Daniele Antonioli, wani mai binciken tsaro na Bluetooth wanda a baya ya haɓaka dabarun kai hari na BIAS, BLUR da KNOB, ya gano sabbin lahani guda biyu (CVE-2023-24023) a cikin tsarin tattaunawar zaman Bluetooth, yana shafar duk aiwatar da Bluetooth wanda ke goyan bayan hanyoyin Haɗin Tsaro. "Amintacce Sauƙaƙe Haɗin Kan", yana bin ƙayyadaddun bayanai na Bluetooth Core 4.2-5.4. A matsayin nunin aikace-aikacen aikace-aikacen da aka gano na lahani, an ƙirƙiri zaɓuɓɓukan hari guda 6 waɗanda ke ba mu damar shiga haɗin kai tsakanin na'urorin Bluetooth da aka haɗa a baya. Ana buga lambar tare da aiwatar da hanyoyin kai hari da abubuwan amfani don bincika raunin rauni akan GitHub.
An gano raunin da ya faru a yayin nazarin hanyoyin da aka bayyana a cikin ma'auni don cimma sirrin gaba (Sirrin Gaba da Gaba), wanda ke magance rikice-rikice na makullin zama a cikin yanayin ƙayyade maɓalli na dindindin (lalata ɗaya daga cikin maɓallan dindindin bai kamata ya jagoranci ba. zuwa ɓoye bayanan da aka kama a baya ko na gaba) da sake amfani da maɓallan maɓallan zaman (maɓalli daga zaman ɗaya bai kamata ya dace da wani zaman ba). Lalacewar da aka samu sun ba da damar ƙetare ƙayyadaddun kariyar da sake amfani da maɓallin zaman da ba abin dogaro ba a cikin zama daban-daban. Rashin lahani yana haifar da lahani a cikin ma'auni na tushe, ba su keɓance ga maƙallan Bluetooth ɗaya ba, kuma suna bayyana cikin guntu daga masana'antun daban-daban.
Hanyoyin harin da aka gabatar suna aiwatar da zaɓuɓɓuka daban-daban don tsara haɗin kai na al'ada (LSC, Legacy Secure Connections dangane da tsoffin bayanan sirri) da amintaccen (SC, Haɗin Amintaccen dangane da ECDH da AES-CCM) haɗin haɗin Bluetooth tsakanin tsarin da na'urar gefe, kamar yadda da kuma tsara haɗin MITM. hare-hare don haɗin kai a cikin LSC da SC. Ana ɗauka cewa duk aiwatar da Bluetooth da suka dace da ƙa'idar suna da sauƙi ga wasu bambance-bambancen harin BLUFFS. An nuna hanyar akan na'urori 18 daga kamfanoni irin su Intel, Broadcom, Apple, Google, Microsoft, CSR, Logitech, Infineon, Bose, Dell da Xiaomi.
Mahimmancin raunin ya gangara zuwa iyawa, ba tare da keta ma'auni ba, don tilasta haɗi don amfani da tsohuwar yanayin LSC da maɓallin gajeren zaman da ba amintacce ba (SK), ta hanyar ƙayyadaddun mafi ƙarancin yuwuwar entropy yayin aiwatar da tattaunawar haɗin gwiwa da yin watsi da Abubuwan da ke cikin amsa tare da sigogi na tantancewa (CR), wanda ke haifar da ƙirƙirar maɓallin zaman dangane da sigogin shigarwa na dindindin (ana ƙididdige maɓallin SK azaman KDF daga maɓalli na dindindin (PK) da sigogin da aka amince da su yayin zaman) . Misali, yayin harin MITM, mai hari zai iya maye gurbin sigogi 𝐴𝐶 da 𝑆𝐷 tare da ƙimar sifili yayin tsarin tattaunawar zaman, kuma ya saita entropy 𝑆𝐸 zuwa 1, wanda zai haifar da samuwar maɓallin zama entropy na 1 byte (madaidaicin girman girman entropy shine 7 bytes (56 rago), wanda yayi daidai da amincin zaɓin maɓallin DES).
Idan maharin ya sami nasarar yin amfani da gajeriyar maɓalli yayin tattaunawar haɗin gwiwa, to yana iya amfani da ƙarfi don tantance maɓalli na dindindin (PK) da aka yi amfani da shi don ɓoyewa da cimma ɓarnawar zirga-zirga tsakanin na'urori. Tunda harin MITM na iya haifar da amfani da maɓalli iri ɗaya, idan an sami wannan maɓalli, ana iya amfani da shi don warware duk zaman da maharin ya kama.
Don toshe rashin lahani, mai binciken ya ba da shawarar yin canje-canje ga ma'aunin da ke faɗaɗa ƙa'idar LMP da canza dabaru na amfani da KDF (Key Derivation Aiki) lokacin samar da maɓalli a yanayin LSC. Canjin baya karya daidaituwar baya, amma yana sa tsawaita umarnin LMP da aika ƙarin 48 bytes. Bluetooth SIG, wanda ke da alhakin haɓaka ƙa'idodin Bluetooth, ya ba da shawarar ƙin haɗin kai akan hanyar sadarwar rufaffiyar tare da maɓallai har zuwa bytes 7 a girman girman tsaro. Ayyukan da koyaushe suke amfani da Yanayin Tsaro 4 Mataki na 4 ana ƙarfafa su don ƙin haɗawa tare da maɓallai har zuwa 16 bytes a girman.
source: budenet.ru