Bluetooth is a pervasive wireless technology specified in an open standard. The standard defines Bluetooth Classic (BT) for high-throughput wireless services and Bluetooth Low Energy (BLE) for very low-power ones. The standard also specifies security mechanisms, such as pairing, session establishment, and cross-transport key derivation (CTKD). CTKD enables devices to establish BT and BLE security keys by pairing just once. CTKD was introduced in 2014 with Bluetooth 4.2 to improve usability. However, the security implications of CTKD were not studied carefully.
This work demonstrates that CTKD is a valuable and novel Bluetooth attack surface. Among other things, it enables exploiting both BT and BLE by targeting just one of the two (i.e., Bluetooth cross-transport exploitation). We present the design of the first cross-transport attacks on Bluetooth. Our attacks exploit issues that we identified in the specification of CTKD. For example, we find that CTKD enables an adversary to overwrite pairing keys across transports. We leverage these vulnerabilities to impersonate, machine-in-the-middle, and establish unintended sessions with any Bluetooth device supporting CTKD. Since the presented attacks blur the security boundary between BT and BLE, we name them BLUR attacks. We provide a low-cost implementation of the attacks and test it on a broad set of devices. In particular, we successfully attack 16 devices with 14 unique Bluetooth chips from popular vendors (e.g., Cypress, Intel, Qualcomm, CSR, Google, and Samsung), with Bluetooth standard versions of up to 5.2. We discuss why the countermeasures in the Bluetooth standard are not effective against our attacks, and we develop and evaluate practical and effective alternatives.
Preferred Citation: Daniele Antonioli, Nils Tippenhauer, Kasper Rasmussen and Mathias Payer. Blurtooth: Exploiting cross-transport key derivation in Bluetooth classic and Bluetooth low energy. In: ACM ASIA Conference on Computer and Communications Security (AsiaCCS). 2022.
Primary Research Area: Secure Connected and Mobile Systems
Name of Conference: ACM ASIA Conference on Computer and Communications Security (AsiaCCS)
Legacy Posted Date: 2022-04-23
Open Access Type: Unknown
BibTeX:
@inproceedings{cispa_all_3610,
  title     = "Blurtooth: Exploiting cross-transport key derivation in Bluetooth classic and Bluetooth low energy",
  author    = "Antonioli, Daniele and Tippenhauer, Nils Ole and Rasmussen, Kasper and Payer, Mathias",
  booktitle = "{ACM ASIA Conference on Computer and Communications Security (AsiaCCS)}",
  year      = "2022",
}