37C3 - BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses

https://media.ccc.de/v/37c3-12342-blu... Breaking and fixing the Bluetooth standard. One More Time. Ciao! We present the BLUFFS attacks (CVE-2023-24023), six novel attacks breaking Bluetooth's forward and future secrecy. Our attacks enable device impersonation and machine-in-the-middle across sessions by compromising and re-using one session key. We discuss the four vulnerabilities in the Bluetooth specification enabling the attacks, two of which are new and related to unilateral and repeatable session key derivation. We describe the toolkit we developed and open-sourced to test our attacks via firmware binary patching, our experiments where we exploited 18 heterogeneous Bluetooth devices, and the practical and backward-compliant session key derivation protocol we built to fix the attacks by design. We also cover related work like KNOB, BIAS, and BLUR, and educational Bluetooth security tips and tricks. Bluetooth is a pervasive technology for wireless communication. Billions of devices use it in sensitive applications and to exchange private data. The security of Bluetooth depends on the Bluetooth standard and its two security mechanisms: pairing and session establishment. No prior work, including the standard itself, analyzed the future and forward secrecy guarantees of these mechanisms, e.g., if Bluetooth pairing and session establishment defend past and future sessions when the adversary compromises the current. To address this gap, we present six novel attacks, defined as the BLUFFS attacks, breaking Bluetooth sessions’ forward and future secrecy. Our attacks enable device impersonation and machine-in-the-middle across sessions by only compromising one session key. The attacks exploit two novel vulnerabilities that we uncover in the Bluetooth standard related to unilateral and repeatable session key derivation. As the attacks affect Bluetooth at the architectural level, they are effective regardless of the victim’s hardware and software details (e.g., chip, stack, version, and security mode). We also release BLUFFS, a low-cost toolkit to perform and automatically check the effectiveness of our attacks. The toolkit employs seven original patches to manipulate and monitor Bluetooth session key derivation by dynamically patching a closed-source Bluetooth firmware that we reverse-engineered. We show that our attacks have a critical and large-scale impact on the Bluetooth ecosystem, by evaluating them on seventeen diverse Bluetooth chips (eighteen devices) from popular hardware and software vendors and supporting the most popular Bluetooth versions. Motivated by our empirical findings, we develop and successfully test an enhanced key derivation function for Bluetooth that stops by-design our six attacks and their four root causes. We show how to effectively integrate our fix into the Bluetooth standard and discuss alternative implementation-level mitigations. We responsibly disclosed our contributions to the Bluetooth SIG. Daniele Antonioli https://events.ccc.de/congress/2023/h... #37c3 #Security