Security Researchers Discover New BIAS Vulnerability in Bluetooth Protocol

Security researchers have discovered a new vulnerability in the Bluetooth wireless protocol, which is used to interconnect modern devices like smartphones, laptops, IoT devices, and other smart devices.

In their statement, the researchers explain that the vulnerability is dubbed BIAS (Bluetooth Impersonation Attacks) and that the attacking device needs to be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR connection with a Bluetooth address known to the attacker.

The researchers found that it is possible for an attacking device to spoof the address of a previously bonded remote device to complete the authentication procedure with previously paired devices, without the link key.

Explaining the BIAS attack, the CERT Coordination Center said: “An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key. The BIAS attack could be combined with the Key Negotiation of Bluetooth (KNOB) attack to impersonate a Bluetooth device, complete authentication without possessing the link key, negotiate a session key with low entropy, establish a secure connection, and brute force the session key.”

Following initial bonding, hackers can fake the identity of previously paired devices and successfully connect without having to know the long-term pairing key that was established. From here, they can access data from a targeted device or take control of one.

The BIAS attack was tested on more than 28 unique Bluetooth chips manufactured by a wide range of companies including Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All 30 devices tested by the academics were vulnerable.

“At the time of writing, we were able to test [Bluetooth] chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack,” researchers said.

“Because this attack affects basically all devices that ‘speak Bluetooth,’ we performed a responsible disclosure with the Bluetooth Special Interest Group (Bluetooth SIG) – the standards organisation that oversees the development of Bluetooth standards – in December 2019 to ensure that workarounds could be put in place,” the team added.

Bluetooth SIG, which oversees the Bluetooth standard, said it is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication, and to recommend checks of the encryption type so that a secure connection cannot be downgraded.
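To make the CERT description and the SIG changes concrete, here is an added illustrative model, written for this article and not code from the researchers, the SIG, or any Bluetooth stack. It is a deliberately simplified, hypothetical host policy: `legacy_policy` captures why a unilateral authentication lets a peer connect without proving link-key knowledge, and `hardened_policy` applies the kinds of checks the article lists (mutual authentication, no role switch before authentication, no downgrade from Secure Connections, and a minimum key length as a nod to KNOB). The field names, the `MIN_KEY_BYTES` policy value and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    MASTER = "master"
    SLAVE = "slave"


class Pairing(Enum):
    LEGACY = "legacy"           # legacy secure authentication: unilateral
    SECURE_CONNECTIONS = "sc"   # Secure Connections: mutual authentication


@dataclass
class Bond:
    """What the local host stored when the remote was originally paired."""
    address: str
    pairing: Pairing


@dataclass
class Reconnect:
    """A reconnection attempt from a peer claiming `address` (constructed, hypothetical fields)."""
    address: str
    pairing: Pairing
    local_role: Role               # role the local device holds after any role switch
    peer_answered_challenge: bool  # remote produced a valid response to OUR challenge
    role_switch_before_auth: bool  # remote switched roles before authentication finished
    key_bytes: int                 # negotiated encryption key length in bytes


MIN_KEY_BYTES = 16  # policy value chosen for this model, not a specification constant


def legacy_policy(bond: Bond, req: Reconnect) -> bool:
    """Simplified model of the weakness BIAS relies on: only the master verifies the
    slave, so a local device pushed into the slave role never checks the peer."""
    if req.address != bond.address:
        return False
    if req.local_role is Role.MASTER:
        return req.peer_answered_challenge
    return True  # slave side accepts without the peer proving link-key knowledge


def hardened_policy(bond: Bond, req: Reconnect) -> tuple[bool, str]:
    """Checks in the spirit of the SIG changes quoted above; every path must prove the key."""
    if req.address != bond.address:
        return False, "address not bonded"
    if bond.pairing is Pairing.SECURE_CONNECTIONS and req.pairing is Pairing.LEGACY:
        return False, "downgrade from Secure Connections refused"
    if req.role_switch_before_auth:
        return False, "role switch before authentication refused"
    if not req.peer_answered_challenge:  # required regardless of local role
        return False, "peer did not prove link-key knowledge"
    if req.key_bytes < MIN_KEY_BYTES:
        return False, "session key too short"
    return True, "accepted"
```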