Are Bluetooth connections secure?

Flaws in Bluetooth connections have been exploited in the past to compromise the security of users. Now, however, architectural problems in the technology are highlighting the risks posed by the use of Bluetooth devices for communication.

December 04, 2023 12:52 pm | Updated 01:46 pm IST

Researchers at Eurecom discovered two previously unknown flaws in the Bluetooth standard that are not specific to hardware or software configuration.

Photo Credit: AP

The use of Bluetooth connections to compromise the security of users is not a new problem. Until now, vulnerabilities were thought to have existed because of a lack of foresight on the manufacturer’s end.

However, recent research at Eurecom, a French graduate school and digital research centre, discovered two previously unknown flaws in the Bluetooth standard that are not specific to any hardware or software configuration but are architectural. They affect Bluetooth at a fundamental level and impact billions of devices, including laptops, smartphones and other mobile devices. The flaws were found to affect not just older versions of the standard but also versions released as recently as February 2023.

Using the previously unknown flaws, researchers developed six new attacks, collectively dubbed “BLUFFS”, that can break the secrecy of Bluetooth sessions, allowing attackers to impersonate devices and perform man-in-the-middle (MitM) attacks.

A man-in-the-middle or MitM attack is a cyber-attack in which attackers intercept communication between devices. Attackers use this method not just to snoop on private conversations between devices, but also to make unauthorised purchases and to hack into devices.


The exploits targeting Bluetooth connections break the forward and future secrecy of Bluetooth sessions. This is achieved by exploiting flaws in the session key derivation process that allow attackers to brute-force the session key, which in turn lets them decrypt past communication and decrypt or manipulate future communications.


This form of attack affects devices including smartphones, earphones and laptops running different versions of Bluetooth, all of which were confirmed to be susceptible to at least three of the six attacks.

Remedies for flaws in Bluetooth technology

The researchers suggested modifications to the use of Bluetooth technology to remedy the flaws. These include introducing a new Key Derivation Function; introducing pairing keys for mutual authentication of devices, so that attackers cannot use man-in-the-middle attacks to compromise security; enforcing Secure Connections wherever possible; and maintaining a cache of session keys to prevent their reuse.

Bluetooth SIG (Special Interest Group), the non-profit organisation overseeing the development of the Bluetooth standard, responded to the report by suggesting changes in how the technology is operated. These include rejecting low key strengths to ensure higher encryption strength, along with the use of “Secure Connections Only” mode when pairing devices.
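The three remedies above can be expressed as a host-side acceptance policy for a new session. The following is an added example, not code from the article, Eurecom or Bluetooth SIG; the 7-octet minimum, the proposal fields and the sample keys are assumptions chosen to illustrate the policy, and the work-factor figure counts only the entropy left in a reduced-size key.

```python
# Added example: a host-side acceptance policy for a Bluetooth BR/EDR session that applies the
# remedies the article lists: reject low key strengths, require Secure Connections, and refuse
# a session key that was already used. Thresholds and sample values are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field

MIN_KEY_OCTETS = 7    # assumed policy threshold for "low key strength"
MAX_KEY_OCTETS = 16   # BR/EDR encryption key size is negotiated in the range 1..16 octets


@dataclass(frozen=True)
class SessionProposal:
    key_size_octets: int        # negotiated encryption key size (effective entropy)
    secure_connections: bool    # True when the Secure Connections key derivation was used
    session_key: bytes          # derived session key (constructed sample values in tests)


@dataclass
class SessionPolicy:
    secure_connections_only: bool = True
    min_key_octets: int = MIN_KEY_OCTETS
    used_keys: set[bytes] = field(default_factory=set)  # cache of keys from earlier sessions

    @staticmethod
    def brute_force_work(key_size_octets: int) -> int:
        # Candidate keys an attacker must try when only key_size_octets of entropy remain.
        return 2 ** (8 * key_size_octets)

    def evaluate(self, p: SessionProposal) -> tuple[bool, list[str]]:
        """Return (accepted, reasons); an accepted key is recorded so it cannot be reused."""
        reasons: list[str] = []
        if not 1 <= p.key_size_octets <= MAX_KEY_OCTETS:
            reasons.append("key size outside the 1..16 octet range")
        elif p.key_size_octets < self.min_key_octets:
            reasons.append(f"key strength {p.key_size_octets} octets is below the minimum of "
                           f"{self.min_key_octets} (only 2^{8 * p.key_size_octets} candidates)")
        if self.secure_connections_only and not p.secure_connections:
            reasons.append("legacy key derivation rejected: Secure Connections Only mode")
        if p.session_key in self.used_keys:
            reasons.append("session key was already used by an earlier session")
        accepted = not reasons
        if accepted:
            self.used_keys.add(p.session_key)
        return accepted, reasons
```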
