Cybercriminals could exploit several vulnerabilities in Bluetooth to carry out impersonation attacks and masquerade as a legitimate device during the pairing process, according to the Bluetooth Special Interest Group (SIG).
The security flaws, which affect the Bluetooth Core and Mesh Profile specifications, were discovered by researchers at France’s national cybersecurity agency ANSSI.
“The researchers identified that it was possible for an attacker acting as a MITM [Man-in-the-Middle] in the Passkey authentication procedure to use a crafted series of responses to determine each bit of the randomly generated Passkey selected by the pairing initiator in each round of the pairing procedure, and once identified, to use these Passkey bits during the same pairing session to successfully complete the authenticated pairing procedure with the responder,” reads Bluetooth SIG’s security notice.
To successfully carry out the attack, the perpetrator would have to be within wireless range of two vulnerable Bluetooth-enabled devices engaged in the pairing procedure. Once the authentication process is completed, the responder device will be authenticated with the attacker instead of the initiator. However, the attacker won’t be able to use this method to pair with the initiating device.
The US CERT Coordination Center (CERT/CC) released additional details about the vulnerabilities, explaining that an attacker could exploit the flaws to complete the pairing protocol and encrypt communications using a known link key, authenticate without the AuthValue or even brute-force it.
Patches on the way
Software and firmware updates are expected to be rolled out over the coming weeks, so users should be on the lookout for fixes from affected vendors.
Speaking of which, the Android Open Source Project, Cisco, Microchip Technology, Cradlepoint, Intel, and Red Hat are among the organizations identified by CERT/CC as affected by at least some of the vulnerabilities. The first three have issued statements confirming that they are working on releasing patches or mitigations for the security flaws, while the rest have yet to speak on the issue.
There is no word on whether the bugs have been exploited in the wild.
SIG has shared its own set of recommendations addressing the vulnerabilities and it is urging vendors to release patches post-haste.