Researchers hack encrypted Bluetooth connections

6 December 2023
| No comments
B2B Cyber ​​Security ShortNews

Share post

Researchers at Eurecom University in the south of France have discovered Bluetooth vulnerabilities and developed attacks for them. The so-called “BLUFFS” can be used to break into Bluetooth sessions, spoof the device identity and carry out man-in-the-middle attacks.

The “BLUFFS” attacks by Eurecom researchers are tough: they rely on vulnerabilities in the structure of Bluetooth. Daniele Antonioli, Assistant Professor at Eurecom University, has discovered the possibilities for Bluetooth attacks that exploit previously unknown vulnerabilities in the Bluetooth standard. The vulnerabilities relate to how session keys are derived to decrypt data in exchange.

Vulnerabilities in the Bluetooth architecture

The defects found are not specific to hardware or software configurations, but rather architectural in nature to Bluetooth. The issues are tracked under CVE-2023-24023 and impact Bluetooth Core Specification 4.2 to 5.4.

Given the widespread use of the established wireless communications standard and the versions affected by the exploits, the potential BLUFFS attacks could target billions of devices, including laptops, smartphones and other mobile devices.

This is how the BLUFFS attacks work

The BLUFFS attacks consist of a series of exploits aimed at disrupting Bluetooth sessions. This will endanger the secrecy between devices with Bluetooth connections in the future. This is achieved by exploiting four flaws in the session key derivation process, two of which are new, to force the derivation of a short, therefore weak and predictable session key (SKC). The attacker then enforces the key through brute force attacks, allowing the decryption of past communications as well as the decryption or manipulation of future communications. Executing the attack requires that the attacker is within Bluetooth range of the two targets.

The researchers have developed and shared on GitHub a toolkit that demonstrates the effectiveness of BLUFFS. It includes a Python script to test the attacks, the ARM patches, the parser, and the PCAP samples captured during their testing. The BLUFFS vulnerabilities affect Bluetooth 4.2, released in December 2014, and all versions up to the latest version, Bluetooth 5.4, released in February 2023.

More on Github.io

 

Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more

Short news
, , , ,