New Bluetooth Attack Allows Simulating Another Device


Experts from the French National Agency for Information Systems Security (ANSSI) have discovered a new attack on Bluetooth that allows an attacker to impersonate another device.

The researchers said that there are problems in the Bluetooth Core and Mesh Profile specifications that allow an attacker to impersonate a legitimate device during pairing and to launch man-in-the-middle attacks (provided, of course, that the attacker is within wireless range).

Specialists from the Bluetooth Special Interest Group (Bluetooth SIG) have already published a detailed description of all seven discovered bugs, along with recommendations for addressing them.

According to CERT/CC, Android Open Source Project (AOSP), Cisco, Intel, Red Hat, Microchip Technology and Cradlepoint products are vulnerable to at least some of these problems. About a dozen more manufacturers have confirmed that their products are not affected, and the products of about 200 other vendors may be vulnerable, but their exact status is still unknown.

It is reported that the AOSP developers are already working on fixes for the vulnerabilities CVE-2020-26555 and CVE-2020-26558 affecting Android devices. The patches should be included in the next Android security bulletin.

Cisco is also working to resolve issues CVE-2020-26555 and CVE-2020-26558 affecting its products. The company tracks these vulnerabilities as PSIRT-0503777710.

Bluetooth SIG experts explain:

"To use CVE-2020-26555, an attacker must be able to identify [the address of the vulnerable Bluetooth device] before he can launch an attack. If successful, the attacker will be able to complete the pairing with a known link key, establish an encrypted connection with the vulnerable device, and gain access to any profiles available through pairing with a remote device that supports Legacy Pairing."

As for CVE-2020-26558, the attacker must be within range of two paired Bluetooth devices and must impersonate one of them from his own device.

The experts say:

"This vulnerability could allow an attacker to authenticate to the responding victim device and act as a legitimate encrypted device. The attacker cannot pair with the initiating device using this method of attack, which prevents a fully transparent man-in-the-middle attack between the initiator and responder."

The Bluetooth SIG recommends that vendors of potentially vulnerable products restrict authentication so that random and acknowledgment numbers received from a remote host are not accepted when they match the numbers selected by the local device.
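As an added illustration (not code from the article, the Bluetooth SIG or any vendor), here is a toy responder that applies that recommendation: it refuses a round in which the remote side merely echoes the responder's own public key, confirmation value or nonce back. The commitment function is a simplified HMAC stand-in, not the specification's own function, and all keys and nonces are constructed values.

```python
import hashlib
import hmac
import secrets


def commit(pk: bytes, nonce: bytes, passkey_bit: int) -> bytes:
    """Simplified stand-in for a pairing commitment (assumption: this is NOT
    the Bluetooth specification's function). Binds a public key, a nonce
    and one passkey bit."""
    return hmac.new(pk, nonce + bytes([passkey_bit]), hashlib.sha256).digest()


class Responder:
    """The responding device in one passkey-entry style round."""

    def __init__(self, passkey_bit: int):
        self.pk = secrets.token_bytes(32)      # constructed public key
        self.nonce = secrets.token_bytes(16)   # constructed per-round nonce
        self.passkey_bit = passkey_bit
        self.confirm = commit(self.pk, self.nonce, passkey_bit)

    def verify_initiator(self, remote_pk: bytes, remote_confirm: bytes,
                         remote_nonce: bytes, reject_reflection: bool = True) -> str:
        # Mitigation described in the article: do not accept random or
        # confirmation values from the remote host that match our own.
        if reject_reflection and (remote_pk == self.pk or
                                  remote_nonce == self.nonce or
                                  remote_confirm == self.confirm):
            return "rejected: reflected values"
        # Ordinary check: the remote commitment must open to the remote
        # nonce and the passkey bit this device holds.
        expected = commit(remote_pk, remote_nonce, self.passkey_bit)
        if not hmac.compare_digest(expected, remote_confirm):
            return "rejected: confirm mismatch"
        return "ok"


def reflection_outcome(reject_reflection: bool) -> str:
    """A peer that never learned the passkey and simply echoes the
    responder's own public key, confirmation value and nonce back."""
    responder = Responder(passkey_bit=1)
    return responder.verify_initiator(responder.pk, responder.confirm,
                                      responder.nonce, reject_reflection)


def honest_outcome() -> str:
    """A genuine peer that knows the passkey bit and uses fresh values."""
    responder = Responder(passkey_bit=1)
    pk, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return responder.verify_initiator(pk, commit(pk, nonce, 1), nonce)
```

Without the reflection check the echoed values verify as "ok", because the responder ends up checking a commitment it computed itself; with the check enabled the same round is rejected while an honest peer still succeeds.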

As a reminder, I previously reported that Google and Intel experts had warned of dangerous Bluetooth bugs in Linux.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
