Bluetooth SIG Statement Regarding the “Bluetooth Forward and Future Secrecy Attacks and Defenses (BLUFFS)” Vulnerability
Researchers at EURECOM have reported to the Bluetooth SIG that BR/EDR devices supporting Secure Connections pairing and Secure Simple Pairing in Bluetooth® Core Specifications 4.2 through 5.4 may be vulnerable to man-in-the-middle (MITM) attacks between peers that have already paired or bonded using Secure Connections.
The researchers identified that a MITM attacker spoofing paired or bonded devices to one another may prompt both to establish a subsequent encryption procedure using legacy encryption and to enter the Peripheral role, if not already in that role. This permits the MITM attacker to force the minimum permitted encryption key length supported by both devices and to force the values of all the nonces used to salt the generation of the encryption key. When the attack is successful, an attacker in proximity may ensure that the same encryption key is used for every session while in proximity and force the lowest supported encryption key length. Any conforming BR/EDR implementation is expected to be vulnerable to this attack on session key establishment; however, the impact may be limited by refusing access to host resources from a downgraded session, or by ensuring sufficient key entropy to make session key reuse of limited utility to an attacker.
If a reduced encryption key length can be negotiated, the MITM attacker may be able to brute force the encryption key by trial and error to permit decryption of the traffic between devices. Because the MITM can force the same encryption key for every encryption establishment while in proximity to the impacted peer devices, brute forcing that key leaves all prior and subsequent attacked sessions vulnerable to decryption as well. The recommended minimum encryption key length for BR/EDR encrypted sessions is 7 octets. Brute forcing a 7-octet key is not anticipated to be possible in real time during a session; however, an attacker able to co-locate with attacked devices may be able to record sufficient private traffic to make an attack on a single session key worthwhile. If a successful attacker can reduce the encryption key length below 7 octets, the attacker may be able to brute force the encryption key in real time, permitting live injection attacks on traffic between the affected peers.
For this attack to be successful, an attacking device needs to be within wireless range of two vulnerable Bluetooth devices initiating an encryption procedure using a link key obtained using BR/EDR Secure Connections pairing procedures.
Implementations are advised to reject service-level connections on an encrypted baseband link with key strengths below 7 octets. Implementations capable of always using Security Mode 4 Level 4 should reject service-level connections on an encrypted baseband link with a key strength below 16 octets. Having both devices operating in Secure Connections Only Mode will also ensure sufficient key strength.
Implementations should also track that a link key was established using BR/EDR Secure Connections in the Bluetooth Security Database and verify that any subsequent encryption establishment also uses Secure Connections. If encryption was not established in Secure Connections mode for a bonded peer that previously bonded using Secure Connections mode or if the negotiated encryption key size is too small, the link should be terminated.
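The two checks recommended above can be combined into one host-side decision made each time encryption is established. The sketch below is an added example, not code from the Bluetooth SIG or from any host stack; all struct, enum and function names are hypothetical, and the sample sessions in `main` are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; this is not code from any real host stack. */
enum verdict { LINK_OK, TERMINATE_SC_DOWNGRADE, TERMINATE_KEY_TOO_SHORT };

struct bond_record {          /* Security Database entry for a bonded peer */
    bool bonded_with_sc;      /* link key came from Secure Connections pairing */
};
struct enc_session {          /* facts known once encryption is established */
    bool    uses_sc;          /* encryption was established in SC mode */
    uint8_t key_size;         /* negotiated encryption key size, in octets */
};
struct host_policy { bool always_mode4_level4; }; /* Security Mode 4 Level 4 always usable */

static uint8_t min_key_octets(const struct host_policy *p)
{
    return p->always_mode4_level4 ? 16 : 7;   /* thresholds from the statement */
}

enum verdict check_encrypted_link(const struct host_policy *p,
                                  const struct bond_record *bond,
                                  const struct enc_session *s)
{
    /* Peer bonded with SC but this session was set up with legacy encryption. */
    if (bond->bonded_with_sc && !s->uses_sc)
        return TERMINATE_SC_DOWNGRADE;
    /* Negotiated key is below the minimum this host accepts. */
    if (s->key_size < min_key_octets(p))
        return TERMINATE_KEY_TOO_SHORT;
    return LINK_OK;
}

int main(void)
{
    /* Constructed sessions for a peer that originally bonded with SC. */
    const struct host_policy policy = { .always_mode4_level4 = false };
    const struct bond_record bond   = { .bonded_with_sc = true };
    const struct enc_session cases[] = {
        { true, 16 }, { false, 16 }, { true, 1 }, { true, 7 },
    };
    static const char *names[] = { "ok", "terminate: SC downgrade",
                                   "terminate: key too short" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("sc=%d key=%u -> %s\n", cases[i].uses_sc, (unsigned)cases[i].key_size,
               names[check_encrypted_link(&policy, &bond, &cases[i])]);
    return 0;
}
```

The Secure Connections check runs first, so a session that is both downgraded and short-keyed is reported as a downgrade.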