Hackers Can Impersonate Bluetooth Devices to Steal Users’ Personal Data: Is This a Threat to You?


A group of security researchers has disclosed a severe vulnerability in Bluetooth connection establishment that can let an attacker impersonate a previously paired Bluetooth master or slave device to its peer.

The so-called Bluetooth Impersonation AttackS, or BIAS, were described in a paper by Daniele Antonioli from École Polytechnique Fédérale de Lausanne, Kasper Rasmussen from the University of Oxford, and Nils Ole Tippenhauer from the CISPA Helmholtz Center for Information Security, published on May 18, 2020.

Every Tested Bluetooth Chip Was Vulnerable to BIAS Attacks

To investigate Bluetooth security, the researchers performed BIAS attacks on around 30 unique Bluetooth chips from manufacturers including Cypress, Qualcomm, Apple, Intel, Samsung, and CSR, and every tested device was vulnerable. The attacks target Bluetooth Classic (BR/EDR), the profile used by headsets, keyboards and file transfer between phones and laptops; Bluetooth Low Energy uses a different pairing and authentication procedure and is not covered by this work.

Antonioli explained to forklog.media that these attacks allow an adversary to impersonate any Bluetooth device during secure session establishment, without having to attack Bluetooth pairing itself. Antonioli continued:

“This is an issue because, while pairing, the victim devices establish a long-term key that should protect them against impersonation attacks. However, with the BIAS attacks, we can bypass being asked to prove possession of such a key and impersonate any target device, including laptops, smartphones, headsets, and IoT devices.”

The research showed that during a BIAS attack the attacker can obtain whatever data the victim would send to the device being impersonated. “If the attacker impersonates a laptop to a smartphone and the victim sends a file containing sensitive information from the smartphone to the impersonated laptop, then the attacker gets access to that sensitive file,” Antonioli said.

The researchers noted that the analysis was conducted in December 2019, and warned that devices whose Bluetooth firmware or software has not been updated since then are likely still exposed to these attacks.

Is There a Way to Protect User Devices?

To get a practitioner's view, forklog.media contacted a senior software engineer and system architect, who asked to remain anonymous for corporate reasons. In their view, the only way to protect user devices from this kind of attack at this point is to turn Bluetooth off whenever the device leaves a trusted physical environment.

This only helps, they noted, if the device manufacturer actually powers down the Bluetooth radio in response to that command rather than merely hiding it from the user interface.

“There are also hypothetical options to put stricter constraints on Bluetooth connectivity, but a quick glance through the Bluetooth-capable devices at hand confirmed my initial suspicion that those are not supported,” the source added.

Antonioli stated that the paper proposes a number of countermeasures, including mandatory mutual authentication and enforcement of strong security modes, and added:

“Unfortunately, updating a document does not mean that all devices implementing that document are safe. Large-scale protection against the BIAS attacks is hard to realize in practice as it requires patching billions of devices. As we’ve already seen with the KNOB [Key Negotiation of Bluetooth] attack, most devices are not going to receive any patch or cannot even be patched remotely.”
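To make concrete both the weakness Antonioli describes above (the attacker is never asked to prove possession of the long-term key) and the mandatory mutual authentication the paper proposes as a countermeasure, here is an abstract model added for this article. It is not the researchers' code and does not implement the real Bluetooth E1 authentication function: HMAC-SHA256 stands in for E1, the challenge-response is reduced to its role logic, and the device names, addresses and link key are constructed for the example. It shows an attacker holding no key spoofing the paired peer's address and steering the victim into the claimant role, so the victim is never the side doing the checking; with mutual authentication the same attacker fails.

```python
import hashlib
import hmac
import os
from typing import Optional


def sres(link_key: bytes, challenge: bytes, claimant_addr: bytes) -> bytes:
    """Stand-in for Bluetooth's E1(link_key, AU_RAND, BD_ADDR) -> SRES.
    Real E1 is SAFER+-based; HMAC-SHA256 is used here only as an abstraction."""
    return hmac.new(link_key, challenge + claimant_addr, hashlib.sha256).digest()[:4]


class Device:
    """A Bluetooth device holding (or, for the attacker, lacking) the shared link key."""

    def __init__(self, name: str, addr: bytes, link_key: Optional[bytes]):
        self.name = name
        self.addr = addr            # BD_ADDR; the attacker spoofs the paired peer's address
        self.link_key = link_key    # None: never paired with the victim, cannot compute SRES

    def challenge(self) -> bytes:
        return os.urandom(16)       # AU_RAND

    def respond(self, challenge: bytes) -> bytes:
        if self.link_key is None:
            return os.urandom(4)    # attacker can only guess; wrong with overwhelming probability
        return sres(self.link_key, challenge, self.addr)

    def verify(self, claimant: "Device", challenge: bytes, response: bytes) -> bool:
        if self.link_key is None:
            # The attacker in the verifier role checks nothing and simply "accepts".
            # Being the verifier costs it nothing, which is what BIAS exploits.
            return True
        expected = sres(self.link_key, challenge, claimant.addr)
        return hmac.compare_digest(expected, response)


def run_authentication(victim: Device, peer: Device, victim_role: str, mutual: bool) -> bool:
    """Return True if the victim finishes authentication believing the peer holds the
    link key. In legacy (unilateral) mode only the master challenges the slave; in
    mutual mode each side challenges the other and either failure aborts."""
    if mutual or victim_role == "master":
        c = victim.challenge()
        if not victim.verify(peer, c, peer.respond(c)):
            return False
    if mutual or victim_role == "slave":
        c = peer.challenge()
        if not peer.verify(victim, c, victim.respond(c)):
            return False
    return True


def bias_legacy_attack(victim: Device, attacker: Device, impersonated_role: str,
                       mutual: bool = False) -> bool:
    """Model of the BIAS attack on legacy authentication. Impersonating the master,
    the attacker is already the verifier. Impersonating the slave, it requests a
    role switch first, so in both cases the victim ends up as the slave (claimant)
    and is never the one who checks a response."""
    if impersonated_role == "slave":
        # Victim would be master and would challenge us: request a role switch.
        victim_role = "slave"
    else:
        victim_role = "slave"
    return run_authentication(victim, attacker, victim_role, mutual)


# Constructed sample devices (hypothetical names, addresses and key).
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PHONE = Device("victim-phone", bytes.fromhex("aabbccddeeff"), LINK_KEY)
LAPTOP = Device("paired-laptop", bytes.fromhex("112233445566"), LINK_KEY)
ATTACKER = Device("attacker", LAPTOP.addr, None)   # spoofs the laptop's BD_ADDR, has no key

if __name__ == "__main__":
    print("genuine laptop, legacy auth: ", run_authentication(PHONE, LAPTOP, "master", False))
    print("attacker, phone is verifier: ", run_authentication(PHONE, ATTACKER, "master", False))
    print("BIAS as master, legacy auth: ", bias_legacy_attack(PHONE, ATTACKER, "master"))
    print("BIAS as slave, legacy auth:  ", bias_legacy_attack(PHONE, ATTACKER, "slave"))
    print("BIAS as slave, mutual auth:  ", bias_legacy_attack(PHONE, ATTACKER, "slave", mutual=True))
```

The model deliberately leaves out the Secure Connections downgrade and the key-size negotiation the paper also discusses; its single point is that in a unilateral protocol the party that chooses to verify is never itself verified, so the fix must make the victim check the peer regardless of which role it ends up in.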

Is User Protection a Big Problem for Device Manufacturers?

Asked whether device manufacturers will act to protect users from BIAS attacks, forklog.media’s source assumed this should not be a big problem for all, or at least most, makers of laptops, smartphones, and USB Bluetooth adapters.

This is because, “within those, the Bluetooth protocol’s features are mostly implemented in relatively hardware-independent software, while the chips themselves are little more than glorified antennas. Thus, writing a corresponding fix should not be a major issue.” The source concluded:

“Now, whether any company would actually care enough to implement the necessary security updates? With major companies, such as Apple, Google/Alphabet, Intel and Microsoft, this shouldn’t be an issue: generally, fixes such as the one in question are routinely implemented as a matter of course, and most large corporations could also well be expected to act in a similar vein. As for other, smaller companies outside the giants’ ecosystems, it would really depend on the economic impact and on the weight of public outreach.”

Meanwhile, Bluetooth-focused attacks have become increasingly common. Some go beyond stealing personal information and can even put people’s physical safety at risk.

For example, Matt Wixey, research lead for the PwC UK Cyber Security practice, found that attackers can take control of the speaker and volume controls of various devices over Bluetooth and drive them to extreme volumes that can potentially harm a person’s health.

Written by Ana Alexandre
