Billions of Bluetooth-connected devices impacted by new BIAS weakness
A group of academic researchers have discovered a new vulnerability in the Bluetooth wireless protocol that affects almost all Bluetooth enabled devices.
The vulnerability, which they have decided to refer to as Bluetooth Impersonation AttackS (BIAS), impacts the classic version of the Bluetooth protocol that is used by low power devices to transfer data and is commonly referred to as Bluetooth Classic.
The BIAS security flaw leverages the way that devices handle link keys or long-term keys that are generated when two Bluetooth devices pair for the first time. The devices agree on a long-term key that is then used to connect paired devices in the future so that users don’t need to go through the pairing process each time they want to use their devices.
In a new paper detailing their discovery, the researchers explain how they found a bug in this post-bonding authentication process. An attacker can exploit the flaw to spoof the identity of a previously paired device and successfully authenticate and connect to another device without first obtaining the long-term pairing key that was previously established between two devices. A successful BIAS attack allows an attacker to access or even take control of another Bluetooth Classic device.
BIAS attacks
The researchers explained that they tested and found that many Bluetooth devices are vulnerable to BIAS attacks in a post, saying:
“The BIAS attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices). At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack.”
After making and disclosing the security flaw in December of last year, some vendors may have implemented workarounds for the vulnerability on their devices. However, if your devices have not been updated since that time, they are likely vulnerable.
Thankfully though, launching a successful attack is not that easy as an attacker’s device would need to be within wireless range of a vulnerable Bluetooth device that has previously been paired with a remote device with a Bluetooth address known to the attacker.
TechRadar Pro reached out to the Bluetooth Special Interest Group (SIG) regarding BIAS attacks and a spokesperson for the group explained that it works with developers and the security research community to help protect all Bluetooth devices, saying:
“The Bluetooth Special Interest Group (SIG) prioritizes security and the specifications include a collection of features that provide developers the tools they need to secure communications between Bluetooth devices. The SIG also provides educational resources to the developer community to help them implement the appropriate level of security within their Bluetooth products, as well as a vulnerability response program that works with the security research community to address vulnerabilities identified within Bluetooth specifications in a responsible manner.”
Via ZDNet
A group of academic researchers have discovered a new vulnerability in the Bluetooth wireless protocol that affects almost all Bluetooth enabled devices. The vulnerability, which they have decided to refer to as Bluetooth Impersonation AttackS (BIAS), impacts the classic version of the Bluetooth protocol that is used by low power…
Recent Posts
- A battle might be brewing as talks swirl of OpenAI working on a search engine to challenge Google’s dominance
- Multibillion-dollar Apple deal looms large in Google antitrust trial
- Everything new on Netflix in May 2024
- The Morning After: Peloton’s grim post-pandemic reality
- Netflix’s Cobra Kai season 6 will be a mega 15 episode epic released in 3 parts from July
Archives
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011