Exploiting and Fixing the Bluetooth Standard

Bluetooth is a ubiquitous technology for low-power wireless communications. It is employed by billions of devices, including smartphones, laptops, wearables, and cars. As a technology, Bluetooth is specified in an open and quite complex standard. The standard defines two Bluetooth flavors; Bluetooth Classic (BC) for high throughput services and Bluetooth Low Energy (BLE) for low power ones. In addition, it specifies pairing (i.e., bootstrapping) and session establishment security mechanisms to protect the confidentiality, integrity, and authenticity of Bluetooth communication. One vulnerability in these mechanisms can be exploited on all Bluetooth devices as they must be compliant with the Bluetooth standard.

This talk revisits our recent work about uncovering, exploiting, and fixing three critical vulnerabilities in the Bluetooth standard affecting BT and BLE. The vulns are KNOB (CVE-2019-9506), BIAS (CVE-2020-10135), and BLUR (CVE-2020-15802). KNOB affects both BT and BLE and enables to weaken and brute force Bluetooth’s cryptographic keys. BIAS affects BT and allows to bypass Bluetooth’s authentication. BLUR exploits the boundary between BT and BLE and results in cross-transport exploitation of BT and BLE. Despite our reports to the Bluetooth consortium (SIG), the presented vulnerabilities are either not patched or partially fixed.