Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack

[embedded content]

Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices.

The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the Bluetooth protocol, also known as Basic Rate / Enhanced Data Rate, Bluetooth BR/EDR, or just Bluetooth Classic.

The BIAS attack

The BIAS security flaw resides in how devices handle the link key, also known as a long-term key.

Coinbase 2

This key is generated when two Bluetooth devices pair (bond) for the first time. They agree on a long-term key, which they use to derive session keys for future connections without having to force device owners to go through the long-winded pairing process every time the Bluetooth devices need to communicate.

Researchers said they found a bug in this post-bonding authentication process. The flaw can allow an attacker to spoof the identity o a previously paired/bonded device and successfully authenticate and connect to another device without knowing the long-term pairing key that was previously established between the two.

Once a BIAS attack is successful, the attacker can then access or take control of another Bluetooth Classic device.

The research team said they tested the attack against a wide range of devices, including smartphones (iPhone, Samsung, Google, Nokia, LG, Motorola), tablets (iPad), laptops (MacBook, HP Lenovo), headphones (Philips, Sennheiser), and system-on-chip boards (Raspberry Pi, Cypress).

bias-results.png
Image: Antonioli et. al

“At the time of writing, we were able to test [Bluetooth] chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack,” researchers said.

“Because this attack affects basically all devices that ‘speak Bluetooth,’ we performed a responsible disclosure with the Bluetooth Special Interest Group (Bluetooth SIG) – the standards organisation that oversees the development of Bluetooth standards – in December 2019 to ensure that workarounds could be put in place,” the team added.

In a press release published today, the Bluetooth SIG said they have updated the Bluetooth Core Specification to prevent BIAS attackers from downgrading the Bluetooth Classic protocol from a “secure” authentication method to a “legacy” authentication mode, where the BIAS attack is successful.

Vendors of Bluetooth devices are expected to roll out firmware updates in the coming months to fix the issue. The status and availability of these updates is currently unclear, even for the research team.

BIAS + KNOB

The academic team behind the BIAS attack includes Daniele Antonioli from the Swiss Federal Institute of Technology in Lausanne (EPFL), Kasper Rasmussen from the CISPA Helmholtz Center for Information Security in Germany, and Nils Ole Tippenhauer from the University of Oxford, thh UK.

They are the same team who discovered and disclosed the KNOB (Key Negotiation of Bluetooth) attack in the summer of 2019.

The research team said that if an attacker combines BIAS and KNOB, they can break the authentication even on Bluetooth Classic devices running in a secure authentication mode.

As such, Bluetooth-capable devices must receive patches against both the BIAS (CVE-2020-10135) and KNOB (CVE-2019-9506) attacks to be fully secure.

Additional details about the BIAS attack are available on the vulnerability’s official website or in a research paper titled “BIAS: Bluetooth Impersonation AttackS” [PDF].

Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack 1
About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

Leave a Reply

E-Crypto News Executive Interviews



bitcoin
Bitcoin (BTC) $ 34,130.00
ethereum
Ethereum (ETH) $ 1,972.84
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 306.33
cardano
Cardano (ADA) $ 1.35
dogecoin
Dogecoin (DOGE) $ 0.239886
xrp
XRP (XRP) $ 0.653529
usd-coin
USD Coin (USDC) $ 1.00
polkadot
Polkadot (DOT) $ 16.17
binance-usd
Binance USD (BUSD) $ 1.00
USD
EUR
GBP
bitcoinBitcoin (BTC)
$ 34,130.00
ethereumEthereum (ETH)
$ 1,972.84
tetherTether (USDT)
$ 1.00
bitcoin-cashBitcoin Cash (BCH)
$ 487.08
litecoinLitecoin (LTC)
$ 133.41
bitcoinBitcoin (BTC)
28.623,98
ethereumEthereum (ETH)
1.654,57
tetherTether (USDT)
0,838675
bitcoin-cashBitcoin Cash (BCH)
408,50
litecoinLitecoin (LTC)
111,89
bitcoinBitcoin (BTC)
24,503.46
ethereumEthereum (ETH)
1,416.39
tetherTether (USDT)
0.717945
bitcoin-cashBitcoin Cash (BCH)
349.70
litecoinLitecoin (LTC)
95.78

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

What Role Do Cryptocurrencies Play In The Era Of Ransomware Attacks?
June 9, 2021
Crypto Scams On The Rise As Market Enters Bull Cycle
Crypto Scams On The Rise As Market Enters Bull Cycle
December 22, 2020
Harpreet Singh Sahni perpetrated the Plus Gold Union Coin (PGUC) scam
Sydney Concert Promoter Harpreet Sahni Involved In $50M Crypto PGUC Scam
November 2, 2020
KuCoin hackers steal $150 million
KuCoin Exchange Hacked But Insurance Will Cover The Stolen $150M
September 29, 2020
Mining City insists that it is legit
Mining City Refutes Claims By Philippines SEC Of Being A Scam
September 23, 2020

Blockchain/Cryptocurrency Questions and Answers

What Is Plethori Platform And How Does It Work?
June 12, 2021
What Is The Fudge Token?
What Is The Fudge Token?
June 5, 2021
What Is Shiba Inu (SHIB) Cryptocurrency And How Does It Work?
What Is Shiba Inu (SHIB) Cryptocurrency And How Does It Work?
May 31, 2021
What Is PancakeSwap And How Does It Work?
What Is PancakeSwap And How Does It Work?
May 27, 2021
How Has Internet Computer (ICP) Become A Top-10 Crypto?
How did “Internet Computer Coin”(ICP) Become A Top-5 Crypto?
May 19, 2021


CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin34,489 1.12 % 2.70 % 10.00 %
Ethereum1,999.4 1.39 % 1.00 % 15.49 %
Tether1.000 0.03 % 0.39 % 0.45 %
Binance Coin309.07 1.36 % 5.92 % 10.79 %
Cardano1.370 1.49 % 9.22 % 7.51 %
Dogecoin0.2435 1.85 % 4.14 % 20.76 %
XRP0.6589 0.98 % 4.98 % 21.17 %
USD Coin1.010 0.27 % 0.42 % 0.49 %
Polkadot16.34 1.34 % 2.41 % 28.43 %
Binance USD1.010 0.51 % 1.60 % 1.00 %

bitcoin
Bitcoin (BTC) $ 34,130.00
ethereum
Ethereum (ETH) $ 1,972.84
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 306.33
cardano
Cardano (ADA) $ 1.35
dogecoin
Dogecoin (DOGE) $ 0.239886
xrp
XRP (XRP) $ 0.653529
usd-coin
USD Coin (USDC) $ 1.00
polkadot
Polkadot (DOT) $ 16.17
binance-usd
Binance USD (BUSD) $ 1.00