Method Confusion Attack on Bluetooth Pairing
Bluetooth LE Secure Connections provides the Passkey Entry method to prevent MITM attacks. However, the new ‘Method Confusion Attack’ shows that a MITM attack is possible even though the user perceives the pairing as using Passkey Entry. In this attack, the MITM uses the number generated by Numeric Comparison with one device as the passkey for Passkey Entry with the other, thereby providing the illusion that the connection is secure.
Quick summary of the attack:
- The Initiator accidentally connects to a MITM, and the Numeric Comparison pairing method is selected. Numeric Comparison uses the Diffie-Hellman procedure to securely establish a shared secret on both devices. The Initiator device then shows a number derived from that secret on its display.
- Now the MITM connects to the original Responder device and triggers pairing with Passkey Entry, using the number created in the previous step for Numeric Comparison (and currently displayed on the Initiator device).
- The Responder device asks the user for Passkey Entry, and the user enters the number displayed on the Initiator device, not knowing that this number was only intended for Numeric Comparison.
So, while the user did enter the number shown on the Initiator device on the Responder device, the MITM is able to intercept all messages.
It obviously depends on how your device is configured. For example, if your device is an LE Peripheral and does not support Passkey Entry, i.e. it has no numeric keyboard, it is not vulnerable to this attack (as no Passkey Entry is possible).
The authors propose different fixes. Without changes to the Bluetooth specification, there are only limited options. If both devices are from the same vendor, it is possible to fix (pin) the pairing method. For the Initiator, it would help to let the user know which pairing method is used, including a warning, e.g. “Numeric Comparison: XXXXXX, don't enter this number on another device”.
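To make the attack summary and the proposed fixes concrete, here is an added example (not code from the original post or from the paper's authors) that models how LE Secure Connections derives the pairing method from both devices' IO capabilities, checks whether the Numeric-Comparison/Passkey-Entry split described above is reachable for a given pair of devices, and applies the two mitigations: a pinned pairing method and a display prompt that names the method. The `Device` class and the function names are assumptions for illustration; the method-selection table follows the Core Spec (Vol 3, Part H, Table 2.8) with OOB left out.

```python
# Added example, not part of the original post. Device/policy names are hypothetical.
from enum import Enum

class IO(Enum):
    """IO capabilities a device advertises in the SMP Pairing Request/Response."""
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YESNO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_IO = "NoInputNoOutput"
    KEYBOARD_DISPLAY = "KeyboardDisplay"

JUST_WORKS, NUMERIC_COMPARISON, PASSKEY_ENTRY = "JustWorks", "NumericComparison", "PasskeyEntry"

def select_method(initiator: IO, responder: IO, mitm_required: bool = True) -> str:
    """LE SC method derived from both IO capabilities (Core Spec Vol 3 Part H, Table 2.8; OOB omitted)."""
    if not mitm_required or IO.NO_IO in (initiator, responder):
        return JUST_WORKS
    yes_no = {IO.DISPLAY_YESNO, IO.KEYBOARD_DISPLAY}
    if initiator in yes_no and responder in yes_no:
        return NUMERIC_COMPARISON
    if initiator == IO.DISPLAY_ONLY and responder in (IO.DISPLAY_ONLY, IO.DISPLAY_YESNO):
        return JUST_WORKS
    if initiator == IO.DISPLAY_YESNO and responder == IO.DISPLAY_ONLY:
        return JUST_WORKS
    return PASSKEY_ENTRY  # one side types what the other side displays

class Device:
    """Hypothetical device model: IO capability plus an optional pinned set of methods."""
    def __init__(self, name: str, io: IO, allowed_methods=None):
        self.name, self.io, self.allowed = name, io, allowed_methods

    def accepts(self, method: str) -> bool:
        # Pinned-method policy (the "same vendor" fix): refuse any other negotiated method.
        return self.allowed is None or method in self.allowed

def method_confusion_possible(initiator: Device, responder: Device,
                              mitm_io_to_initiator: IO, mitm_io_to_responder: IO) -> bool:
    """True if a MITM advertising the given IO capabilities would get Numeric Comparison
    on the Initiator leg and Passkey Entry on the Responder leg, and both legs are accepted."""
    leg1 = select_method(initiator.io, mitm_io_to_initiator)
    leg2 = select_method(mitm_io_to_responder, responder.io)
    return (leg1 == NUMERIC_COMPARISON and initiator.accepts(leg1)
            and leg2 == PASSKEY_ENTRY and responder.accepts(leg2))

def display_prompt(method: str, value: int) -> str:
    """Initiator-side UI fix from the post: name the method and warn the user."""
    if method == NUMERIC_COMPARISON:
        return f"Numeric Comparison: {value:06d}, don't enter this number on another device"
    return f"{method}: {value:06d}"
```

Running `method_confusion_possible` for a DisplayYesNo phone against a KeyboardDisplay peripheral returns True, while the same peripheral with its method pinned to Numeric Comparison, or a DisplayOnly peripheral without a keyboard, returns False.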