BLUFFS Bluetooth Attacks Pose Major Threat: A Researcher’s Study

November 29, 2023

Daniele Antonioli, an assistant professor at EURECOM, has unveiled a series of new attacks that compromise the forward and future secrecy of Bluetooth sessions. By breaching a session key, an attacker can mimic devices and establish man-in-the-middle attacks, thereby undermining the security mechanisms of Bluetooth's pairing and session establishment. These attacks, known as BLUFFS (Bluetooth Forward and Future Secrecy), exploit two fresh vulnerabilities in Bluetooth, impacting the unilateral and repeatable derivation of session keys.

Antonioli tested these attacks on 17 different Bluetooth chips, revealing a significant impact on the ecosystem. He states, “As the attacks affect Bluetooth at the architectural level, they are effective regardless of the victim’s hardware and software details.” The BLUFFS attacks allow a hacker to force the session encryption key in real time, enabling them to launch live injection attacks on traffic between the targeted devices, as per the Bluetooth Special Interest Group (SIG), which assigned CVE-2023-24023 to the issue.

The researcher has also made available a low-cost toolkit that uses seven patches for manipulating and observing the derivation of Bluetooth session keys. Furthermore, Antonioli developed an improved key derivation function for Bluetooth that safeguards against all six attacks and their underlying causes, and can be incorporated into the standard.

The BLUFFS attacks are predicated on the assumption that an attacker within Bluetooth range of two victim devices can capture packets in plaintext, knows the victim’s Bluetooth address, can craft packets, and can negotiate arbitrary capabilities. The attack scenario assumes that the adversary targets the victim device’s current Bluetooth session and can reuse a weak session key to decrypt both past and future messages.

According to Antonioli, the BLUFFS attacks stem from four architectural vulnerabilities related to Bluetooth session establishment, including two novel issues that allow the derivation of the same key across sessions. The researcher found that all tested chips and devices were susceptible to the newly devised attacks, stating that the “BLUFFS attacks are practical and have a large-scale impact on the Bluetooth ecosystem.” The Bluetooth SIG was informed about the attack methods in October 2022, and tech giants such as Google, Intel, Apple, Qualcomm, and Logitech have also been notified. Several of them have confirmed they are working on fixes.
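To make the two properties named above concrete, the following toy model (added here as an illustration; it is not Antonioli's code, not his proposed key derivation function, and not the Bluetooth specification's actual derivation) contrasts a session-key derivation that depends only on the long-term pairing key plus values one side supplies (unilateral, hence repeatable when those values are replayed) with one where the local device also mixes in its own fresh nonce. All keys, nonces and messages are constructed; the cipher is a deliberately simple HMAC keystream so the effect on forward and future secrecy can be counted: once one session key leaks, how many sessions does it decrypt?

```python
"""Toy model of why a unilateral, repeatable session-key derivation breaks
forward and future secrecy. Constructed illustration, not Bluetooth's KDF."""
import hashlib
import hmac
import os


def derive_unilateral(pairing_key: bytes, peer_inputs: bytes) -> bytes:
    """Weak derivation: the session key depends only on the long-term pairing
    key and values that one side of the connection supplies. If that side
    replays the same inputs, every session ends up with the same key."""
    return hashlib.sha256(b"toy-unilateral|" + pairing_key + peer_inputs).digest()[:16]


def derive_mutual(pairing_key: bytes, peer_inputs: bytes, local_nonce: bytes) -> bytes:
    """Hardened derivation: the local side mixes in its own fresh nonce, so a
    replayed peer contribution cannot force the same key twice."""
    return hashlib.sha256(
        b"toy-mutual|" + pairing_key + peer_inputs + local_nonce
    ).digest()[:16]


def encrypt(session_key: bytes, session_id: int, plaintext: bytes) -> bytes:
    """Toy stream cipher: keystream = HMAC(session_key, session_id) XOR message.
    XOR is symmetric, so the same call decrypts."""
    stream = hmac.new(session_key, session_id.to_bytes(4, "big"), "sha256").digest()
    assert len(plaintext) <= len(stream), "toy cipher: message must fit one block"
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def run_sessions(mutual: bool, n: int = 4, replayed_inputs: bytes = b"fixed-peer-values"):
    """Simulate n sessions under one pairing key. The peer contribution is held
    constant to model the repeatable case; the local side draws a fresh nonce
    only when mutual=True. Returns (session_id, key, ciphertext, plaintext)."""
    pairing_key = hashlib.sha256(b"toy-pairing-key").digest()[:16]  # constructed
    sessions = []
    for sid in range(n):
        if mutual:
            key = derive_mutual(pairing_key, replayed_inputs, os.urandom(16))
        else:
            key = derive_unilateral(pairing_key, replayed_inputs)
        msg = f"session {sid} secret".encode()
        sessions.append((sid, key, encrypt(key, sid, msg), msg))
    return sessions


def detect_key_reuse(sessions) -> bool:
    """Defender-side check: flag any session key that recurs across sessions."""
    keys = [key for _, key, _, _ in sessions]
    return len(set(keys)) < len(keys)


def decryptable_with_one_key(sessions, compromised_index: int) -> int:
    """Given that one session's key leaked, count how many sessions (past and
    future) it decrypts. Forward and future secrecy hold only if this is 1."""
    _, leaked_key, _, _ = sessions[compromised_index]
    return sum(1 for sid, _, ct, pt in sessions if encrypt(leaked_key, sid, ct) == pt)


if __name__ == "__main__":
    weak = run_sessions(mutual=False)
    strong = run_sessions(mutual=True)
    print("unilateral: key reuse =", detect_key_reuse(weak),
          "sessions decryptable from one leaked key =", decryptable_with_one_key(weak, 2))
    print("mutual:     key reuse =", detect_key_reuse(strong),
          "sessions decryptable from one leaked key =", decryptable_with_one_key(strong, 2))
```

The unilateral branch shows why the article pairs "repeatable derivation" with the loss of both forward and future secrecy: one leaked key opens every session, earlier and later, because there is nothing fresh in the derivation. The mutual branch shows the shape of the mitigation, a derivation that each side can independently make non-repeatable; the `detect_key_reuse` check is the kind of per-link monitoring a defender would want, whatever the real fix looks like.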
