Adversaries could exploit newly discovered security weaknesses in Bluetooth Core and Mesh Profile Specifications to masquerade as legitimate devices and carry out man-in-the-middle (MitM) attacks.
"Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing," the Carnegie Mellon CERT Coordination Center said in an advisory published Monday.
The two Bluetooth specifications define the standard that allows for many-to-many communication over the short-range wireless technology to facilitate data transfer between devices in an ad-hoc network.
The Bluetooth Impersonation AttackS, aka BIAS, enable a malicious actor to establish a secure connection with a victim, without having to know and authenticate the long-term key shared between the victims, thus effectively bypassing Bluetooth's authentication mechanism.
"The BIAS attacks are the first uncovering issues related to Bluetooth's secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades," the researchers said. "The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction."
"To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR."
In addition, four separate flaws have been uncovered in Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1. A summary of the flaws is as follows:
- CVE-2020-26555 - Impersonation in Bluetooth legacy BR/EDR pin-pairing protocol (Core Specification 1.0B through 5.2)
- CVE-2020-26558 - Impersonation in the Passkey entry protocol during Bluetooth LE and BR/EDR secure pairing (Core Specification 2.1 through 5.2)
- N/A - Authentication of the Bluetooth LE legacy pairing protocol (Core Specification 4.0 through 5.2)
- CVE-2020-26556 - Malleable commitment in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
- CVE-2020-26557 - Predictable AuthValue in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
- CVE-2020-26559 - Bluetooth Mesh Profile AuthValue leak (Mesh profile 1.0 and 1.0.1)
- CVE-2020-26560 - Impersonation attack in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
"Our attacks work even when the victims are using Bluetooth's strongest security modes, e.g., SSP and Secure Connections. Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device," the researchers said.
The Android Open Source Project (AOSP), Cisco, Cradlepoint, Intel, Microchip Technology, and Red Hat are among the identified vendors with products impacted by these security flaws. AOSP, Cisco, and Microchip Technology said they are currently working to mitigate the issues.
"Cradlepoint was notified of the BLE vulnerabilities prior to public disclosure. We have a production release of our NetCloud OS code available (NCOS version 7.21.40) that fixes the cited issues," the company told The Hacker News over email. "As a result, we consider this security vulnerability remediated."
The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has also issued security notices for each of the six flaws. Bluetooth users are advised to install the latest recommended updates from device and operating system manufacturers as and when they become available.