Bluetooth Security

Security Notice

Embargoed Security Notice to Members Regarding the “Pairing Mode Confusion in BR/EDR” Vulnerability (CVE-2020-25837)

Researchers at the Agence nationale de la sécurité des systèmes d’information (ANSSI) have identified a security vulnerability in Passkey authentication for BR/EDR Secure Simple Pairing and BR/EDR Secure Connections pairing when the peer device supports BR/EDR Legacy PIN-Code pairing. The researchers found that an attacking device can intercede as a man-in-the-middle (MITM) between two pairing devices provided the attacker is able to negotiate BR/EDR Legacy Pairing with the pairing Responder (which must support entry of a PIN code) and negotiate the Passkey association model with the pairing Initiator (which must support display or entry of a Passkey). The user must either erroneously enter the Passkey displayed by the Initiator into the Responder as a 6-digit PIN-Code, or enter the same 6-digit value as both Passkey and PIN-Code on the Initiator and the Responder. Because the attacker is the Responder's peer in the legacy pairing exchange, it can identify the PIN-Code entered into the Responder by a real-time brute-force search of the 6-digit space and then use that value as the Passkey to complete authenticated pairing with the Initiator. This permits a MITM attack on the Secure Simple Pairing Passkey pairing procedure or the Secure Connections Passkey pairing procedure even if the Initiator is operating in Secure Connections Only Mode.

For this attack to be successful, an attacking device would need to be within wireless range of two Bluetooth devices that were establishing a BR/EDR encrypted connection without existing shared credentials (a link key). One of the two devices must support the Passkey association model and the other must support legacy PIN-Code pairing.

It is anticipated that there exist devices that present the PIN-Code entry prompt (generally labelled as a Passkey in the UI) in a manner that does not clearly differentiate between a Passkey and a BR/EDR PIN-Code. Confusion on the part of the user performing pairing may result in each device becoming authenticated with the attacker instead of with the other.

The Bluetooth SIG is making the following recommendations for mitigating this attack: Where a Central and Peripheral device both enforce Secure Connections Only Mode, a MITM will not be able to force BR/EDR Legacy PIN-Code pairing with either device, since a host in that mode refuses any pairing that does not use Secure Connections. This will prevent a MITM from succeeding at this attack. Where at least one of the pairing devices either requires BR/EDR Legacy pairing or does not support BR/EDR Secure Connections pairing, it will not be possible to enforce Secure Connections Only Mode on that device, and the attack remains possible against the other device even if it enforces that mode itself.
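The following script is an added example and is not Bluetooth SIG code. It models the two parts of the notice above: the pairing-mode negotiation on each leg of the MITM (why the Responder's support for Legacy PIN-Code pairing is what the attacker needs, and why Secure Connections Only Mode on both devices closes it), and the real-time brute-force search that turns the PIN-Code typed into the Responder into the Passkey presented to the Initiator. The feature flags, the `Device`/`Mode` names and the policy function are simplifications assumed for illustration; HMAC-SHA256 stands in for the Bluetooth E22/E21/E1 key functions so the script runs offline, and the random challenge and PIN are constructed sample values.

```python
"""Added example (not Bluetooth SIG code): a model of the BR/EDR pairing-mode
negotiation, the per-leg downgrade a MITM performs, and the real-time PIN-Code
brute force that yields the Initiator's Passkey.

Assumptions: feature flags, IO capabilities and policy names are simplified;
HMAC-SHA256 stands in for the E22/E21/E1 key functions so the script runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    LEGACY_PIN = "BR/EDR Legacy PIN-Code pairing"
    SSP_PASSKEY = "Secure Simple Pairing, Passkey entry"
    SC_PASSKEY = "Secure Connections, Passkey entry"
    REJECTED = "rejected by Secure Connections Only Mode"


@dataclass(frozen=True)
class Device:
    name: str
    ssp: bool              # advertises Secure Simple Pairing support
    sc: bool               # advertises Secure Connections support
    sc_only: bool = False  # host policy: Secure Connections Only Mode


def negotiate(local: Device, peer_ssp: bool, peer_sc: bool) -> Mode:
    """Pairing procedure selected from the features both sides advertise.
    Legacy PIN-Code pairing is used whenever either side lacks SSP; Secure
    Connections when both support it. A host in SC Only mode refuses the rest."""
    if not (local.ssp and peer_ssp):
        mode = Mode.LEGACY_PIN
    elif local.sc and peer_sc:
        mode = Mode.SC_PASSKEY
    else:
        mode = Mode.SSP_PASSKEY
    if local.sc_only and mode is not Mode.SC_PASSKEY:
        return Mode.REJECTED
    return mode


def mitm_negotiation(initiator: Device, responder: Device) -> dict:
    """The attacker holds one link to each victim and chooses the features it
    advertises on each leg independently. Assumed: on the Initiator leg it also
    advertises an IO capability that selects the Passkey association model."""
    # Toward the Responder: claim no SSP so it falls back to PIN-Code pairing.
    responder_leg = negotiate(responder, peer_ssp=False, peer_sc=False)
    # Toward the Initiator: claim full support so it uses Passkey entry.
    initiator_leg = negotiate(initiator, peer_ssp=True, peer_sc=initiator.sc)
    return {
        "responder_leg": responder_leg,
        "initiator_leg": initiator_leg,
        "attack_possible": responder_leg is Mode.LEGACY_PIN
        and initiator_leg in (Mode.SSP_PASSKEY, Mode.SC_PASSKEY),
    }


def legacy_response(pin: str, challenge: bytes) -> bytes:
    """Stand-in (assumption) for the Responder's legacy authentication response,
    a deterministic function of the typed PIN and a challenge the peer chose."""
    return hmac.new(pin.encode(), challenge, hashlib.sha256).digest()


def recover_pin(challenge: bytes, response: bytes, digits: int = 6) -> Optional[str]:
    """Attacker side of the Responder leg: it chose `challenge`, received
    `response`, and walks the 10**digits PIN space until one matches. The
    recovered PIN is then typed as the Passkey on the Initiator leg."""
    for candidate in range(10 ** digits):
        pin = f"{candidate:0{digits}d}"
        if hmac.compare_digest(legacy_response(pin, challenge), response):
            return pin
    return None


def demo() -> dict:
    """Three configurations from the notice plus the PIN recovery step."""
    phone = Device("phone", ssp=True, sc=True)
    headset = Device("headset", ssp=True, sc=True)
    old_headset = Device("old headset", ssp=False, sc=False)
    challenge = bytes(range(16))                     # constructed sample challenge
    typed_pin = "001337"                             # constructed sample user entry
    return {
        "both_sc_capable_no_policy": mitm_negotiation(phone, headset),
        "both_sc_only": mitm_negotiation(
            Device("phone", True, True, sc_only=True),
            Device("headset", True, True, sc_only=True)),
        "initiator_sc_only_legacy_responder": mitm_negotiation(
            Device("phone", True, True, sc_only=True), old_headset),
        "recovered_pin": recover_pin(challenge, legacy_response(typed_pin, challenge)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third configuration is the one the notice warns cannot be fixed by policy alone: the Initiator enforces Secure Connections Only Mode and still completes Passkey pairing with the attacker, because the downgrade happens on the Responder leg, where a legacy-only device has no Secure Connections mode to enforce.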

As a user must erroneously use the same value as the Passkey on the device performing BR/EDR Secure Connections Passkey pairing and as the PIN-Code on the device performing BR/EDR Legacy PIN-Code pairing, it is recommended, where possible, that devices supporting and using BR/EDR Legacy PIN-Code pairing clearly indicate that a legacy pairing mode is in use, and that devices supporting and using BR/EDR Secure Connections pairing clearly indicate that Secure Connections pairing mode is in use. Language in a UI or in documentation that clearly differentiates between these association models may help avoid a user erroneously treating one value as the other.