BLUFFS Vulnerability Leaves Bluetooth Devices Open to Attack, Says Researcher Daniele Antonioli

Security researcher and assistant professor at France's EURECOM Daniele Antonioli has detailed a pair of vulnerabilities in the Bluetooth standard which, he says, can lead to man-in-the-middle attacks and data decryption capabilities which persist across sessions: Bluetooth Forward and Future Secrecy, or BLUFFS, attacks.

"We present six novel attacks, defined as the BLUFFS attacks, breaking Bluetooth sessions’ forward and future secrecy," Antonioli explains in his paper detailing the vulnerabilities. "Our attacks enable device impersonation and machine-in- the-middle across sessions by only compromising one session key. The attacks exploit two novel vulnerabilities that we uncover in the Bluetooth standard related to unilateral and repeatable session key derivation."

The six demonstrated BLUFFS attacks exploit two key vulnerabilities, which Antonioli claims are inherent to the Bluetooth standard itself and applicable to devices from any vendor. During an attack, the target Bluetooth device is fooled into reusing a weak session key known to the attacker across multiple sessions — and when it does, the attacker can impersonate a device or decrypt captured traffic.

As the vulnerabilities are in the standard themselves, they have a broad impact: Antonioli found that devices from multiple vendors could be exploited, demonstrating the weakness in 18 devices using 17 unique Bluetooth chips. It's also remonstrated across multiple versions of the Bluetooth standard, from Bluetooth 5.2 back to Bluetooth 4.1.

This isn't the first time Antonioli has uncovered security issues in the Bluetooth standard: back in May 2020 he was first author on a paper detailing the Bluetooth Impersonation Attacks, or BIAS, vulnerabilities, which — like BLUFFS — allowed for attackers to bypass key-pairing authentication to impersonate any Bluetooth device.

The solution, Antonioli claims, needs to be implemented in the Bluetooth standard itself: the use of a new session key derivation function, designed to block BLUFFS attacks yet operate in a manner backwards-compatible with the billions of Bluetooth devices already in the wild. The vulnerabilities and a suggested key derivation function were communicated privately the the Bluetooth Special Interest Group (SIG) in October last year, Antonioli says, and several vendors including Apple, Google, Intel, and Logitech have confirmed they are working on fixes for their own products.

"For this attack to be successful," the Bluetooth SIG claims of BLUFFS, "an attacking device needs to be within wireless range of two vulnerable Bluetooth devices initiating an encryption procedure using a link key obtained using BR/EDR Secure Connections pairing procedures. Implementations are advised to reject service-level connections on an encrypted baseband link with key strengths below seven octets.

"For implementations capable of always using Security Mode 4 Level 4, implementations should reject service-level connections on an encrypted baseband link with a key strength below 16 octets. Having both devices operating in Secure Connections Only Mode will also ensure sufficient key strength."

The full paper on the BLUFFS vulnerabilities is available under open-access terms on Daniele Antonioli's website; a supporting toolkit, which includes a vulnerability checker, has been released on GitHub under the permissive MIT license.