New research at the École Polytechnique Fédérale de Lausanne (EPFL) has brought up some worrying news. According to an official statement, experts described a new security vulnerability for devices that have support for the Bluetooth Classic protocol—which is basically every mobile device.
The vulnerability, named as BIAS (Bluetooth Impersonation AttackS), requires a malicious party (or their device) to be within close range of a victim’s device. This can result in perpetrators accessing and controlling victims’ devices.
But the issue isn’t limited to smartphones. While smartphones from major manufacturers like Apple, Samsung, Google, Nokia, and Motorola were tested, the report also states that tablets, laptops, headphones, and even SoC boards like the Raspberry Pi are at risk.
How does BIAS work?
The BIAS vulnerability works by taking advantage of a bug in the authentication process between devices. When Bluetooth-enabled devices communicate for the first time, a long-term key is generated. This key is then used for any subsequent interactions between the devices, which allows users to skip the cumbersome pairing process again.
During the authentication process, researchers say that attacking devices can spoof the address of a previously-paired device. Despite the lack of the long-term key, the connection is then completed. Once the attack is successful, perpetrators can then access, and even take control of victims’ devices.
According to an official statement on Bluetooth.com:
“For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR bonding with a remote device with a Bluetooth address known to the attacker. For devices supporting Secure Connections mode, the attacker claims to be the previously paired remote device but with no support for Secure Connections.”
How to protect yourself
The Bluetooth Special Interest Group (SIG) is in the process of updating protocols so that authentication is required on both sides, even with legacy authentications. Checks will also be implemented to avoid dangerous encyrption downgrades—however, these changes will only be available in the future.
In the meantime, the group has advised vendors to implement several changes to protect users against BIAS:
“Bluetooth SIG is strongly recommending that vendors ensure that reduction of the encryption key length below 7 octets is not permitted, that hosts initiate mutual authentication when performing legacy authentication, that hosts support Secure Connections Only mode when this is possible, and that the Bluetooth authentication not be used to independently signal a change in device trust without first requiring the establishment of an encrypted link.”
For now, it’s advisable to be careful when receiving Bluetooth requests from devices that claim to be previously trusted. Be sure to only authenticate and communicate with trusted Bluetooth devices that you know to be genuine.