Supplementary Bluetooth SIG Statement Regarding the ‘Impersonation in the Passkey Entry Protocol’ Vulnerability
A device supporting the Passkey Entry association model in BR/EDR Secure Simple Pairing in Bluetooth® Core Specifications 2.1 through 5.4, BR/EDR Secure Connections Pairing in Bluetooth Core Specifications 4.1 through 5.4, and LE Secure Connections Pairing in Bluetooth Core Specifications 4.2 through 5.4 may be vulnerable to the ‘Impersonation in the Passkey Entry Protocol’ vulnerability (CVE-2020-26558) if a device accepts a public key offered by the remote peer with the same X coordinate as the public key that it provided to the peer (e.g., a key with same absolute X and Y coordinate value but with a Y coordinate value with the opposite sign).
A man-in-the-middle (MITM) attacker between an Initiating and Responding pairing device may respond to the Initiating device with a public key with an X coordinate matching that of the peer and use crafted responses to determine the Passkey used during the pairing session and complete an authenticated pairing procedure with the Initiating device and the Responding device being attacked. The method for an MITM to succeed at this attack follows the procedure described in the original ‘Impersonation in the Passkey Entry Protocol’ vulnerability report, with a small variation to account for the modified value of the peer public key.
For the attack to be successful, an attacking device will also need to be within wireless range of two vulnerable Bluetooth devices initiating pairing or bonding where a BR/EDR IO Capabilities (Input/Output Capabilities) exchange or LE IO Capability in the pairing request and response results in the selection of the Passkey pairing procedure.
Bluetooth® Core Specification 5.4 recommends that a device fail a pairing procedure if the public key X coordinate offered by a peer matches that of the local device (except in the special case where a debug key is in use). Bluetooth® Core Specification 6.0 makes this check mandatory.
It is recommended that implementations follow the latest recommendations for the acceptance of public keys when implementing BR/EDR Secure Simple Pairing, BR/EDR Secure Connections pairing, or LE Secure Connections pairing in Bluetooth® Core Specifications 5.4 and earlier.