Researchers discover two Bluetooth security flaws that can affect any device from 2014 on

This is one of those things that make you cringe and hope there’s a firmware update to resolve it in the works.

Two recently discovered Bluetooth security flaws allow attackers to hijack the connections of all devices using Bluetooth 4.2 to 5.4, a range that encompasses all devices released between late 2014 and now. AirDrop, which relies on Bluetooth, is affected as well.

Six separate exploits have been demonstrated, allowing both device impersonations and man-in-the-middle attacks.

How Bluetooth security works:
Bluetooth is intended to be a secure form of wireless communication, with a number of security features. An Apple support document describes six different elements of Bluetooth security.

Pairing: The process for creating one or more shared secret keys

Bonding: The act of storing the keys created during pairing for use in subsequent connections to form a trusted device pair

Authentication: Verifying that the two devices have the same keys

Encryption: Message confidentiality

Message integrity: Protection against message forgeries

Secure Simple Pairing: Protection against passive eavesdropping and protection against man-in-the-middle attacks

Because there are several generations of the Bluetooth Core Specification, the degree of security varies. The degree of protection users can expect also depends on the Bluetooth version supported by the oldest of the devices involved in a connection. The strength of the session keys is one key factor in the level of protection offered.

Researchers at Eurecom have developed six new attacks collectively named ‘BLUFFS’ that can break the secrecy of Bluetooth sessions, allowing for device impersonation and man-in-the-middle (MitM) attacks.

Daniele Antonioli, who discovered the BLUFFS attacks, identified two previously unknown flaws in the Bluetooth standard related to how the session keys used to encrypt exchanged data are derived. The attack succeeds by exploiting four flaws in the session key derivation process, two of which are new, to force the derivation of a short, and therefore weak and predictable, session key (SKC). The attacker can then brute-force that key, allowing them to decrypt past communications as well as decrypt or manipulate future communications.

As a result, the device is tricked into using a very weak session key that an attacker can easily break, enabling two types of attack:

Device impersonation, where you think you are sending data to a known device (AirDropping something to a friend, for example) when you are really connected to an attacker’s device

Man-in-the-Middle (MitM) attack, where you are sending data to the intended device, but the data is intercepted by an attacker so they get a copy too

Given that the flaws are present in the actual Bluetooth architecture, all devices between Bluetooth 4.2 and Bluetooth 5.4 are vulnerable, including the current iPhones, iPads, and Macs.

There’s currently nothing that can be done to fix these vulnerabilities, and device manufacturers will need to revise their Bluetooth security implementation, rejecting the lower-security modes used to communicate with older and cheaper devices. It’s unclear whether patches can be released for existing devices.

Best practices to minimize the risk of these attacks include keeping Bluetooth off when you are out and about, except when it is needed. This means turning it on when using Bluetooth headphones, for example, and turning it off again afterwards. Another practice is to avoid AirDropping personal photos, documents, or other personal information.

Stay tuned for additional details as they become available.

Via 9to5Mac, support.apple.com, and Bleeping Computer