Tuesday, June 18, 2024

BLUFFS: Six New Attacks that Break Secrecy of Bluetooth Sessions

Six novel Bluetooth attack methods have been discovered, which were named BLUFFS (Bluetooth Forward and Future Secrecy) attacks. These attacks could enable threat actors to impersonate devices or machine-in-the-middle attacks. 

These attacks have been reported to be at the architectural level and don’t depend on the victim’s hardware and software details, such as chip, stack, version, or security mode.

In addition to this, a new toolkit has also been released, which could be used to perform these attacks and check their effectiveness.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

BLUFFS Attacks

According to the reports shared with Cyber Security News, these attacks have been categorized as 

  • A1: Spoofing a LSC Central
  • A2: Spoofing a LSC Peripheral
  • A3: MitM LSC victims
  • A4: Spoofing a SC Central
  • A5: Spoofing a SC Peripheral
  • A6: MitM SC victim
BLUFFS Attacks (Source: EURECOM)
BLUFFS Attacks (Source: EURECOM)

The major root causes were four architectural vulnerabilities in the specification of Bluetooth session establishment. The root causes have been categorized into two, with SK (Session Key) derivation of sessions and other session establishment phases.

Root cause (RC)

RC1 refers to LSC (Legacy Secure Connections) SK diversification being unilateral. RC2 relates to LSC SK diversification not using nonces.

RC3 is associated with LSC SK not being integrity protected, and RC4 refers to no authentication implementation when downgrading SC (Secure Connections) to LSC (Legacy Secure Connections).

According to reports, A1, A2 and A3 are not affected by RC4. However, all of the attacks from A1 to A6 are affected by all the Root Causes (RC1, RC2, RC3, and RC4).

These six BLUFFS attacks were tested on eighteen devices with seventeen different Bluetooth Chips from popular hardware and software vendors in each of them.

These attacks do not require user interaction or compromising of Bluetooth pairing (keys) as they target protocol-level weaknesses in the Bluetooth Standard.

With these attack methods, researchers could compromise a broad set of devices, including laptops, smartphones, headsets, and speakers, with Operating systems like Android, iOS, Linux, Windows, and proprietary OSes.

A complete research paper has been published providing detailed information on these attack techniques, their concepts, and others.

ChipDevice(s)BTvA1A2A3A4A5A6
LSC Victims
Bestechnic BES2300Pixel Buds A-Series5.2
Apple H1AirPods Pro5
Cypress CYW20721Jaybird Vista5
CSR/Qualcomm BC57H687C-GITM-E4Bose SoundLink4.2
Intel Wireless 7265 (rev 59)Thinkpad X1 3rd gen4.2
CSR n/aLogitech BOOM 34.2××
SC Victims
Infineon CYW20819CYW920819EVB-025
Cypress CYW40707Logitech MEGABLAST4.2
Qualcomm Snapdragon 865Mi 10T5.2×××
Apple/USI 339S00761iPhones 12, 135.2×××
Intel AX201Portege X30-C5.2×××
Broadcom BCM4389Pixel 65.2×××
Intel 9460/9560Latitude 54005×××
Qualcomm Snapdragon 835Pixel 25×××
Murata 339S00199iPhone 74.2×××
Qualcomm Snapdragon 821Pixel XL4.2×××
Qualcomm Snapdragon 410Galaxy J54.1×××
Results of Evaluation (Source: EURECOM)

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Website

Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles