Two newly-discovered Bluetooth security flaws allow attackers to break into the encrypted sessions of devices using Bluetooth 4.2 to 5.4 inclusive, which covers effectively every device released between late 2014 and now. AirDrop is a particular risk on Apple devices.
Six separate attacks have been demonstrated, enabling both device impersonation and man-in-the-middle attacks …
How Bluetooth security works
Bluetooth is intended to be a secure form of wireless communication, with a number of security features. An Apple support document describes six different elements of Bluetooth security.
- Pairing: The process for creating one or more shared secret keys
- Bonding: The act of storing the keys created during pairing for use in subsequent connections to form a trusted device pair
- Authentication: Verifying that the two devices have the same keys
- Encryption: Message confidentiality
- Message integrity: Protection against message forgeries
- Secure Simple Pairing: Protection against passive eavesdropping and protection against man-in-the-middle attacks
However, there are many generations of the Bluetooth Core Specification, and they support different levels of security. Because two devices negotiate down to what both of them support, the degree of protection you get depends on the Bluetooth version supported by the oldest device involved in a connection. The strength of the negotiated session key is one of the key factors in the level of protection offered.
Newly-discovered Bluetooth security flaws
It is this last point, session-key strength, that the attacks dubbed BLUFFS exploit, as Bleeping Computer explains.
Researchers at Eurecom have developed six new attacks collectively named ‘BLUFFS’ that can break the secrecy of Bluetooth sessions, allowing for device impersonation and man-in-the-middle (MitM) attacks.
Daniele Antonioli, who discovered the attacks, explains that BLUFFS exploits two previously unknown flaws in the Bluetooth standard related to how session keys are derived to decrypt data in exchange [….]
This is achieved by exploiting four flaws in the session key derivation process, two of which are new, to force the derivation of a short, thus weak and predictable session key (SKC).
Next, the attacker brute-forces the key, enabling them to decrypt past communication and decrypt or manipulate future communications.
In other words, your device is tricked into deriving a very short session key, which an attacker can brute-force in moments. That enables two types of attack:
- Device impersonation, where you think you are sending data to a known device (AirDropping something to a friend, for example) when you are really connected to an attacker’s device
- Man-in-the-Middle (MitM) attack, where you are sending data to the intended device, but the traffic passes through an attacker, who can read it and can also alter it in transit
All devices are vulnerable
Because the flaws are in the Bluetooth specification itself rather than in any one vendor's implementation (the attacks target the session-key derivation of Bluetooth Classic, BR/EDR), all devices implementing Bluetooth 4.2 (introduced in December 2014) through Bluetooth 5.4 (introduced in February 2023) are affected. This includes the latest iPhones, iPads and Macs.
There is nothing users can do to fix the vulnerabilities themselves. The fix has to come from device manufacturers changing how their Bluetooth stacks behave, for example by refusing to negotiate the short session keys and legacy key-derivation mode that exist for compatibility with older and cheaper devices. It is unclear whether patches can be released for existing devices.
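The pattern the Bleeping Computer excerpt describes (force a short, predictable session key, then brute-force it and decrypt past and future traffic) and the kind of check a manufacturer's fix has to add are shown below in a small Python model. This is an added illustration, not code from the article, from Eurecom's research or from any real Bluetooth stack: the key-length negotiation is simplified, SHA-256 stands in for Bluetooth's real key-derivation function and link-layer cipher, the phone and headset are hypothetical devices, the "AirDrop" message is constructed sample traffic, and the 7-octet floor the hardened stack enforces is an assumption for illustration (it matches the minimum key strength the Bluetooth SIG has recommended that implementations accept). What the model preserves is the property under attack: recovering an L-octet key costs 256**L trials, so an attacker who can push L down recovers the key immediately, and one who also controls the nonces gets the same key in every session.

```python
"""Toy model of a BLUFFS-style session-key downgrade, brute force and fix.

Constructed illustration only. The key-length negotiation is simplified,
SHA-256 stands in for Bluetooth's real key-derivation function and link-layer
cipher, and the traffic is made up. What it keeps is the property under
attack: recovering an L-octet session key costs 256**L trials, so an attacker
who can force L down recovers the key at once, and one who also controls the
nonces gets the same key in every session.
"""
import hashlib
import itertools
import os

MAX_KEY_OCTETS = 16      # Bluetooth encryption keys are at most 16 octets (128 bits)
HARDENED_MIN_OCTETS = 7  # assumed floor for a patched stack; see lead-in


def negotiate_key_octets(dev_a, dev_b, attacker_proposal=None, stack_min=1):
    """Return the negotiated key length in octets, or None if refused.

    Honest peers settle on the smaller of their maximum lengths. A
    man-in-the-middle on the link can replace that proposal with its own
    (attacker_proposal). stack_min is the floor the local stack enforces
    regardless of what the peer asks for: 1 in a vulnerable stack,
    HARDENED_MIN_OCTETS in a patched one.
    """
    proposal = min(dev_a["max"], dev_b["max"])
    if attacker_proposal is not None:
        proposal = attacker_proposal
    if proposal < max(dev_a["min"], dev_b["min"], stack_min):
        return None
    return proposal


def derive_session_key(link_key, nonce_a, nonce_b, octets):
    """Stand-in KDF: hash the pairing link key with both nonces, keep `octets` bytes."""
    full = hashlib.sha256(link_key + nonce_a + nonce_b).digest()
    return full[:octets]


def keystream_xor(session_key, data):
    """Stand-in stream cipher: keystream block i is SHA-256(session_key || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(session_key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def brute_force_key(octets, known_plaintext, known_ciphertext):
    """Try every `octets`-byte key against one known plaintext/ciphertext pair."""
    for candidate in itertools.product(range(256), repeat=octets):
        key = bytes(candidate)
        if keystream_xor(key, known_ciphertext) == known_plaintext:
            return key
    return None


def run_scenario(attacker_proposal=None, stack_min=1, attacker_nonces=False):
    """Two sessions between a phone and a headset (hypothetical devices)."""
    link_key = os.urandom(16)  # long-term key from pairing; the attacker never sees it
    phone = {"max": MAX_KEY_OCTETS, "min": 1}
    headset = {"max": MAX_KEY_OCTETS, "min": 1}
    octets = negotiate_key_octets(phone, headset, attacker_proposal, stack_min)
    if octets is None:
        return {"negotiated": None, "search_space": 0, "recovered": False, "key_reused": False}

    def session_key():
        # Honest peers contribute fresh randomness each session; an attacker who
        # controls the link can substitute constant values of its own choosing.
        nonce_a = bytes(8) if attacker_nonces else os.urandom(8)
        nonce_b = bytes(8) if attacker_nonces else os.urandom(8)
        return derive_session_key(link_key, nonce_a, nonce_b, octets)

    sk_now, sk_next = session_key(), session_key()
    plaintext = b"AirDrop: contact card for Alice"  # constructed sample traffic
    ciphertext = keystream_xor(sk_now, plaintext)
    recovered = None
    if octets <= 2:  # only run the search when it is small enough to finish here
        recovered = brute_force_key(octets, plaintext, ciphertext)
    return {
        "negotiated": octets,
        "search_space": 256 ** octets,
        "recovered": recovered == sk_now,
        "key_reused": sk_now == sk_next,
    }


if __name__ == "__main__":
    print("honest, vulnerable stack  :", run_scenario())
    print("downgrade to 1 octet      :", run_scenario(attacker_proposal=1, attacker_nonces=True))
    print("downgrade vs patched stack:", run_scenario(attacker_proposal=1, stack_min=HARDENED_MIN_OCTETS))
```

The hardened case is the interesting one for manufacturers: the same floor that makes the downgrade fail still lets two honest 16-octet devices connect, but it does break devices that can only offer a short key, which is the compatibility cost the article alludes to.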
Steps you can take to minimize risk
Best practice would be to keep Bluetooth turned off when you are out and about, except when it is actually needed: switching it on to use Bluetooth headphones, for example, and off again afterwards.
That is clearly inconvenient, so a more practical precaution for most people is to avoid sending anything sensitive via Bluetooth in a public place. This includes AirDropping personal photos or documents containing personal information.