Six novel Bluetooth attack methods have been discovered, which were named BLUFFS (Bluetooth Forward and Future Secrecy) attacks. These attacks could enable threat actors to impersonate devices or machine-in-the-middle attacks.Â
These attacks have been reported to be at the architectural level and don’t depend on the victim’s hardware and software details, such as chip, stack, version, or security mode.
In addition to this, a new toolkit has also been released, which could be used to perform these attacks and check their effectiveness.
Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
BLUFFS Attacks
According to the reports shared with Cyber Security News, these attacks have been categorized as
- A1: Spoofing a LSC Central
- A2: Spoofing a LSC Peripheral
- A3: MitM LSC victims
- A4: Spoofing a SC Central
- A5: Spoofing a SC Peripheral
- A6: MitM SC victim
The major root causes were four architectural vulnerabilities in the specification of Bluetooth session establishment. The root causes have been categorized into two, with SK (Session Key) derivation of sessions and other session establishment phases.
Root cause (RC)
RC1 refers to LSC (Legacy Secure Connections) SK diversification being unilateral. RC2 relates to LSC SK diversification not using nonces.
RC3 is associated with LSC SK not being integrity protected, and RC4 refers to no authentication implementation when downgrading SC (Secure Connections) to LSC (Legacy Secure Connections).
According to reports, A1, A2 and A3 are not affected by RC4. However, all of the attacks from A1 to A6 are affected by all the Root Causes (RC1, RC2, RC3, and RC4).
These six BLUFFS attacks were tested on eighteen devices with seventeen different Bluetooth Chips from popular hardware and software vendors in each of them.
These attacks do not require user interaction or compromising of Bluetooth pairing (keys) as they target protocol-level weaknesses in the Bluetooth Standard.
With these attack methods, researchers could compromise a broad set of devices, including laptops, smartphones, headsets, and speakers, with Operating systems like Android, iOS, Linux, Windows, and proprietary OSes.
A complete research paper has been published providing detailed information on these attack techniques, their concepts, and others.
| Chip | Device(s) | BTv | A1 | A2 | A3 | A4 | A5 | A6 |
| LSC Victims | ||||||||
| Bestechnic BES2300 | Pixel Buds A-Series | 5.2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Apple H1 | AirPods Pro | 5 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cypress CYW20721 | Jaybird Vista | 5 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CSR/Qualcomm BC57H687C-GITM-E4 | Bose SoundLink | 4.2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Intel Wireless 7265 (rev 59) | Thinkpad X1 3rd gen | 4.2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CSR n/a | Logitech BOOM 3 | 4.2 | ✓ | × | ✓ | ✓ | × | ✓ |
| SC Victims | ||||||||
| Infineon CYW20819 | CYW920819EVB-02 | 5 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cypress CYW40707 | Logitech MEGABLAST | 4.2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Qualcomm Snapdragon 865 | Mi 10T | 5.2 | ✓ | ✓ | ✓ | × | × | × |
| Apple/USI 339S00761 | iPhones 12, 13 | 5.2 | ✓ | ✓ | ✓ | × | × | × |
| Intel AX201 | Portege X30-C | 5.2 | ✓ | ✓ | ✓ | × | × | × |
| Broadcom BCM4389 | Pixel 6 | 5.2 | ✓ | ✓ | ✓ | × | × | × |
| Intel 9460/9560 | Latitude 5400 | 5 | ✓ | ✓ | ✓ | × | × | × |
| Qualcomm Snapdragon 835 | Pixel 2 | 5 | ✓ | ✓ | ✓ | × | × | × |
| Murata 339S00199 | iPhone 7 | 4.2 | ✓ | ✓ | ✓ | × | × | × |
| Qualcomm Snapdragon 821 | Pixel XL | 4.2 | ✓ | ✓ | ✓ | × | × | × |
| Qualcomm Snapdragon 410 | Galaxy J5 | 4.1 | ✓ | ✓ | ✓ | × | × | × |
Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.
