Some iPhones, iPads, and Macs are vulnerable to short-range attacks via Bluetooth which could fool them into thinking they are connected to a trusted device. That would then enable an attacker to both send and request data via Bluetooth.
The same security vulnerability is found in a wide range of chips from Intel, Qualcomm, and Samsung, meaning that a large number of non-Apple devices are also affected …
The vulnerability relies on impersonating a previously-paired device and is thus dubbed Bluetooth Impersonation AttackS (BIAS).
Worryingly, BIAS attacks can impersonate either a ‘slave’ or ‘master’ device, meaning that the target device can be asked to either send data or, as in the case of a Bluetooth keyboard, accept it.
The attack works against any device which uses the Bluetooth Classic protocol. This covers some relatively recent Apple devices, among them:
- iPhone 8 or older
- 2018 iPad or older
- 2017 MacBook Pro or older
It also works against many smartphones from Google, LG, Motorola, Nokia, and Samsung.
Attacks can be carried out using low-cost equipment, including a Raspberry Pi.
The details are rather technical and are explained in the researchers' paper. There is also a one-minute overview video, which you can watch below.
Our attacks are standard-compliant, and can be combined with other attacks, including the KNOB attack. In the paper, we also describe a low cost implementation of the attacks and our evaluation results on 30 unique Bluetooth devices using 28 unique Bluetooth chips.
Bluetooth Classic (also called Bluetooth BR/EDR) is a wireless communication protocol commonly used between low-power devices to transfer data, e.g., between a wireless headset and a phone, or between two laptops. Bluetooth communications might contain private and/or sensitive data, and the Bluetooth standard provides security features to protect against someone who wants to eavesdrop and/or manipulate your information.
We found and exploited a severe vulnerability in the Bluetooth BR/EDR specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker can impersonate a device towards the host after both have previously been successfully paired in the absence of the attacker.
The essence is this: the attacker claims to be a previously trusted device, and also claims to support only the lowest level of Bluetooth security, unilateral authentication. Your device agrees to take charge of authenticating the remote device, but the attacker then asks to switch roles so that it, rather than your device, runs the authentication step (a feature known as role-switching). Due to a bug in the protocol, your device simply agrees. The attacker then declares that authentication succeeded, and your device trusts it.
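To make that downgrade concrete, here is a toy model of the negotiation just described; it is an added example, not code from the researchers or from this article. It assumes HMAC-SHA256 as a stand-in for Bluetooth's E1 authentication function, reduces the message flow to the elements named in the text, and uses a `require_mutual_auth` flag to represent the specification change that stops a device from accepting the less secure mode.

```python
import hashlib, hmac, os

def auth_response(link_key: bytes, challenge: bytes) -> bytes:
    # Stand-in for Bluetooth's E1 authentication function (assumption: HMAC-SHA256).
    return hmac.new(link_key, challenge, hashlib.sha256).digest()

class PairedPeer:
    """Genuine previously paired device: holds the link key, offers mutual authentication."""
    offers_mutual_auth = True
    requests_role_switch = False
    def __init__(self, link_key: bytes): self.link_key = link_key
    def respond(self, challenge: bytes) -> bytes: return auth_response(self.link_key, challenge)

class Impersonator:
    """Constructed peer presenting the paired device's identity but holding no link key."""
    offers_mutual_auth = False        # claims to support only unilateral authentication
    requests_role_switch = True       # asks to become the verifier (role switch)
    def respond(self, challenge: bytes) -> bytes: return bytes(32)  # cannot compute a valid answer
    def challenge(self) -> bytes: return os.urandom(16)
    def announce_result(self) -> bool: return True                 # simply asserts "authentication OK"

class Device:
    """The target. require_mutual_auth=True models the corrected policy the SIG describes."""
    def __init__(self, link_key: bytes, require_mutual_auth: bool):
        self.link_key, self.require_mutual_auth = link_key, require_mutual_auth

    def verify(self, peer) -> bool:
        # This device acts as verifier: only a holder of the link key can answer its challenge.
        challenge = os.urandom(16)
        return hmac.compare_digest(peer.respond(challenge), auth_response(self.link_key, challenge))

    def accept_connection(self, peer) -> bool:
        if self.require_mutual_auth or peer.offers_mutual_auth:
            return self.verify(peer)        # the target always checks the peer itself
        # Legacy unilateral authentication: only one side verifies.  If the target lets the
        # peer take that role, the target merely proves itself and then trusts the peer's verdict.
        if peer.requests_role_switch:
            auth_response(self.link_key, peer.challenge())   # target answers the peer's challenge
            return peer.announce_result()
        return self.verify(peer)

def run_scenario(require_mutual_auth: bool) -> dict:
    link_key = os.urandom(16)   # constructed link key established at pairing time
    target = Device(link_key, require_mutual_auth)
    return {"paired_device": target.accept_connection(PairedPeer(link_key)),
            "impersonator": target.accept_connection(Impersonator())}

if __name__ == "__main__":
    print("vulnerable policy:", run_scenario(False))   # impersonator accepted
    print("corrected policy:", run_scenario(True))     # impersonator rejected
```

The point of the two runs is that the genuine peer passes under both policies, so refusing the downgrade costs nothing for legitimately paired devices while closing the path the impersonator relies on.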
The research team disclosed their findings to the Bluetooth Special Interest Group (Bluetooth SIG) – the standards organization that oversees the development of Bluetooth standards – in December of last year, and held back on public disclosure until now in order to allow workarounds to be developed.
The Bluetooth SIG says that it will be updating the Bluetooth Core Specification to block a key element of the attack process (preventing the target device from agreeing to a less secure protocol), and in the meantime is encouraging manufacturers to issue a security patch to make the attack less likely to succeed.
BIAS would require relatively targeted attacks from someone within Bluetooth range. If you are concerned you may be targeted in this way, best practice would be to keep Bluetooth turned off when you are not using it. A paranoid user would also instruct their device to forget Bluetooth devices immediately after using them, and to repeat the pairing each time.