BIAS Attack Allows Impersonation of Any Bluetooth Classic Client or Host Device

Flaws in the underlying specification mean a cross-vendor method of impersonating any Bluetooth device or host is now public.

Security researchers at the École Polytechnique Fédérale de Lausanne (EPFL), the CISPA Helmholtz Center for Information Security, and the University of Oxford have warned of a vulnerability in the core Bluetooth specification that lets an attacker impersonate a previously paired Bluetooth Classic (BR/EDR) device, in an attack dubbed BIAS (Bluetooth Impersonation AttackS).

"The Bluetooth standard provides authentication mechanisms based on a long term pairing key, which are designed to protect against impersonation attacks," the researchers explain of their findings. "The BIAS attacks from our new paper demonstrate that those mechanisms are broken, and that an attacker can exploit them to impersonate any Bluetooth master or slave device."

"Bluetooth communications might contain private and/or sensitive data, and the Bluetooth standard provides security features to protect against someone who wants to eavesdrop and/or manipulate your information. We found and exploited a severe vulnerability in the Bluetooth BR/EDR specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker can impersonate a device towards the host after both have previously been successfully paired in absence of the attacker."

The vulnerability is separate from, but related to, the earlier Key Negotiation of Bluetooth (KNOB) attack, first disclosed publicly last year: KNOB weakens the encryption key negotiated after a connection is authenticated, while BIAS breaks the authentication itself. The two can be chained, and because both target the Bluetooth specification rather than any particular implementation, neither is vendor-dependent: the team tested 30 different devices based on 28 different Bluetooth chips, and all proved vulnerable.
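To make the impersonation concrete, the following is an added illustration (not code from the BIAS paper or from any vendor) of the legacy BR/EDR authentication procedure, which is unilateral: only the verifier challenges, and the other side never has to prove it holds the pairing key. An attacker connecting as master simply plays verifier; an attacker connecting as slave requests an LMP role switch so that it becomes the verifier. The link key, the BD_ADDRs and the laptop/headset pair are constructed values, the E1 function is stood in for by HMAC-SHA256 (the real E1 is SAFER+ based), and the model assumes the master always acts as verifier. The paper treats further variants, including secure authentication, that this model does not cover.

```python
"""Model of Bluetooth BR/EDR legacy authentication and the role-switch
trick behind BIAS. Constructed illustration, not code from the BIAS paper."""
import hashlib
import hmac
import os

# Constructed sample values: a laptop/headset pair that already shares a
# long-term link key, and hypothetical BD_ADDRs. None come from the paper.
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
LAPTOP_ADDR = bytes.fromhex("aabbccddeeff")
HEADSET_ADDR = bytes.fromhex("001122334455")


def e1(link_key, au_rand, bd_addr):
    """Stand-in for the Bluetooth E1 function (assumption: the real E1 is
    SAFER+ based; HMAC-SHA256 is used here only to model
    SRES = f(key, AU_RAND, BD_ADDR)). SRES is the 32-bit response."""
    return hmac.new(link_key, au_rand + bd_addr, hashlib.sha256).digest()[:4]


class Device:
    """A legitimate device holding the pairing (link) key."""

    def __init__(self, name, bd_addr, link_key):
        self.name, self.bd_addr, self.link_key = name, bd_addr, link_key
        self.wants_role_switch = False

    def respond(self, au_rand):
        # Claimant: prove key knowledge by answering the challenge.
        return e1(self.link_key, au_rand, self.bd_addr)

    def verify(self, peer):
        # Verifier: send a fresh AU_RAND and check the peer's SRES.
        au_rand = os.urandom(16)
        expected = e1(self.link_key, au_rand, peer.bd_addr)
        return hmac.compare_digest(peer.respond(au_rand), expected)


class Impersonator(Device):
    """Attacker spoofing a victim's BD_ADDR without the link key."""

    def __init__(self, spoofed_addr):
        super().__init__("attacker", spoofed_addr, link_key=None)

    def respond(self, au_rand):
        # Cannot compute SRES; a guess succeeds with probability 2^-32.
        return os.urandom(4)

    def verify(self, peer):
        # Cannot check the peer's SRES either, so challenge and accept.
        peer.respond(os.urandom(16))
        return True


def legacy_authentication(master, slave, allow_role_switch=True, mutual=False):
    """Simplified legacy authentication over a BR/EDR link. Returns True if
    the link is accepted. Simplification: the master always acts as verifier,
    and a slave may ask for an LMP role switch before authentication starts."""
    if allow_role_switch and slave.wants_role_switch:
        master, slave = slave, master  # role switch: the slave becomes master
    if not master.verify(slave):
        return False
    if mutual and not slave.verify(master):
        return False  # unilateral (legacy) authentication skips this step
    return True


def bias_scenarios():
    """Run the honest case, both impersonation directions, and the two
    countermeasures (refusing the role switch, requiring mutual auth)."""
    laptop = Device("laptop", LAPTOP_ADDR, LINK_KEY)
    headset = Device("headset", HEADSET_ADDR, LINK_KEY)
    fake_headset = Impersonator(HEADSET_ADDR)
    fake_headset.wants_role_switch = True
    fake_laptop = Impersonator(LAPTOP_ADDR)
    return {
        "honest pair": legacy_authentication(laptop, headset),
        "slave impersonation": legacy_authentication(laptop, fake_headset),
        "slave impersonation, role switch refused":
            legacy_authentication(laptop, fake_headset, allow_role_switch=False),
        "slave impersonation, mutual auth":
            legacy_authentication(laptop, fake_headset, mutual=True),
        "master impersonation": legacy_authentication(fake_laptop, headset),
        "master impersonation, mutual auth":
            legacy_authentication(fake_laptop, headset, mutual=True),
    }


if __name__ == "__main__":
    for scenario, accepted in bias_scenarios().items():
        print(f"{scenario:42s} link accepted: {accepted}")
```

The honest pair and both impersonation cases come back accepted, because in each the attacker is the only party doing any verifying. The two countermeasures in the model, refusing a role switch before authentication and requiring the victim to challenge back, are the kind of workaround the researchers say vendors may have shipped after the December 2019 disclosure; a device that does neither accepts the impersonator regardless of which role it takes.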

"After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices," the researchers note. "If your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed."

More information can be found on the BIAS website.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.