Apple devices vulnerable to new Bluetooth security hole attack

Macworld

Editor’s note: Updated 12/1/23 with a statement from Bluetooth SIG.

The academic research institution Eurecom has discovered security holes in the Bluetooth wireless standard that could allow a threat agent to impersonate devices and set up man-in-the middle attacks. The holes have been in several versions of the Bluetooth protocol, including the current 5.4 version, as well as the 5.3 version that’s used in Apple’s current hardware lineup.

Eurecom has developed a set of attacks called “Bluetooth Forward and Future Secrecy” (BLUFFS) that exploit the discovered Bluetooth weaknesses. According to a research paper by Eurecom’s Daniele Antonioli, “The attacks exploit two novel vulnerabilities that we uncover in the Bluetooth standard related to unilateral and repeatable session key derivation.”

“We show that our attacks have a critical and large-scale impact on the Bluetooth ecosystem,” wrote Antonioli, “by evaluating them on 17 diverse Bluetooth chips (18 devices) from popular hardware and software vendors and supporting the most popular Bluetooth versions.”

In order to execute the BLUFFS attacks, a threat agent needs to be within range of the target’s devices. BLUFFS exploits four flaws in the Bluetooth session key derivation process that an attacker can exploit and use to pretend to be one of the devices.

Antonioli provides direction for developers on how the security holes can be fixed. “We propose an enhanced Bluetooth session key derivation function that stops by-design our attacks and their root causes. Our countermeasure is backward compatible with the Bluetooth standard and adds minimal overheads.”

How to protect yourself

Considering that BLUFFS is part of a research project, users don’t have to worry about it being used in the wild. But Eurecom has exposed flaws in Bluetooth that have existed for some time.

The Bluetooth Special Interest Group is responsible for overseeing the development of the Bluetooth standard and will need to address these holes. In a statement posted to the Bluetooth.com website, SIG stated that, “For this attack to be successful, an attacking device needs to be within wireless range of two vulnerable Bluetooth devices initiating an encryption procedure using a link key obtained using BR/EDR Secure Connections pairing procedures,” SIG also recommends that “Implementations [should] reject service-level connections on an encrypted baseband link with key strengths below 7 octets. For implementations capable of always using Security Mode 4 Level 4, implementations should reject service-level connections on an encrypted baseband link with a key strength below 16 octets. Having both devices operating in Secure Connections Only Mode will also ensure sufficient key strength.”

Apple, for its part, can address some of these issues with operating system patches. So it’s important to install OS updates as soon as possible. The BLUFFS-related vulnerabilities have been recorded in the Nation Vulnerability Database as CVE-2023-24023; if/when Apple issues patches for this, the company should record them in its security releases document.

Users who want to take a proactive approach can turn off Bluetooth when it’s not in use. This can be done quickly on the iPhone, iPad, and Mac through Control Center.

iPad, iPhone, Mac, Security Software and Services