New security vulnerability allows impersonation of trusted Bluetooth peripherals

A research team has revealed a new vulnerability that could allow attackers to trick modern Bluetooth devices into pairing with malicious devices disguised as trusted ones, media outlet AppleInsider reported. The vulnerability, which the team calls a Bluetooth Impersonation Attack (BIAS), affects a range of Bluetooth-equipped devices, including iPhones, iPads and Macs.


In essence, BIAS attacks exploit weaknesses in how Bluetooth devices handle long-term connections. When two Bluetooth devices are paired, they agree on a “link key” so that they can reconnect later without repeating the pairing process. Researchers at the Federal Institute of Technology in Lausanne, Switzerland, found that they could spoof the Bluetooth address of a previously paired device and complete the authentication process without knowing the link key.

More specifically, the attack begins when an attacking device pretends to be a previously trusted device that only supports unilateral authentication, the lowest security setting in Bluetooth. Normally the user’s device is the one that verifies that the connection is valid. However, by using a procedure known as “role switching”, an attacker can take over the verifying role, bypass authentication and establish a secure connection to the user’s device.

Combined with other Bluetooth vulnerabilities, such as the Key Negotiation of Bluetooth (KNOB) attack, an attacker can also break a device running in secure authentication mode. Once a BIAS attack succeeds, the compromised connection can be leveraged further, including to access data sent over Bluetooth and even to control the capabilities of previously paired devices.

Because Bluetooth connections often do not require explicit user interaction, BIAS and KNOB attacks are also stealthy and can be carried out without the user’s knowledge.
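To make the role-switch weakness described above concrete, here is a toy model of legacy challenge-response authentication, added for illustration and not code from the researchers or from any Bluetooth stack. The `e1_stand_in` function is an HMAC placeholder for the real E1 algorithm, the link key is a constructed sample value, and the role-switch policy and mutual-authentication fix are modelled at the level the article describes.

```python
import hmac, hashlib, os
from typing import Optional

def e1_stand_in(link_key: bytes, challenge: bytes) -> bytes:
    # Stand-in for the Bluetooth E1 authentication function (assumption: HMAC-SHA256).
    return hmac.new(link_key, challenge, hashlib.sha256).digest()

class Device:
    """A Bluetooth BR/EDR device. link_key=None models an impersonator without the key."""
    def __init__(self, name: str, link_key: Optional[bytes], wants_role_switch: bool = False):
        self.name, self.link_key, self.wants_role_switch = name, link_key, wants_role_switch

    def respond(self, challenge: bytes) -> bytes:
        if self.link_key is None:            # cannot compute a valid response without the key
            return os.urandom(32)
        return e1_stand_in(self.link_key, challenge)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.link_key is None:            # an impersonating verifier simply "accepts"
            return True
        return hmac.compare_digest(e1_stand_in(self.link_key, challenge), response)

def legacy_auth(verifier: Device, claimant: Device) -> bool:
    """Unilateral legacy authentication: only the verifier checks the claimant."""
    challenge = os.urandom(16)
    return verifier.verify(challenge, claimant.respond(challenge))

def reconnect_legacy(user_device: Device, peer: Device, allow_role_switch: bool) -> bool:
    """Reconnection as the article describes: the user's device normally verifies the peer,
    but an accepted role switch makes the peer the verifier and the user's device the claimant."""
    if allow_role_switch and peer.wants_role_switch:
        verifier, claimant = peer, user_device
    else:
        verifier, claimant = user_device, peer
    return legacy_auth(verifier, claimant)

def reconnect_mutual(user_device: Device, peer: Device) -> bool:
    """Mitigation: both sides must prove knowledge of the link key, whatever the roles."""
    return legacy_auth(user_device, peer) and legacy_auth(peer, user_device)

LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample link key
```

With mutual authentication the impersonator fails regardless of which role it ends up in, which is why the specification change centres on requiring both sides to prove key knowledge.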

Who would be threatened by the BIAS attack?

This flaw only affects Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR), that is, classic Bluetooth. But it still leaves relatively new Apple devices exposed, including the iPhone 8 and later, 2017 MacBook models and later, and 2018 iPad models and later.

In order to carry out an attack, the bad actor needs to be within Bluetooth range of the vulnerable device and know the Bluetooth address of the previously paired device. Discovering these Bluetooth addresses is relatively trivial for a skilled attacker.

Researchers have notified the Bluetooth Special Interest Group (SIG), which has updated the Bluetooth Core Specification to mitigate the vulnerability. Manufacturers such as Apple and Samsung are likely to roll out firmware or software patches in the near future to complement the fix.