Researchers at EURECOM have recently discovered a new attack technique called BLUFFS (Bluetooth Forward and Future Secrecy), which exploits previously unknown vulnerabilities in the Bluetooth specification.

Description

These vulnerabilities, identified as CVE-2023-24023 [1] [2] [3] [5] [6], impact Bluetooth versions 4.2 to 5.4 and specifically target devices that support Secure Connections Pairing and Secure Simple Pairing. BLUFFS manipulates the key exchange during Bluetooth connection establishment [1], forcing the derivation of a weak session key. An attacker within radio range can then decrypt transmitted data by brute-forcing that weakened key [1]. Furthermore, the attack breaks forward secrecy (past sessions) and future secrecy, enabling interception of subsequent connections between the same devices [1].

The LSC (Legacy Secure Connections) protocol has been found to be particularly vulnerable to this attack, affecting devices such as Bose SoundLink headphones [1], the Apple iPhone 13 [1], and the Lenovo ThinkPad X1 [1].

To mitigate these vulnerabilities [1] [7], it is recommended to refuse connections whose encryption key strength is below 7 octets and to activate Secure Connections Only Mode [7]. The Bluetooth Special Interest Group (SIG) acknowledges the seriousness of these attacks and advises manufacturers to implement effective countermeasures: rejecting service-level connections with weak key strengths and operating in “Secure Connections” mode [2] [3] [4]. Note, however, that some implementations still accept encryption key lengths below 7 octets, so the recommended minimum is not enforced everywhere.

The Bluetooth SIG also suggests adopting stricter security standards to strengthen the generated keys without affecting compatibility with older standards. While such solutions and improvements have been proposed, they have not yet been implemented.

Conclusion

The BLUFFS attack technique poses a significant threat to Bluetooth devices that support Secure Connections Pairing and Secure Simple Pairing. It compromises the security of the session key, allowing for decryption of transmitted data and interception of future connections. Mitigations include refusing connections with weak encryption key strengths and activating Secure Connections Only Mode [7]. The Bluetooth Special Interest Group advises manufacturers to implement effective countermeasures and suggests stricter security standards to strengthen generated keys. However, it is important to note that some implementations still have vulnerabilities. Future implementation of proposed solutions and improvements is necessary to enhance Bluetooth security.

References

[1] https://www.gamingdeputy.com/bluetooth-encryption-compromised-by-new-vulnerability/
[2] https://thehackernews.com/2023/12/new-bluffs-bluetooth-attack-expose.html
[3] https://vulners.com/thn/THN:EA688F534106E8A3A516045F0CB65E46
[4] https://rhyno.io/bluffs-bluetooth-attack-is-putting-devices-at-risk/
[5] https://forums.guru3d.com/threads/researcher-uncovers-critical-bluetooth-vulnerabilities-impacting-versions-4-2-to-5-4.450324/
[6] https://cyber.vumetric.com/security-news/2023/12/04/new-bluffs-bluetooth-attack-expose-devices-to-adversary-in-the-middle-attacks/
[7] https://www.guru3d.com/story/researcher-uncovers-critical-bluetooth-vulnerabilities-impacting-versions-42-to-54/