A new set of vulnerabilities known as BLUFFS (Bluetooth Forward and Future Secrecy) has been identified, posing a serious threat to the security of encrypted Bluetooth connections. The vulnerability has affecteda wide range of popular devices including smartphones, laptops, and audio accessories globally.
The existence of BLUFFS was brought to light by Daniele Antonioli, a security researcher from the French research institute Eurecom. Antonioli’s investigation uncovered six different techniques under the umbrella of BLUFFS, each capable of impersonating device identities and executing Man-in-the-Middle (MitM) attacks on encrypted Bluetooth connections. This discovery is alarming as it directly impacts the confidentiality of these connections.
Technical Insights: How BLUFFS Operates
BLUFFS exploits four distinct vulnerabilities, two of which were previously unknown and stem from fundamental flaws in the Bluetooth standard’s architecture. These vulnerabilities, registered as CVE-2023-24023, allow an attacker to force the generation of a short and predictable session key (SKC). With this vulnerability, an attacker can gain access to data traffic through brute-force attacks, decrypt previously intercepted data packets, and manipulate ongoing data traffic in real-time. The only requirement for the attacker is to be within Bluetooth range of the targeted devices.
Widespread Impact: Vulnerable Devices
The research conducted by Antonioli involved testing 18 different devices for their susceptibility to BLUFFS. And find out each device was vulnerable to at least three of the six BLUFFS attack techniques. This list includes popular smartphones, laptops, Bluetooth speakers, and headphones from major manufacturers like Apple, Google, Microsoft, Dell, Xiaomi, Logitech, and Bose. Notably, one specific technique, a MitM attack, proved effective on all tested devices. A toolkit for testing device vulnerability to BLUFFS is available on GitHub for those concerned about their devices’ security.
In response to the BLUFFS threat, the Bluetooth Special Interest Group (SIG) has issued recommendations to mitigate the risk. Developers are advised to reject connections with key strengths of less than seven octets, as brute-forcing a 7-octet key is unlikely to be feasible in real-time. For systems using Security Mode 4 Level 4, a minimum key strength of 16 octets is recommended. Devices operating in “Secure Connections Only” mode are expected to maintain adequate key strength, ensuring better protection.