cispa_all_3610.pdf (2.76 MB)

Blurtooth: Exploiting cross-transport key derivation in Bluetooth classic and Bluetooth low energy

conference contribution
posted on 2023-11-29, 18:20 authored by Daniele Antonioli, Nils Ole Tippenhauer, Kasper Rasmussen, Mathias Payer
Bluetooth is a pervasive wireless technology specified in an open standard. The standard defines Bluetooth Classic (BT) for high-throughput wireless services and Bluetooth Low Energy (BLE) for very low-power ones. The standard also specifies security mechanisms, such as pairing, session establishment, and cross-transport key derivation (CTKD). CTKD enables devices to establish BT and BLE security keys by pairing just once. CTKD was introduced in 2014 with Bluetooth 4.2 to improve usability. However, the security implications of CTKD were not studied carefully. This work demonstrates that CTKD is a valuable and novel Bluetooth attack surface. It enables, among others, exploiting BT and BLE just by targeting one of the two (i.e., Bluetooth cross-transport exploitation). We present the design of the first cross-transport attacks on Bluetooth. Our attacks exploit issues that we identified in the specification of CTKD. For example, we find that CTKD enables an adversary to overwrite pairing keys across transports. We leverage these vulnerabilities to impersonate, machine-in-the-middle, and establish unintended sessions with any Bluetooth device supporting CTKD. Since the presented attacks blur the security boundary between BT and BLE, we name them BLUR attacks. We provide a low-cost implementation of the attacks and test it on a broad set of devices. In particular, we successfully attack 16 devices with 14 unique Bluetooth chips from popular vendors (e.g., Cypress, Intel, Qualcomm, CSR, Google, and Samsung), with Bluetooth standard versions of up to 5.2. We discuss why the countermeasures in the Bluetooth standard are not effective against our attacks, and we develop and evaluate practical and effective alternatives.

History

Preferred Citation

Daniele Antonioli, Nils Tippenhauer, Kasper Rasmussen and Mathias Payer. Blurtooth: Exploiting cross-transport key derivation in Bluetooth classic and Bluetooth low energy. In: ACM ASIA Conference on Computer and Communications Security (AsiaCCS). 2022.

Primary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

ACM ASIA Conference on Computer and Communications Security (AsiaCCS)

Legacy Posted Date

2022-04-23

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3610,
  title     = "Blurtooth: Exploiting cross-transport key derivation in Bluetooth classic and Bluetooth low energy",
  author    = "Antonioli, Daniele and Tippenhauer, Nils Ole and Rasmussen, Kasper and Payer, Mathias",
  booktitle = "{ACM ASIA Conference on Computer and Communications Security (AsiaCCS)}",
  year      = "2022",
}
