Adversaries may impersonate legitimate devices and carry out man-in-the-middle (MitM) attacks using newly discovered security flaws in Bluetooth Core and Mesh Profile Specifications.
Devices that support the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure, according to a Carnegie Mellon CERT Coordination Center advisory released Monday.
The two Bluetooth specifications describe the standard for many-to-many communication over short-range wireless technology to make data transmission between devices in an ad hoc network easier.
The Bluetooth Impersonation Attacks, or BIAS, enable a malicious actor to create a secure link with a victim without knowing or authenticating the long-term key exchanged between the two victims, effectively bypassing Bluetooth’s authentication mechanism.
The Bluetooth Special Interest Group (Bluetooth SIG), which oversees the implementation of Bluetooth standards, also released security advisories earlier today, outlining fixes for each of the seven security vulnerabilities that affect the two vulnerable specifications.
The BIAS attacks are the first to reveal flaws in Bluetooth’s secure connection establishment authentication procedures, adversarial role transitions, and secure connections downgrades, according to the researchers.
The BIAS attacks are undetectable because the creation of a Bluetooth secure connection does not necessitate user interaction.
The researchers successfully conducted BIAS attacks against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR, to confirm that the BIAS attacks are effective.
Even when the victims are using Bluetooth’s highest security modes, such as SSP and Secure Connections, the attacks work. The attacks target the standardized Bluetooth authentication procedure, making them successful against any Bluetooth device that compliant with standard Bluetooth device, According to the researchers.
In addition, four different Bluetooth flaws in Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1 have been discovered. The following is a list of the Bluetooth flaws:
- CVE-2020-26555 – Impersonation in Bluetooth legacy BR/EDR pin-pairing protocol (Core Specification 1.0B through 5.2)
- CVE-2020-26558 – Impersonation in the Passkey entry protocol during Bluetooth LE and BR/EDR secure pairing (Core Specification 2.1 through 5.2)
- N/A – Authentication of the Bluetooth LE legacy pairing protocol (Core Specification 4.0 through 5.2)
- CVE-2020-26556 – Malleable commitment in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
- CVE-2020-26557 – Predictable AuthValue in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
- CVE-2020-26559 – Bluetooth Mesh Profile AuthValue leak (Mesh profile 1.0 and 1.0.1)
- CVE-2020-26560 – Impersonation attack in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
The Android Open-Source Project (AOSP) is working on releasing security updates to fix the CVE-2020-26555 and CVE-2020-26558 vulnerabilities.
AOSP provided a statement to CERT/CC that Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin.
Cisco is now working to fix the CVE-2020-26555 and CVE-2020-26558 vulnerabilities that have affected its devices.
These vulnerabilities are being tracked by Cisco via incident PSIRT-0503777710, the company said.
You might also like: E-commerce giant Mercari data breach: several data exposed