Visible to the public BIAS: Bluetooth Impersonation AttackS

TitleBIAS: Bluetooth Impersonation AttackS
Publication TypeConference Paper
Year of Publication2020
AuthorsAntonioli, D., Tippenhauer, N. O., Rasmussen, K.
Conference Name2020 IEEE Symposium on Security and Privacy (SP)
Keywordsattacks, authentication, authentication procedure, authorisation, BIAS attacks, Bluetooth, Bluetooth chips, Bluetooth devices, Bluetooth Impersonation AttackS, bluetooth security, Bluetooth standard, Bluetooth version, composability, cryptography, Human Behavior, impersonation, mandatory mutual authentication, mobile radio, performance evaluation, Protocols, pubcrawl, resilience, Resiliency, secure authentication procedure, secure connection establishment, slave impersonation attacks, Standards, telecommunication security, ubiquitous computing, wireless communication pervasive technology, wireless security
AbstractBluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure. We refer to our attacks as Bluetooth Impersonation AttackS (BIAS).Our attacks are standard compliant, and are therefore effective against any standard compliant Bluetooth device regardless the Bluetooth version, the security mode (e.g., Secure Connections), the device manufacturer, and the implementation details. Our attacks are stealthy because the Bluetooth standard does not require to notify end users about the outcome of an authentication procedure, or the lack of mutual authentication. To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.
DOI10.1109/SP40000.2020.00093
Citation Keyantonioli_bias_2020