Will Bluetooth Never Be Secure Again? BLUFFS #37c3

Mateusz Chrobok
28 Jan 2024 19:14

Summary

TLDR: The video discusses security vulnerabilities in Bluetooth connections that allow eavesdropping and decryption. Researchers found flaws in how keys are generated during pairing and connections. By forcing weaker encryption and small key sizes, attackers can brute force decrypt messages and siphon future communications. While not all devices are vulnerable, billions could be affected. Protocols must be redesigned for a proper fix, so use wired connections when security is paramount.

Takeaways

  • 😲 Bluetooth has major vulnerabilities that allow eavesdropping on connections
  • 😡 The Bluetooth protocol itself is fundamentally flawed
  • 🔐 Encryption keys can be brute forced due to low entropy
  • 👂 Attacker can force weaker legacy encryption mode
  • 📡 Man-in-the-middle attacks are possible between paired devices
  • 😱 Encryption provides no forward or future secrecy
  • 🚘 Can unlock car doors by emulating trusted phone
  • 📝 Can capture keyboard input including passwords
  • 🙉 Google refused to fix exploit in their Pixel Buds
  • ⚠️ All devices and OS versions are affected to some degree

Q & A

  • What security issues were discovered in Bluetooth connections?

    - It was discovered that Bluetooth connections are vulnerable to man-in-the-middle attacks that can force devices to use weak encryption keys, allowing an attacker to decrypt communications.

  • How does Bluetooth establish secure connections between devices?

    - Bluetooth uses pairing keys to establish an initial secure connection between devices. It then establishes temporary session keys each time the paired devices reconnect to communicate.

  • What is Legacy Secure Connection mode in Bluetooth?

    - Legacy Secure Connection is an outdated, less secure mode of establishing Bluetooth connections. It uses weaker encryption keys compared to the newer Secure Connection mode.

  • How can an attacker exploit Bluetooth to decrypt communications?

    - An attacker can intercept the connection during session key generation and force devices to use Legacy mode and weak entropy, allowing them to brute force crack encryption keys and decrypt messages.

  • What makes Bluetooth encryption vulnerable to cracking?

    - Bluetooth does not properly implement Forward Secrecy and Future Secrecy protections. Session keys are generated using previous keys, so cracking one key can expose future communications.

  • How can car keyless entry systems be exploited via Bluetooth?

    - An attacker can initiate their own Bluetooth connection to a car and force weak encryption keys, allowing them to mimic a trusted phone key fob and unlock the car.

  • What fixes or mitigations exist for the Bluetooth issues?

    - Proposed fixes require changes to the Bluetooth protocol itself. Software workarounds exist but are imperfect. Using device encryption and TLS helps mitigate the risks.

  • Does this affect Bluetooth Low Energy devices?

    - No, this research focused on vulnerabilities in the classic Bluetooth protocol, not the newer Bluetooth Low Energy standard used in many IoT devices.

  • Are all Bluetooth devices vulnerable to these kinds of attacks?

    - In theory yes, but some devices implement non-standard connections that are not fully compliant with the Bluetooth specification, making them less susceptible.

  • How can users protect themselves against Bluetooth exploits?

    - Avoid using Bluetooth for transmitting sensitive information when possible. Use wired connections for critical applications that require confidentiality.
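
The answers above on weak entropy and missing forward/future secrecy can be illustrated with a toy model. This is an added example, not code from the video or the researchers: it uses HMAC-SHA256 rather than Bluetooth's real key-derivation functions, and every name and value in it (`weak_session_key`, `hardened_session_key`, `MIN_KEY_BYTES`, the sample keys) is hypothetical.

```python
import hashlib
import hmac
import os

MIN_KEY_BYTES = 16  # assumed local policy, not a value from the page


def weak_session_key(pairing_key: bytes, initiator_values: bytes, key_bytes: int) -> bytes:
    """Toy derivation: only the initiator's values vary, and any key size is accepted."""
    return hmac.new(pairing_key, initiator_values, hashlib.sha256).digest()[:key_bytes]


def hardened_session_key(pairing_key: bytes, nonce_a: bytes, nonce_b: bytes,
                         key_bytes: int) -> bytes:
    """Toy derivation: both sides contribute fresh randomness; weak sizes are refused."""
    if key_bytes < MIN_KEY_BYTES:
        raise ValueError("negotiated key size is below the policy minimum")
    if len(nonce_a) < 16 or len(nonce_b) < 16:
        raise ValueError("each side must contribute at least 16 random bytes")
    # Length-prefix the nonces so the two contributions cannot be confused.
    msg = bytes([len(nonce_a)]) + nonce_a + bytes([len(nonce_b)]) + nonce_b
    return hmac.new(pairing_key, msg, hashlib.sha256).digest()[:key_bytes]


def compare_sessions() -> dict:
    pairing_key = bytes(range(16))   # constructed long-term key
    fixed_values = b"\x00" * 16      # constructed: same initiator values in both sessions
    weak = [weak_session_key(pairing_key, fixed_values, 1) for _ in range(2)]
    # In the hardened model the responder's own nonce is fresh each session, so
    # a repeated initiator value no longer reproduces the earlier key.
    strong = [hardened_session_key(pairing_key, fixed_values, os.urandom(16), 16)
              for _ in range(2)]
    return {
        "weak_key_reused": weak[0] == weak[1],
        "weak_keyspace": 256 ** len(weak[0]),
        "hardened_key_reused": strong[0] == strong[1],
    }


if __name__ == "__main__":
    print(compare_sessions())
```

In the weak model one recovered key covers every session that repeats the same inputs, which is the loss of forward and future secrecy the summary describes.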
