Bluetooth SIG Statement Regarding the ‘Impersonation Attack in Bluetooth Mesh Provisioning’ Vulnerability
Researchers at the Agence nationale de la sécurité des systèmes d’information (ANSSI) and researchers at Purdue University have independently identified a security vulnerability related to provisioning in the Bluetooth® Mesh Profile Specification versions 1.0 and 1.0.1. Both groups found that an attacker who does not know the AuthValue can spoof a device being provisioned and use crafted responses to appear to possess the AuthValue, and so be issued a valid NetKey and potentially an AppKey.
For this attack to be successful, an attacking device needs to be within wireless range of a Mesh Provisioner and either spoof the identity of a device being provisioned over the air or be directly provisioned onto a subnet controlled by the provisioner. After successfully authenticating without the AuthValue, the attacker can perform any operation permitted to a node provisioned on the subnet until it is either denied access or a new subnet is formed without the attacking node present.
The Bluetooth SIG is recommending that potentially vulnerable mesh provisioners restrict the authentication procedure so that they do not accept provisioning random and provisioning confirmation numbers from a remote peer that are the same as those selected by the local device.
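The recommended restriction, shown as an added example that is not part of the Bluetooth SIG statement or of any mesh stack: a provisioner-side verifier that, besides checking the peer's confirmation, refuses a Provisioning Confirmation or Provisioning Random that merely echoes its own. The spec's confirmation function is AES-CMAC; this example substitutes HMAC-SHA256 truncated to 16 bytes so it runs with only the standard library (an assumption that does not affect the echo check), and the ConfirmationKey and AuthValue are constructed sample values.

```python
import hashlib
import hmac
import secrets


def confirmation(confirmation_key: bytes, random: bytes, auth_value: bytes) -> bytes:
    """Stand-in for the spec's AES-CMAC(ConfirmationKey, Random || AuthValue)."""
    # Assumption: HMAC-SHA256/16 replaces AES-CMAC to stay standard-library only.
    return hmac.new(confirmation_key, random + auth_value, hashlib.sha256).digest()[:16]


class Provisioner:
    """Provisioner side of the confirmation/random exchange during provisioning."""

    def __init__(self, confirmation_key: bytes, auth_value: bytes, reject_echo: bool):
        self.key = confirmation_key
        self.auth_value = auth_value
        self.reject_echo = reject_echo  # the SIG-recommended restriction on/off
        self.random_p = secrets.token_bytes(16)  # Provisioning Random (local)
        self.confirmation_p = confirmation(self.key, self.random_p, auth_value)

    def verify_peer(self, confirmation_d: bytes, random_d: bytes) -> bool:
        """Accept the device only if its confirmation matches its random and our AuthValue."""
        # Recommended check: never accept values identical to the ones we selected.
        if self.reject_echo and (
            hmac.compare_digest(confirmation_d, self.confirmation_p)
            or hmac.compare_digest(random_d, self.random_p)
        ):
            return False
        expected = confirmation(self.key, random_d, self.auth_value)
        return hmac.compare_digest(expected, confirmation_d)


# Constructed sample values: both sides share ConfirmationKey after the key exchange,
# but only a legitimate device knows the AuthValue.
SAMPLE_KEY = bytes(range(16))
SAMPLE_AUTH = bytes(12) + (123456).to_bytes(4, "big")


def echo_peer_accepted(reject_echo: bool) -> bool:
    """Does a peer that returns the provisioner's own values pass verification?"""
    prov = Provisioner(SAMPLE_KEY, SAMPLE_AUTH, reject_echo)
    return prov.verify_peer(prov.confirmation_p, prov.random_p)


def honest_peer_accepted(reject_echo: bool) -> bool:
    """A device that knows the AuthValue must still pass with the restriction enabled."""
    prov = Provisioner(SAMPLE_KEY, SAMPLE_AUTH, reject_echo)
    random_d = secrets.token_bytes(16)
    return prov.verify_peer(confirmation(SAMPLE_KEY, random_d, SAMPLE_AUTH), random_d)
```

Without the restriction the echoed values verify, because the provisioner ends up checking a confirmation it computed itself; with it, the echo is refused while a device that actually knows the AuthValue is unaffected.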
The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.
For more information, please refer to the statement from the CERT Coordination Center.