As one of the classic and familiar connection options, the Bluetooth standard can be found in countless devices today. Due to this widespread use, it is even more important that a Bluetooth connection cannot be compromised.
A new attack technique now takes advantage of previously unknown vulnerabilities, which are listed under the identifier CVE-2023-24023 and at least due to the architecture theoretically a danger of billions of devices.
Eurecom security researcher Daniele Antonioli, who identified the vulnerabilities, calls this type of attack “BLUFFS,” which stands for “Bluetooth Forward and Future Secrecy.” Antonioli presented the results of his investigations at this year’s ACM conference in Copenhagen.
All clear However, it already exists, as the possible attack scenarios are classified as rather unlikely – especially since the responsible Bluetooth Special Interest Group (SIG) has reacted and issued further security recommendations.
»BLUFFS«: Six steps to a cracked connection
According to the Bluetooth SIG, possible targets of the BLUFFS attack include all devices “that support Secure Connections Pairing and Secure Simple Pairing in Bluetooth 4.2 to 5.4”; So to speak, all modern devices of the last few years.
The crux of the attack is the key exchange that occurs when a Bluetooth connection is established between any two devices, each with their own initialization keys. This exchange in turn serves to create a shared session key with which the data is ultimately secured.
However, the session key – also known as a “session key” – can be manipulated by an intermediary. The big problem is that the change is neither prevented nor noticed because the keys are not protected by any authentication process.
An attacker who is within the appropriate range of the Bluetooth devices could change certain parameters of the session key and weaken its security. The key can be “recalculated” from this weakening using the brute force method, thereby decrypting data that has already been transmitted.
At this point it is again Improbability of a possible attack emphasized, because both manipulating the key and the subsequent brute forcing takes a lot of time. A hacker would therefore have to be in the immediate vicinity for a significant amount of time to actually get to your connection.
Back to »BLUFFS«: The subsequent interception of decrypted data packets already provides the first promise of security »Forward Secrecy« cracked by Bluetooth.
Part Two of Cracked Connectivity is the »Future Secrecy«. The cracked session key can be used again for future connections, so that subsequent transmissions can also be read later.
Antonioli himself has already tested the BLUFFS capacities. A total of seventeen different Bluetooth chips were tested for their resistance to the MITM (“Man in the Middle”) attack.
In particular, the LSC protocol (“Legacy Secure Connections”) has proven to be sensitive, allowing us to do this Almost all tested devices were cracked become. The affected hardware includes Soundlink headphones from Bose, the Apple iPhone 13 and a Lenovo Thinkpad X1.
Hackers paralyze an entire game in protest – that’s what’s behind it
BLUFFS is undermined by strict security standards
In the statement from the Bluetooth SIG mentioned at the beginning Recommendations to manufacturers emitted by Bluetooth devices. When exchanging keys, they should ensure that only keys with a length of at least seven bytes are accepted.
always use security mode 4 level 4, should in turn require keys that are at least 16 bytes long. In both cases, sufficient strength would be guaranteed, just like with connected devices that are in »Only secure connections” work.
During his presentation, Antonioli himself made further suggestions for solutions and improvements that would make the generated keys less vulnerable without affecting their compatibility with older standards. However, it is still unclear whether and when these will be implemented.
Now we need your opinion: How often do you establish a Bluetooth connection between devices and do you pay attention to the security of your connection? Or is everything connected via WiFi or cable anyway? Let us know in the comments!