Bluetooth is a ubiquitous technology for low-power wireless communication employed by billions of devices, including mobile phones, wearables, and cars. Bluetooth is specified in a complex yet open standard that defines two transports: Bluetooth Classic (BC) for high-throughput services and Bluetooth Low Energy (BLE) for very-low-power services. Being a pervasive technology, Bluetooth exposes a broad attack surface. Moreover, successful attacks on Bluetooth can achieve high-impact goals, such as identity theft, privacy violations, and malicious device control. The security of Bluetooth communication depends heavily on the Bluetooth standard, which defines “standard-compliant” security mechanisms to protect the confidentiality, integrity, and availability of Bluetooth communications. Those mechanisms include the pairing and secure session establishment protocols used to establish keys and protect the communication.
This talk revisits our recent work on uncovering, exploring, and fixing three critical vulnerabilities in the Bluetooth standard. The vulnerabilities affect both BC and BLE, and we named them KNOB (CVE-2019-9506), BIAS (CVE-2020-10135), and BLUR (CVE-2020-15802). Because these vulnerabilities are standard-compliant (i.e., they exploit specification flaws in the Bluetooth standard), they are effective on any Bluetooth device regardless of its hardware and software details. For example, in our experiments we successfully exploited KNOB, BIAS, and BLUR on a broad set of devices, including ones from Apple, Broadcom, Cypress, CSR, Google, Intel, Microsoft, and Qualcomm. Additionally, we successfully targeted all the major Bluetooth versions currently on the market (e.g., 4.0, 4.1, 4.2, 5.0, 5.1, and 5.2).
Despite our reports to the Bluetooth consortium, the presented vulnerabilities are either unpatched or only partially fixed. Indeed, more work has to be done to secure the Bluetooth standard from its foundations.