A wild Bluetooth-vulnerability appears!

Summary

A new Bluetooth vulnerability has been found, dubbed BLURtooth, with so far no known way of patching it up. Researchers from The Bluetooth Special Interest Group reported the vulnerability, while it was confirmed by another group out of Carnegie Mellon. According to the researchers, the protocols that both Android and iOS follow when linking up to another Bluetooth-powered device - like, say, a pair of speakers - can be effectively hijacked to give an attacker access to any Bluetooth-powered app or service on the phone.

Quotes

Researchers at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University have independently identified vulnerabilities related to Cross-Transport Key Derivation (CTKD) in implementations supporting pairing and encryption with both Bluetooth BR/EDR and LE in Bluetooth Specifications 4.2 through 5.0. The researchers identified that CTKD, when implemented to older versions of the specification, may permit escalation of access between the two transports with non-authenticated encryption keys replacing authenticated keys or weaker encryption keys replacing stronger encryption keys.

The researchers also identified that CTKD may permit a remote paired device to access some LE services if BR/EDR access is achieved or BR/EDR profiles if LE access is achieved. As this is the intended use of CTKD, these cross-transport procedures are not being considered vulnerabilities by the SIG.

For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device supporting both BR/EDR and LE transports that supports CTKD between the transports and permits pairing on either the BR/EDR or LE transport either with no authentication (e.g. JustWorks) or no user-controlled access restrictions on the availability of pairing. If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur. This may permit a Man In The Middle (MITM) attack between devices previously bonded using authenticated pairing when those peer devices are both vulnerable.

My thoughts

Given the short range of Bluetooth, this doesn't seem to be a particularly noteworthy thing for your average consumer, but if you could e.g. hide a small, automated device next to a Bluetooth-operated lock or a similar security or authentication installation, you could gain access to plenty of things you are not supposed to. On the other hand, this might even be beneficial to the hacker-minded ones amongst us, giving people a way of unlocking functionality in locked-down appliances, or allowing one to write third-party software for such without having to rely on manufacturers' - often rather poor - software.

Sources

https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.
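To make the quoted SIG statement concrete, here is a small Python model of the key-overwrite behaviour it describes. This is an added illustration, not code from the thread, the Bluetooth SIG, the EPFL/Purdue researchers or any real Bluetooth stack: the bond table, the `BondKey` fields and the `downgrade_scenario` walk-through are constructed, and the HMAC-SHA256 derivation stands in for the specification's actual CTKD functions. It shows the same bond table twice: once accepting any CTKD-derived key (an unauthenticated, weaker key silently replaces an authenticated 16-byte one), and once refusing a derived key that would lower authentication or key strength.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

BR_EDR = "BR/EDR"
LE = "LE"


@dataclass(frozen=True)
class BondKey:
    transport: str       # BR_EDR or LE
    key: bytes           # link key (BR/EDR) or long-term key (LE)
    authenticated: bool  # True if the pairing that produced it was MITM-protected
    strength: int        # negotiated key size in bytes (7..16)


def other_transport(transport: str) -> str:
    return LE if transport == BR_EDR else BR_EDR


def derive_cross_transport_key(key: bytes, target: str) -> bytes:
    # Stand-in for the spec's CTKD derivation (assumption: HMAC-SHA256 truncated
    # to a 16-byte key); only the storage policy around it matters here.
    return hmac.new(key, target.encode(), hashlib.sha256).digest()[:16]


class BondTable:
    """Keys one device holds for a single peer, on both transports (constructed model)."""

    def __init__(self, restrict_overwrite: bool) -> None:
        # restrict_overwrite=False models the overwrite the SIG describes;
        # True models the mitigation of refusing a downgrade.
        self.restrict_overwrite = restrict_overwrite
        self.keys: Dict[str, BondKey] = {}

    def store_pairing_key(self, key: BondKey) -> None:
        # A key established by pairing directly on its own transport.
        self.keys[key.transport] = key

    def apply_ctkd(self, source: str) -> Tuple[bool, str]:
        """Derive the other transport's key from `source` and try to store it."""
        src = self.keys[source]
        target = other_transport(source)
        derived = BondKey(
            transport=target,
            key=derive_cross_transport_key(src.key, target),
            authenticated=src.authenticated,  # the derived key inherits the source's properties
            strength=src.strength,
        )
        existing = self.keys.get(target)
        if self.restrict_overwrite and existing is not None:
            if existing.authenticated and not derived.authenticated:
                return False, "refused: unauthenticated key would replace an authenticated one"
            if derived.strength < existing.strength:
                return False, "refused: weaker key would replace a stronger one"
        self.keys[target] = derived
        return True, "stored derived key for " + target


def downgrade_scenario(restrict_overwrite: bool) -> dict:
    """Constructed scenario: an older authenticated BR/EDR bond, then a Just Works
    LE pairing from a peer presenting the same identity, then CTKD from LE."""
    table = BondTable(restrict_overwrite)
    # Existing bond from an earlier, authenticated BR/EDR pairing (constructed key bytes).
    table.store_pairing_key(BondKey(BR_EDR, bytes(range(16)), authenticated=True, strength=16))
    # New LE pairing with no authentication and a small negotiated key size.
    table.store_pairing_key(BondKey(LE, bytes(16), authenticated=False, strength=7))
    accepted, reason = table.apply_ctkd(LE)
    br_edr = table.keys[BR_EDR]
    return {
        "accepted": accepted,
        "reason": reason,
        "br_edr_authenticated": br_edr.authenticated,
        "br_edr_strength": br_edr.strength,
    }


if __name__ == "__main__":
    for restrict in (False, True):
        print("restrict_overwrite=%s -> %s" % (restrict, downgrade_scenario(restrict)))
```

With `restrict_overwrite=False` the BR/EDR entry ends up unauthenticated and 7 bytes long, so any service that relied on the old authenticated bond would now accept the unauthenticated peer; with `restrict_overwrite=True` the derived key is rejected and the original bond is kept, which is the property the SIG's wording about keys "of greater strength or that was created using authentication" points at.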


*Laughs in headphone jack*

Hi
hi

1 hour ago, WereCatf said:

Given the short range of Bluetooth, this doesn't seem to be a particularly noteworthy thing for your average consumer,

I'm not as sure. Think about a commuter train or subway, for example. How many people take out their phone and pair some Bluetooth headphones?

Someone could ride the train for a few hours and hack several phones with a perfectly legitimate reason for being there in close proximity.

I guess it really depends what they can do with whatever access this vulnerability gives them.

Written from my Nokia 8 with Bluetooth turned off and a headphone jack. :)

Athan is pronounced like Nathan without the N. <3


So, uh, how is that different to all the other BT vulnerabilities? (pretty sure I keep reading it's really easy to crack anyhow)

The direction tells you... the direction

-Scott Manley, 2021

Software used: Corsair Link (Anime Edition), MSI Afterburner, OpenRGB, Lively Wallpaper, OBS Studio, Shutter Encoder, Avidemux, FSResizer, Audacity, VLC, WMP, GIMP, HWiNFO64, Paint, 3D Paint, GitHub Desktop, Superposition, Prime95, Aida64, GPUZ, CPUZ, Generic Logviewer

1 hour ago, Mark Kaine said:

So, uh, how is that different to all the other BT vulnerabilities? (pretty sure I keep reading it's really easy to crack anyhow)

Sure, this is just one more on the giant pile that already exists. That doesn't make this vulnerability irrelevant, though, and since this works with protocol versions 4.2 and 5.0, that's pretty recent devices.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.
