French intel found flaws in Bluetooth Core and Mesh specs

Attackers could exploit a set of Bluetooth vulnerabilities, affecting the Core and Mesh Profile specifications, to conduct man-in-the-middle (MitM) attacks.

Researchers at the french intelligence agency ANSSI discovered multiple flaws in the Bluetooth Core and Mesh Profile specifications that could be used to impersonate legitimate devices during the pairing process and conduct man-in-the-middle (MitM) attacks while within wireless range of vulnerable devices.

All the devices supporting Bluetooth Core and Mesh specifications are affected by the above issues and are vulnerable to impersonation attacks and AuthValue disclosure.

Researchers identified a vulnerability affecting the Passkey authentication in BR/EDR Secure Simple Pairing in Bluetooth Core Specifications 2.1 through 5.2, BR/EDR Secure Connections Pairing in Bluetooth Core Specifications 4.1 through 5.2 and LE Secure Connections Pairing in Bluetooth Core Specifications 4.2 through 5.2. The experts discovered that attackers in a MITM position were able to use a crafted series of responses to determine each bit of the randomly generated Passkey selected by the pairing initiator in each round of the pairing procedure. Once the bits composing the Passkey were identified during the same pairing session an attack could complete the authenticated pairing process with the responder.

“After successful completion of the authentication procedure, the responder will be authenticated to the attacker rather than the initiator, permitting the attacker to act in the role of an encrypted and authenticated peer. The attacker does not succeed in pairing with the initiator by this method, preventing a fully transparent MITM attack on the pairing procedure between the initiator and responder.” reads the advisory published by the Bluetooth SIG.

“For this attack to be successful, an attacking device needs to be within wireless range of two vulnerable Bluetooth devices initiating pairing or bonding where a BR/EDR IO Capabilities exchange or LE IO Capability in the pairing request and response results in the selection of the Passkey pairing procedure.”

The Bluetooth Special Interest Group (SIG) published security notices about the flaws, below the full list of the issues:

Vulnerability Publication Date Details Specifications Affected CVE [NVD]
Bluetooth Mesh Profile AuthValue leak 05/24/2021 SIG Security Notice Mesh Profile Spec, v1.0 to v1.0.1 CVE-2020-26559
Malleable commitment in Bluetooth Mesh Profile provisioning 05/24/2021 SIG Security Notice Mesh Profile Spec, v1.0 to v1.0.1 CVE-2020-26556
Predictable Authvalue in Bluetooth Mesh Profile provisioning leads to MITM 05/24/2021 SIG Security Notice Mesh Profile Spec, v1.0 to v1.0.1 CVE-2020-26557
Impersonation attack in Bluetooth Mesh Profile provisioning 05/24/2021 SIG Security Notice Mesh Profile Spec, v1.0 to v1.0.1 CVE-2020-26560
Impersonation in the BR/EDR pin-pairing protocol 05/24/2021 SIG Security Notice Core Spec, v1.0B to 5.2 CVE-2020-26555
Authentication of the Bluetooth LE legacy-pairing protocol 05/24/2021 SIG Security Notice Core Spec, v4.0 to 5.2 N/A
Impersonation in the Passkey entry protocol 05/24/2021 SIG Security Notice Core Spec, v2.1 to 5.2 CVE-2020-26558

The Carnegie Mellon CERT Coordination Center (CERT/CC) also published an advisory that includes the list of the impacted vendors, such as Cisco, Microchip, Red Hat, Intel, and Android.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, mobile)

The post French intel found flaws in Bluetooth Core and Mesh specs appeared first on Security Affairs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source