Updated on May 21, 2021, 1:30pm to include a statement from Cradlepoint
Serious security vulnerabilities have been found in Bluetooth Core and Mesh Profile Specifications, which allow hackers to impersonate legitimate devices and carry on Man-in-the-Middle(MITM) attacks.
Researchers from Agence nationale de la sécurité des systèmes d'information (ANSSI) disclosed several vulnerabilities in the two Bluetooth specifications used for low-energy and Internet of Things (IoT) devices or and many-to-many (m:m) device communication for large-scale networks.
Both the Bluetooth Core and Mesh specifications define the technical and policy requirements for devices that want to operate over Bluetooth connections.
Depending on the vulnerability exploited, a successful attack could lead to impersonation attack, AuthValue disclosure or man-in-the-middle attack.
“Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing,” said an advisory from the Carnegie Mellon University CERT Coordination Center.
An attacker within wireless range of the vulnerable Bluetooth devices could use a specially crafted device to exploit the vulnerabilities.
According to the Carnegie Mellon CERT Coordination Center advisory, the Android Open-Source Project (AOSP), Cisco, Cradlepoint, Intel, Microchip Technology, and Red Hat are vendors affected by the security flaws.
A spokesman from Cradlepoint told FutureIoT: "Cradlepoint was notified of the BLE vulnerabilities prior to public disclosure. We have a production release of our NetCloud OS code available (NCOS version 7.21.40) that fixes the cited issues. As a result, we consider this security vulnerability remediated.”
Companies are advised to install the latest recommended updates from manufacturers into their Bluetooth devices..
Researchers have discovered the following security flaws in the Bluetooth Core and Mesh specifications:
- Impersonation in the Passkey Entry Protocol: The Passkey Entry protocol used in Secure Simple Pairing (SSP), Secure Connections (SC), and LE Secure Connections (LESC) of the Bluetooth Core Specification is vulnerable to an impersonation attack that enables an active attacker to impersonate the initiating device without any previous knowledge (CVE-2020-26558).
An attacker acting as a man-in-the-middle (MITM) in the Passkey authentication procedure could use a crafted series of responses to determine each bit of the randomly generated Passkey selected by the pairing initiator in each round of the pairing procedure, and once identified, the attacker can use these Passkey bits during the same pairing session to successfully complete the authenticated pairing procedure with the responder. Devices supporting BR/EDR Secure Simple Pairing in Bluetooth Core Specifications 2.1 through 5.2, BR/EDR Secure Connections Pairing in Bluetooth Core Specifications 4.1 through 5.2 and LE Secure Connections Pairing in Bluetooth Core Specifications 4.2 through 5.2 are affected by this vulnerability.
- Impersonation in the Pin Pairing Protocol: The Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555). An attacker could connect to a victim device by spoofing the Bluetooth Device Address (BD_ADDR) of the device, reflect the the encrypted nonce, and complete BR/EDR pin-code pairing with them without knowledge of the pin code.
A successful attack requires the attacking device to be within wireless range of a vulnerable device supporting BR/EDR Legacy Pairing that is Connectable and Bondable. Devices supporting the Bluetooth Core Specification versions 1.0B through 5.2 are affected by this vulnerability.
- Impersonation in Bluetooth Mesh Provisioning: The Mesh Provisioning procedure could allow an attacker without knowledge of the AuthValue, spoofing a device being provisioned, to use crafted responses to appear to possess the AuthValue and to be issued a valid NetKey and potentially an AppKey (CVE-2020-26560).
For this attack to be successful, an attacking device needs to be within wireless range of a Mesh Provisioner and either spoof the identity of a device being provisioned over the air or be directly provisioned onto a subnet controlled by the provisioner.
- Predictable AuthValue in Bluetooth Mesh Provisioning Leads to MITM:The Mesh Provisioning procedure could allow an attacker observing or taking part in the provisioning to brute force the AuthValue if it has a fixed value, or is selected predictably or with low entropy (CVE-2020-26557).
Identifying the AuthValue generally requires a brute-force search against the provisioning random and provisioning confirmation produced by the Provisioner. This brute-force search, for a randomly selected AuthValue, must complete before the provisioning procedure times out, which can require significant resources. If the AuthValue is not selected randomly with each new provisioning attempt, then the brute-force search can occur offline and if successful, would permit an attacker to identify the AuthValue and authenticate to both the Provisioner and provisioned devices, permitting a MITM attack on a future provisioning attempts with the same AuthValue.
- Malleable Commitment: The authentication protocol is vulnerable if the AuthValue can be identified during the provisioning procedure, even if the AuthValue is selected randomly (CVE-2020-26556). If an attacker can identify the AuthValue used before the provisioning procedure times out, it is possible to complete the provisioning operation and obtain a NetKey.
Similar to CVE-2020-26557, identifying the AuthValue generally requires a brute-force search against the provisioning random and provisioning confirmation produced by the Provisioner. This brute-force search for a randomly selected AuthValue, which can require significant resources, must complete before the provisioning procedure times out.
- AuthValue Leak:The Mesh Provisioning procedure could allow an attacker that was provisioned without access to the AuthValue to identify the AuthValue directly without brute-forcing its value (CVE-2020-26559).
Even when a randomly generated AuthValue with a full 128-bits of entropy is used, an attacker acquiring the Provisioner’s public key, provisioning confirmation value, and provisioning random value, and providing its public key for use in the provisioning procedure, will be able to compute the AuthValue directly.