BIAS: Bluetooth Impersonation AttackS
A new Bluetooth security paper, Bluetooth Impersonation AttackS (BIAS), shows how flaws in the Bluetooth spec can be used to perform a variant of the existing KNOB attack even after pairing. In a nutshell, the paper suggests that Secure Connections (SC) can be downgraded to Legacy Secure Connections and that Legacy Secure Connections do not require mutual authentication.
The good news is that the encryption key size check that we added to BTstack to prevent the KNOB attack (by the same author) also prevents BIAS if the default encryption key size of 128 bit is used. With a lower encryption key size, the KNOB attack becomes easier to mount, but brute-forcing the lower encryption key size (>= 56 bit) still requires significant computing power.
Also, Secure Connections (SC) for Bluetooth Classic isn’t the same as Secure Simple Pairing (SSP). When SC is supported on top of SSP, SSP uses the P-256 curve instead of P-192. In addition, AES-CCM encryption is used instead of the less secure E0 encryption (AES-CCM is used for Bluetooth LE).
We have updated BTstack to enable Secure Connections for Bluetooth Classic if supported by the Bluetooth Controller. Most newer controllers do, while the common USB Bluetooth 4.0 dongles (with CSR8510 or BCM/CYW27020 chipsets) or TI’s CC256x do not support it. Some further tests with devices on hand show that the Bluetooth Controller from a MacBook Pro 2016 doesn’t support it either, while the iPhone SE does.
Back to the paper. To prevent the BIAS attack, the author suggests verifying that a device that supports Secure Connections (SC) during pairing also supports SC in later connections. A further suggestion is to always perform the authentication procedure.
We have implemented:
– support for enabling Secure Connections if supported by the Bluetooth Controller,
– support for mutual authentication for Legacy Secure Connections,
– detection of a Secure Connections->Legacy Secure Connection downgrade (see BIAS paper) based on the encryption type (E0 vs. AES-CCM),
– a second check for a Secure Connections->Legacy Secure Connection downgrade attack based on remote features.
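The two downgrade checks and the key size check can be combined into a single decision made on every reconnection to a bonded device. The following is an added sketch and not BTstack's own code: the types and function names are hypothetical, and it assumes the stack stores the HCI link key type at pairing time and has already decoded the remote features into one flag.

```c
#include <stdbool.h>
#include <stdint.h>

/* Encryption_Enabled values of the HCI Encryption Change event (BR/EDR). */
enum { ENC_OFF = 0x00, ENC_E0 = 0x01, ENC_AES_CCM = 0x02 };
/* HCI link key types generated with the P-256 curve, i.e. with Secure Connections. */
enum { KEY_UNAUTH_P256 = 0x07, KEY_AUTH_P256 = 0x08 };

typedef enum { LINK_OK, LINK_NOT_ENCRYPTED, LINK_KEY_TOO_SHORT,
               LINK_SC_DOWNGRADE_FEATURES, LINK_SC_DOWNGRADE_ENCRYPTION } link_verdict_t;

/* Hypothetical bonding record, written when pairing completed. */
typedef struct { uint8_t link_key_type; } bond_t;

/* Hypothetical state collected for the current connection. */
typedef struct {
    bool    remote_sc_supported;  /* remote features: SC host and controller support */
    uint8_t encryption_enabled;   /* from HCI Encryption Change */
    uint8_t encryption_key_size;  /* in bytes, from HCI Read Encryption Key Size */
} link_t;

static bool bond_used_sc(const bond_t *bond) {
    return bond->link_key_type == KEY_UNAUTH_P256 || bond->link_key_type == KEY_AUTH_P256;
}

link_verdict_t check_reconnection(const bond_t *bond, const link_t *link, uint8_t min_key_size) {
    /* A peer that paired with SC must still advertise SC in its features. */
    if (bond_used_sc(bond) && !link->remote_sc_supported) return LINK_SC_DOWNGRADE_FEATURES;
    if (link->encryption_enabled == ENC_OFF) return LINK_NOT_ENCRYPTED;
    /* A P-256 link key implies AES-CCM; E0 on such a link is a downgrade. */
    if (bond_used_sc(bond) && link->encryption_enabled != ENC_AES_CCM)
        return LINK_SC_DOWNGRADE_ENCRYPTION;
    /* KNOB check: 16 bytes corresponds to the 128 bit default. */
    if (link->encryption_key_size < min_key_size) return LINK_KEY_TOO_SHORT;
    return LINK_OK;
}

int main(void) {
    /* Constructed case: bonded with SC, reconnection comes up with E0. */
    bond_t bond = { KEY_AUTH_P256 };
    link_t link = { true, ENC_E0, 16 };
    return check_reconnection(&bond, &link, 16) == LINK_SC_DOWNGRADE_ENCRYPTION ? 0 : 1;
}
```

Any verdict other than `LINK_OK` should lead to disconnecting the link rather than falling back to the weaker mode.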