French intel found flaws in Bluetooth Core and Mesh specs

Attackers could exploit a set of Bluetooth vulnerabilities, affecting the Core and Mesh Profile specifications, to conduct man-in-the-middle (MitM) attacks.

Researchers at the French intelligence agency ANSSI discovered multiple flaws in the Bluetooth Core and Mesh Profile specifications that could be exploited to impersonate legitimate devices during the pairing process and to conduct man-in-the-middle (MitM) attacks against vulnerable devices within wireless range.

All devices supporting the Bluetooth Core and Mesh specifications are affected by the above issues and are vulnerable to impersonation attacks and AuthValue disclosure.

Researchers identified a vulnerability affecting Passkey authentication in BR/EDR Secure Simple Pairing in Bluetooth Core Specifications 2.1 through 5.2, BR/EDR Secure Connections Pairing in Bluetooth Core Specifications 4.1 through 5.2, and LE Secure Connections Pairing in Bluetooth Core Specifications 4.2 through 5.2. The experts discovered that an attacker in a MitM position could use a crafted series of responses to determine each bit of the randomly generated Passkey selected by the pairing initiator in each round of the pairing procedure. Once all the bits of the Passkey have been identified during the same pairing session, the attacker can complete the authenticated pairing process with the responder.

“After successful completion of the authentication procedure, the responder will be authenticated to the attacker rather than the initiator, permitting the attacker to act in the role of an encrypted and authenticated peer. The attacker does not succeed in pairing with the initiator by this method, preventing a fully transparent MITM attack on the pairing procedure between the initiator and responder.” reads the advisory published by the Bluetooth SIG.

“For this attack to be successful, an attacking device needs to be within wireless range of two vulnerable Bluetooth devices initiating pairing or bonding where a BR/EDR IO Capabilities exchange or LE IO Capability in the pairing request and response results in the selection of the Passkey pairing procedure.”

The Bluetooth Special Interest Group (SIG) published security notices about the flaws; below is the full list of the issues:

| Vulnerability | Publication Date | Details | Specifications Affected | CVE [NVD] |
|---|---|---|---|---|
| Bluetooth Mesh Profile AuthValue leak | 05/24/2021 | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26559 |
| Malleable commitment in Bluetooth Mesh Profile provisioning | 05/24/2021 | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26556 |
| Predictable AuthValue in Bluetooth Mesh Profile provisioning leads to MITM | 05/24/2021 | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26557 |
| Impersonation attack in Bluetooth Mesh Profile provisioning | 05/24/2021 | SIG Security Notice | Mesh Profile Spec, v1.0 to v1.0.1 | CVE-2020-26560 |
| Impersonation in the BR/EDR pin-pairing protocol | 05/24/2021 | SIG Security Notice | Core Spec, v1.0B to 5.2 | CVE-2020-26555 |
| Authentication of the Bluetooth LE legacy-pairing protocol | 05/24/2021 | SIG Security Notice | Core Spec, v4.0 to 5.2 | N/A |
| Impersonation in the Passkey entry protocol | 05/24/2021 | SIG Security Notice | Core Spec, v2.1 to 5.2 | CVE-2020-26558 |

The Carnegie Mellon CERT Coordination Center (CERT/CC) also published an advisory that includes the list of the impacted vendors, such as Cisco, Microchip, Red Hat, Intel, and Android.


Pierluigi Paganini

(SecurityAffairs – hacking, mobile)
