Headline
CVE-2023-24023: Security Notice | Bluetooth® Technology Website
Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.
Bluetooth SIG Statement Regarding the “Bluetooth Forward and Future Secrecy Attacks and Defenses (BLUFFS)” Vulnerability
Researchers at EURECOM have issued a report to the Bluetooth SIG that identifies that BR/EDR devices supporting Secure Connections pairing and Secure Simple Pairing in Bluetooth® Core Specifications 4.2 through 5.4 may be vulnerable to Man-in-the-Middle (MITM) attacks between peers that have already paired or bonded using Secure Connections.
The researchers identified that a MITM attacker spoofing paired or bonded devices to one another may prompt both to establish a subsequent encryption procedure using legacy encryption and enter the Peripheral role, if not already in the Peripheral role. This permits the MITM attacker to force the minimum permitted encryption key length supported by both devices and force the value of all the nonce values used to salt the generation of the encryption key. When the attack is successful, an attacker in proximity may ensure that the same encryption key is used for every session while in proximity and force the lowest supported encryption key length. Any conforming BR/EDR implementation is expected to be vulnerable to this attack on session key establishment; however, the impact may be limited by refusing access to host resources from a downgraded session, or by ensuring sufficient key entropy to make session key reuse of limited utility to an attacker.
If a reduced encryption key length can be negotiated, the MITM attacker may be able to brute force the encryption key by trial and error to permit decryption of the traffic between devices. As the same encryption key can be forced by the MITM for all encryption establishment while in proximity to the impacted peer devices, if that encryption key can be brute forced, all prior and subsequent attacked sessions are also vulnerable to being decrypted. The recommended minimum encryption key length for BR/EDR encrypted sessions is 7 octets. Brute forcing of a 7-octet key is not anticipated to be possible in real-time during a session; however, an attacker able to co-locate with attacked devices may be able to record sufficient private traffic to make an attack on a single session key worthwhile. If a successful attacker can reduce the encryption key length below 7 octets, the attacker may be able to complete a brute forcing of the encryption key in real-time, permitting live injection attacks on traffic between the affected peers.
For this attack to be successful, an attacking device needs to be within wireless range of two vulnerable Bluetooth devices initiating an encryption procedure using a link key obtained using BR/EDR Secure Connections pairing procedures.
Implementations are advised to reject service-level connections on an encrypted baseband link with key strengths below 7 octets. For implementations capable of always using Security Mode 4 Level 4, implementations should reject service-level connections on an encrypted baseband link with a key strength below 16 octets. Having both devices operating in Secure Connections Only Mode will also ensure sufficient key strength.
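The following is an added example, not code from the Bluetooth SIG or from any Bluetooth stack: a host-side gate that applies the 7-octet and 16-octet floors recommended above and also refuses a downgraded session, run over three constructed sessions. Every type, field and function name is hypothetical, and rejecting unencrypted links is an assumption about the services being gated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; the 7- and 16-octet floors come from the statement. */
enum verdict { ACCEPT, REJECT_UNENCRYPTED, REJECT_DOWNGRADE, REJECT_SHORT_KEY };

struct bredr_link {
    bool    encrypted;       /* baseband encryption is enabled */
    bool    sc_link_key;     /* link key was produced by Secure Connections pairing */
    bool    sc_encryption;   /* session uses Secure Connections encryption, not legacy */
    uint8_t key_octets;      /* negotiated encryption key length */
};

struct host_policy {
    bool level4_always;      /* host can always use Security Mode 4 Level 4 */
    bool refuse_downgrade;   /* refuse legacy encryption on a Secure Connections bond */
};

enum verdict check_service_connection(const struct bredr_link *l,
                                      const struct host_policy *p)
{
    if (!l->encrypted)       /* assumption: the gated services require encryption */
        return REJECT_UNENCRYPTED;
    if (p->refuse_downgrade && l->sc_link_key && !l->sc_encryption)
        return REJECT_DOWNGRADE;
    if (l->key_octets < (p->level4_always ? 16 : 7))
        return REJECT_SHORT_KEY;
    return ACCEPT;
}

/* Constructed sample sessions, not captured traffic. */
static const struct bredr_link samples[] = {
    { true, true, false, 5  },   /* forced legacy session with a short key */
    { true, true, false, 7  },   /* forced legacy session at the 7-octet floor */
    { true, true, true,  16 },   /* Secure Connections session, full-length key */
};
static const struct host_policy floor_only = { false, false };
static const struct host_policy strict     = { true,  true  };

int main(void)
{
    static const char *names[] = { "accept", "reject: unencrypted",
                                   "reject: downgraded session", "reject: short key" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("session %zu: floor_only=%s, strict=%s\n", i,
               names[check_service_connection(&samples[i], &floor_only)],
               names[check_service_connection(&samples[i], &strict)]);
    return 0;
}
```

The second sample passes the 7-octet floor while still being a legacy-encryption session on a Secure Connections bond, which is why the gate checks for the downgrade separately from the key length.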
Related news
Red Hat Security Advisory 2024-2394-03 - An update for kernel is now available for Red Hat Enterprise Linux 9. Issues addressed include code execution, double free, integer overflow, memory exhaustion, memory leak, null pointer, out of bounds access, out of bounds read, out of bounds write, privilege escalation, and use-after-free vulnerabilities.
Ubuntu Security Notice 6742-2 - Daniele Antonioli discovered that the Secure Simple Pairing and Secure Connections pairing in the Bluetooth protocol could allow an unauthenticated user to complete authentication without pairing credentials. A physically proximate attacker placed between two Bluetooth devices could use this to subsequently impersonate one of the paired devices. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers. The issues, collectively named BLUFFS, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8).