BLUFFS: Impersonating BR/EDR Devices Using Fixed Weak Session Encryption Key

Over the years, the security mechanism used in BR/EDR (Classic) have evolved from Legacy Pairing over Secure Simple Pairing to the current Secure Connections. While basically all Bluetooth devices support Secure Simple Pairing, only newer devices support Secure Connections. However, all Bluetooth devices are backwards compatible such that any two device can pair and connect with each other.

This backwards-compatibility also allows an attacker to trigger Legacy Pairing authentication when connecting to a device that supports Secure Connections. New research presented in the BLUFFS paper shows how attacker can impersonate a previously bonded device, trigger Legacy Pairing authentication, and enforce a fixed weak session encryption key. The fixed session key (7 bytes) can then be brute-forced offline (in weeks to months) and then used to decrypt man-in-the-middle sessions from the past or fully impersonate the bonded device in the future.

Vulnerability

Basically all BR/EDR devices that allow for an encryption key size of 7 or less are vulnerable to the BLUFFS attacks. Devices that require an encryption key size of 16 either by explicit configuration or because they are configured for Security Mode 4 Level 4 avoid the attacks as the 16 byte session key cannot be brute-forced in the near future.

Since the KNOB attack in 2019, BTstack both prevents downgrade attacks by tracking if Secure Connections was used during bonding as well as verifies the encryption key length and rejects encryption keys shorter than 16 bytes by default.

Action

If you’re using a version of BTstack older than v1.1 (October 2020), it’s time to update to the latest version.

References

AVRCP Cover Art in iOS / Android
USB Adapter for Intel Bluetooth/Wifi M.2 Cards