BIAS: Bluetooth Impersonation AttackS
BIAS attack paper (PDF)
TL;DR: The Bluetooth standard provides authentication mechanisms based on a
long-term pairing key, which are designed to protect against impersonation
attacks. The BIAS attacks from our new paper demonstrate that those mechanisms
are broken, and that an attacker can exploit them to impersonate any Bluetooth
master or slave device. Our attacks are standard-compliant, and can be combined
with other attacks, including the KNOB attack. In the paper, we also describe a
low-cost implementation of the attacks and our evaluation results on 30 unique
Bluetooth devices using 28 unique Bluetooth chips.
Details
Bluetooth Classic (also called Bluetooth BR/EDR) is a wireless communication
protocol commonly used between low-power devices to transfer data, e.g., between
a wireless headset and a phone, or between two laptops. Bluetooth communications
might carry private and/or sensitive data, and the Bluetooth standard provides
security features to protect against someone who wants to eavesdrop on and/or
manipulate your information. We found and exploited a severe vulnerability in
the Bluetooth BR/EDR specification that allows an attacker to break the security
mechanisms of Bluetooth for any standard-compliant device. As a result, an
attacker can impersonate a previously paired device towards its peer, even
though the two devices were paired in the absence of the attacker (so the
attacker never learned the pairing key).
We call our attack Bluetooth Impersonation AttackS (BIAS).
Because this attack affects basically all devices that “speak Bluetooth”, we
performed a responsible disclosure with the Bluetooth Special Interest Group (Bluetooth
SIG) - the standards organisation that oversees the development of Bluetooth
standards - in December 2019 to ensure that workarounds could be put in place.
Are My Devices Vulnerable?
The BIAS attack is possible due to flaws in the Bluetooth specification itself,
not in a particular implementation. As such, any standard-compliant Bluetooth
device can be expected to be vulnerable. We conducted BIAS attacks on 28 unique
Bluetooth chips (by attacking 30 different devices). At the time of writing, we
were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR.
All devices that we tested were vulnerable to the BIAS attack.
After we disclosed our attack to industry in December 2019, some vendors might
have implemented workarounds for the vulnerability on their devices. So the short
answer is: if your device has not received a firmware or software update since
December 2019, it is likely vulnerable. Devices updated afterwards might be
fixed; check your vendor's release notes for a fix referencing BIAS.