Your Devices May Be Vulnerable to BIAS Bluetooth Attack: Report

A Bluetooth flaw could leave your phone at risk, and all devices appear to have this vulnerability. Researchers found a vulnerability they named Bluetooth Impersonation AttackS (BIAS) that can allow someone to gain access to a target device (such as a smartphone or laptop) by impersonating the identity of a previously paired device. The researchers found the vulnerability in December 2019 and informed the Bluetooth Special Interest Group (Bluetooth SIG) — the standards organisation that oversees Bluetooth — about it. However, the issue has not been fully remedied, as Bluetooth SIG has so far “encouraged” fixes from manufacturers and recommended that users get the latest updates for their devices.

The research team said that the attack was tested against a wide range of devices, including smartphones from manufacturers like Apple, Samsung, Google, Nokia, LG, and Motorola, laptops from HP and Lenovo, the Apple MacBook, headphones from Philips and Sennheiser, as well as iPads. They tried a BIAS attack on 31 Bluetooth devices with 28 unique Bluetooth chips from Apple, Qualcomm, Intel, Cypress, Broadcom, and others. All of the 31 attacks were successful. “Our attacks allow to impersonate Bluetooth master and slave devices and establish secure connections without knowing the long term key shared between the victim and the impersonated device,” the researchers stated. They added that the attack exploits the lack of integrity protection, encryption, and mutual authentication in the Bluetooth standard.

What is BIAS?

Researchers Daniele Antonioli, Kasper Rasmussen, and Nils Ole Tippenhauer have noted that BIAS is a vulnerability in the Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) wireless technology, also called Bluetooth Classic. This technology is the standard for a wireless personal area network. A Bluetooth connection usually involves a host and a client device. When two devices are paired for the first time, a shared long-term key is generated, which allows subsequent Bluetooth connections between the two devices to proceed without pairing again. Even though the Bluetooth standard provides security features to protect against eavesdropping and manipulation of information, a BIAS attack can impersonate the address of a previously paired device and connect without authenticating, since the target treats it as a device it has already paired with.

Once connected, the attacker has access to the target device over a Bluetooth connection. This in turn opens the door to further attacks on the targeted device. Additionally, the researchers noted that since the attack is standard compliant, it is effective against both Legacy Secure Connections and Secure Connections, meaning all devices are vulnerable to this attack.

However, for this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR bonding with a remote device with a Bluetooth address known to the attacker, Bluetooth SIG noted.

What can users do?

According to the GitHub page of the BIAS attack, this vulnerability was reported to the Bluetooth Special Interest Group (Bluetooth SIG) – the organisation that oversees the development of the Bluetooth standard – in December 2019. At the time of disclosure, the research team tested chips from Cypress, Qualcomm, Apple, Intel, Samsung, and CSR, and all of them were found to be vulnerable to the BIAS attack. The researchers stated that some vendors may have implemented workarounds on their devices since then, so a device that has not been updated after December 2019 may still be vulnerable.

Bluetooth SIG also gave a statement in response to this vulnerability and said that it is working on a remedy. Bluetooth SIG is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication in legacy authentication, and to recommend checks for the encryption type to avoid a downgrade of Secure Connections to legacy encryption. These changes will be introduced in a future specification revision, it said.

It added, “The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.”