A research team has reportedly disclosed a new vulnerability that could allow attackers to spoof a modern Bluetooth device into pairing with a malicious device masquerading as trusted. Essentially, a BIAS attack exploits a vulnerability in how Bluetooth devices handle long-term connections. When two Bluetooth devices are paired, they agree on a “link key” so they can reconnect to each other without going through the pairing process.
The security flaw, dubbed the Bluetooth Impersonation Attack (BIAS) by the team, affects a range of devices that use Bluetooth, including iPhones, iPads and Macs.
Researchers at the Swiss Federal Institute of Technology in Lausanne found that they were able to spoof the Bluetooth address of a previously paired device to complete the authentication process without knowing the link key.
More specifically, the vulnerability kicks in when the attacking device pretends to be a previously trusted device that only supports one-sided authentication – the lowest security setting in Bluetooth. Typically, the user’s device will be the one that verifies that the connection is valid. However, by using a tactic known as “role switching,” an attacker can spoof authentication and establish a secure connection to the user’s device.
Combined with other Bluetooth vulnerabilities, such as Bluetooth Key Negotiation (KNOB), attackers can compromise devices operating in secure authentication mode. Once a BIAS attack is successful, the compromised device can be used for other exploits, including accessing data sent over Bluetooth, and even controlling functions possessed by previously paired devices.
Since Bluetooth connections generally do not require explicit user interaction, BIAS and KNOB attacks are also stealthy and can be performed without the user’s knowledge.
Who is at risk of a BIAS attack?
This flaw only affects Bluetooth Basic Rate/Enhanced Data Rate, aka Classic Bluetooth. But this still leaves relatively new Apple devices vulnerable, including iPhone 8 and above, 2017 MacBook devices and above, and 2018 iPad models and above.
In order to carry out an attack, a bad actor needs to be within Bluetooth range of a vulnerable device and know the Bluetooth address of a previously paired device. Finding these bluetooth addresses is relatively trivial, even random, for a skilled attacker.
Don’t worry too much, manufacturers such as Apple and Samsung are likely to release firmware or software patches in the near future to complement the repair measures.
Welcome to the public account of “Information Technology and Network Security”!