BLUFFS - vulnerabilities in Bluetooth that allow a MITM attack

Daniele Antonioli, a Bluetooth security researcher who previously developed the BIAS, BLUR and KNOB attack techniques, has identified two new vulnerabilities (CVE-2023-24023) in the Bluetooth session negotiation mechanism. They affect all Bluetooth implementations that support the "Secure Connections" and "Secure Simple Pairing" modes and comply with the Bluetooth Core 4.2-5.4 specifications. To demonstrate the practical application of the identified vulnerabilities, 6 attack variants have been developed that make it possible to wedge into the connection between previously paired Bluetooth devices. The code implementing the attack methods, along with utilities for checking for the vulnerabilities, is published on GitHub.

The vulnerabilities were identified during an analysis of the mechanisms the standard describes for achieving forward and future secrecy. These mechanisms protect session keys if a permanent key is determined (compromise of one of the permanent keys should not lead to the decryption of previously intercepted or future sessions) and prevent the reuse of session keys (a key from one session should not be applicable to another session). The vulnerabilities found make it possible to bypass this protection and reuse an unreliable session key in different sessions. The vulnerabilities are caused by flaws in the base standard, are not specific to individual Bluetooth stacks, and appear in chips from different manufacturers.

The proposed attack methods implement different variants of spoofing classic (LSC, Legacy Secure Connections, based on outdated cryptographic primitives) and secure (SC, Secure Connections, based on ECDH and AES-CCM) Bluetooth connections between the system and a peripheral device, as well as MITM attacks on connections in LSC and SC modes. It is assumed that all Bluetooth implementations that comply with the standard are susceptible to some variant of the BLUFFS attack. The method was demonstrated on 18 devices from companies such as Intel, Broadcom, Apple, Google, Microsoft, CSR, Logitech, Infineon, Bose, Dell and Xiaomi.

The essence of the vulnerabilities is that, without violating the standard, a connection can be forced to use the old LSC mode and an unreliable short session key (SK). This is done by specifying the minimum possible entropy during connection negotiation and ignoring the contents of the response with authentication parameters (CR), which leads to a session key generated from permanent input parameters: the session key SK is calculated as the KDF of the permanent key (PK) and the parameters agreed upon during the session. For example, during a MITM attack, an attacker can replace the parameters 𝐴𝐶 and 𝑆𝐷 with zero values during session negotiation and set the entropy 𝑆𝐸 to 1, which results in a session key 𝑆𝐾 with an actual entropy of 1 byte. The standard minimum entropy size is 7 bytes (56 bits), which is comparable in strength to brute-forcing a DES key.

If the attacker succeeds in forcing the use of a shorter key during connection negotiation, they can use brute force to determine the permanent key (PK) used for encryption and decrypt the traffic between the devices. Since a MITM attack can trigger the use of the same encryption key, once this key is found it can be used to decrypt all past and future sessions intercepted by the attacker.

To block the vulnerabilities, the researcher proposed changes to the standard that extend the LMP protocol and change the logic of using the KDF (Key Derivation Function) when generating keys in LSC mode. The change does not break backward compatibility, but it does require enabling an extended LMP command and sending an additional 48 bytes. The Bluetooth SIG, which is responsible for developing Bluetooth standards, has proposed rejecting connections over an encrypted communication channel with keys up to 7 bytes in size as a security measure. Implementations that always use Security Mode 4 Level 4 are encouraged to reject connections with keys up to 16 bytes in size.
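The key-derivation weakness and the key-size mitigation described above can be modelled in a few lines. This is an added example, not code from the researcher's repository or from any Bluetooth stack: HMAC-SHA256 stands in for the real Bluetooth KDF, all values are constructed, and the thresholds of 7 and 16 bytes are read as minimum accepted sizes (an assumption).

```python
import hashlib
import hmac
import os

# Toy model of the negotiation described in the article. HMAC-SHA256 stands in
# for the Bluetooth KDF (assumption: the real LSC functions are different).
# PK, AC, SD, SE and SK are the article's names; sizes and values are constructed.
KEY_LEN = 16


def derive_session_key(pk: bytes, ac: bytes, sd: bytes, se: int) -> bytes:
    """SK = KDF(PK, AC, SD), reduced to SE bytes of entropy."""
    if not 1 <= se <= KEY_LEN:
        raise ValueError("SE must be between 1 and 16 bytes")
    full = hmac.new(pk, ac + sd, hashlib.sha256).digest()[:KEY_LEN]
    # Only the first SE bytes stay unpredictable; the rest is zeroed here to
    # model the reduced key strength.
    return full[:se] + bytes(KEY_LEN - se)


def keys_are_diversified(pk: bytes, sessions) -> bool:
    """True when every (AC, SD, SE) tuple yields a different session key."""
    keys = [derive_session_key(pk, ac, sd, se) for ac, sd, se in sessions]
    return len(set(keys)) == len(keys)


def accept_key_size(se: int, sc_only: bool = False) -> bool:
    """Key-size check per the Bluetooth SIG guidance quoted in the article,
    read here as a minimum accepted size (assumption): 7 bytes in general,
    16 bytes for hosts that always use Security Mode 4 Level 4."""
    return se >= (16 if sc_only else 7)


PK = bytes(range(KEY_LEN))            # constructed pairing key
ZERO = bytes(KEY_LEN)
PINNED = [(ZERO, ZERO, 1)] * 3        # AC = SD = 0, SE = 1, as in the article
FRESH = [(os.urandom(KEY_LEN), os.urandom(KEY_LEN), KEY_LEN) for _ in range(3)]

if __name__ == "__main__":
    for name, sessions in (("pinned", PINNED), ("fresh", FRESH)):
        se = sessions[0][2]
        print(f"{name}: diversified={keys_are_diversified(PK, sessions)}, "
              f"SE={se}, accepted={accept_key_size(se)}, "
              f"accepted_sc_only={accept_key_size(se, sc_only=True)}")
```

With pinned inputs every session yields the same weak key, which is why a receiver-side key-size check rejects the negotiation before any traffic is encrypted with it.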

Source: opennet.ru
