SIG recommends that mesh implementations enforce a randomly selected AuthValue using all of the available bits, where permitted by the implementation. A large entropy helps ensure that a brute-force of the AuthValue, even a static AuthValue, cannot normally be completed in a reasonable time.

5. Malleable Commitment

The Bluetooth SIG recommends that potentially vulnerable mesh provisioners restrict the authentication procedure and not accept provisioning random and provisioning confirmation numbers from a remote peer that are the same as those selected by the local device.

6. AuthValue Leak

The Bluetooth SIG recommends that potentially vulnerable mesh provisioners use an out-of-band mechanism to exchange the public keys.