Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure. We refer to our attacks as Bluetooth Impersonation AttackS (BIAS). Our attacks are standard compliant, and are therefore effective against any standard compliant Bluetooth device regardless the Bluetooth version, the security mode (e.g., Secure Connections), the device manufacturer, and the implementation details. Our attacks are stealthy because the Bluetooth standard does not require to notify end users about the outcome of an authentication procedure, or the lack of mutual authentication. To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.
History
Preferred Citation
Daniele Antonioli, Nils Tippenhauer and Kasper Rasmussen. BIAS: Bluetooth Impersonation AttackS. In: IEEE Symposium on Security and Privacy (S&P). 2020.
Primary Research Area
Secure Connected and Mobile Systems
Secondary Research Area
Threat Detection and Defenses
Name of Conference
IEEE Symposium on Security and Privacy (S&P)
Legacy Posted Date
2020-04-15
Open Access Type
Green
BibTeX
@inproceedings{cispa_all_3064,
title = "BIAS: Bluetooth Impersonation AttackS",
author = "Antonioli, Daniele and Tippenhauer, Nils Ole and Rasmussen, Kasper",
booktitle="{IEEE Symposium on Security and Privacy (S&P)}",
year="2020",
}