New Bluetooth Flaws Let Attackers Impersonate Legitimate Devices

Adversaries could exploit newly discovered security weaknesses
in Bluetooth Core and Mesh Profile Specifications to masquerade as
legitimate devices and carry out man-in-the-middle (MitM)
attacks.

“Devices supporting the Bluetooth Core[1]
and Mesh Specifications[2]
are vulnerable to impersonation attacks and AuthValue disclosure
that could allow an attacker to impersonate a legitimate device
during pairing,” the Carnegie Mellon CERT Coordination Center
said[3]
in an advisory published Monday.

The two specifications define the standard for many-to-many
communication over Bluetooth, which lets devices in an ad-hoc
network exchange data.

The Bluetooth Impersonation AttackS, aka BIAS, enable a
malicious actor to establish a secure connection with a victim,
without having to know and authenticate the long-term key shared
between the victims, thus effectively bypassing Bluetooth’s
authentication mechanism.

“The BIAS attacks are the first uncovering issues related to
Bluetooth’s secure connection establishment authentication
procedures, adversarial role switches, and Secure Connections
downgrades,” the researchers said[4]. “The BIAS attacks are
stealthy, as Bluetooth secure connection establishment does not
require user interaction.”

“To confirm that the BIAS attacks are practical, we successfully
conduct them against 31 Bluetooth devices (28 unique Bluetooth
chips) from major hardware and software vendors, implementing all
the major Bluetooth versions, including Apple, Qualcomm, Intel,
Cypress, Broadcom, Samsung, and CSR.”

In addition, four separate flaws have been uncovered in
Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1. The
full set of flaws is summarized below:

  • CVE-2020-26555[5] – Impersonation in
    Bluetooth legacy BR/EDR pin-pairing protocol (Core Specification
    1.0B through 5.2)
  • CVE-2020-26558[6] – Impersonation in the
    Passkey entry protocol during Bluetooth LE and BR/EDR secure
    pairing (Core Specification 2.1 through 5.2)
  • N/A – Authentication of the Bluetooth LE
    legacy pairing protocol (Core Specification 4.0 through 5.2)
  • CVE-2020-26556[7] – Malleable commitment
    in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and
    1.0.1)
  • CVE-2020-26557[8] – Predictable AuthValue
    in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and
    1.0.1)
  • CVE-2020-26559[9] – Bluetooth Mesh Profile
    AuthValue leak (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26560[10] – Impersonation attack
    in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and
    1.0.1)

“Our attacks work even when the victims are using Bluetooth’s
strongest security modes, e.g., SSP and Secure Connections. Our
attacks target the standardized Bluetooth authentication procedure,
and are therefore effective against any standard compliant
Bluetooth device,” the researchers said.

The Android Open Source Project (AOSP), Cisco, Cradlepoint,
Intel, Microchip Technology, and Red Hat are among the identified
vendors with products impacted by these security flaws. AOSP,
Cisco, and Microchip Technology said they are currently working to
mitigate the issues.

The Bluetooth Special Interest Group (SIG), the organization
that oversees the development of Bluetooth standards, has also
issued security notices[11] for each of the six
flaws. Bluetooth users are advised to install the latest
updates from device and operating system manufacturers as they
become available.

References

  1. Core (www.bluetooth.com)
  2. Mesh Specifications (www.bluetooth.com)
  3. said (kb.cert.org)
  4. said (francozappa.github.io)
  5. CVE-2020-26555 (nvd.nist.gov)
  6. CVE-2020-26558 (nvd.nist.gov)
  7. CVE-2020-26556 (nvd.nist.gov)
  8. CVE-2020-26557 (nvd.nist.gov)
  9. CVE-2020-26559 (nvd.nist.gov)
  10. CVE-2020-26560 (nvd.nist.gov)
  11. security notices (www.bluetooth.com)