Cutting-edge research has exposed a series of innovative attacks challenging Bluetooth Classic’s forward secrecy and future secrecy assurances, leading to potential adversary-in-the-middle (AitM) scenarios between two connected devices.
Termed collectively as BLUFFS, these vulnerabilities impact Bluetooth Core Specification versions 4.2 through 5.4 and have been assigned the identifier CVE-2023-24023, with a CVSS score of 6.8. These vulnerabilities were responsibly disclosed in October 2022.
EURECOM researcher Daniele Antonioli, in a study published last month, revealed that these attacks “facilitate device impersonation and machine-in-the-middle scenarios across sessions by compromising just one session key.”
This exploit is made possible by capitalizing on two new flaws discovered in the Bluetooth standard’s session key derivation mechanism, allowing the derivation of the same key across multiple sessions.
While forward secrecy ensures the confidentiality of past communications, even if private keys are exposed by a passive attacker, future secrecy guarantees the confidentiality of future messages should past keys become compromised.
The attack strategically employs four architectural vulnerabilities, including the two aforementioned flaws, within the Bluetooth session establishment process to derive a weakened session key. Subsequently, it utilizes brute-force techniques to impersonate arbitrary victims.
The AitM attacker, posing as the paired device, can negotiate a connection with the other end to initiate a subsequent encryption procedure using legacy encryption. Through this method, “an attacker in proximity may ensure that the same encryption key is used for every session while in proximity and force the lowest supported encryption key length,” according to the Bluetooth Special Interest Group (SIG).
SIG acknowledges that any conforming BR/EDR implementation is susceptible to this attack on session key establishment. However, it suggests that the impact may be mitigated by refusing access to host resources from a downgraded session or by ensuring sufficient key entropy to limit the utility of session key reuse to an attacker.
Furthermore, the vulnerabilities enable an attacker to conduct real-time brute-force attacks on encryption keys, facilitating live injection attacks on traffic between vulnerable devices. Successful execution of the attack requires the attacking device to be within wireless range during the pairing procedure initiation, capturing Bluetooth packets in plaintext and ciphertext, and having knowledge of the victim’s Bluetooth address to craft Bluetooth packets.
As a countermeasure, SIG recommends Bluetooth implementations to reject service-level connections on an encrypted baseband link with key strengths below 7 octets. It also advises operating devices in “Secure Connections Only Mode” to ensure sufficient key strength and performing pairing in “Secure Connections” mode instead of the legacy mode.
This disclosure coincides with ThreatLocker detailing a Bluetooth impersonation attack that exploits the pairing mechanism to gain wireless access to Apple macOS systems through Bluetooth connections, allowing the launch of a reverse shell.