Security News > 2021 > May > New Bluetooth Flaws Let Attackers Impersonate Legitimate Devices

Adversaries could exploit newly discovered security weaknesses in Bluetooth Core and Mesh Profile Specifications to masquerade as legitimate devices and carry out man-in-the-middle attacks.

"Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing," the Carnegie Mellon CERT Coordination Center said in an advisory published Monday.

The two Bluetooth specifications define the standard that allows for many-to-many communication over the short-range wireless technology to facilitate data transfer between devices in an ad-hoc network.

"To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.".

"Our attacks work even when the victims are using Bluetooth's strongest security modes, e.g., SSP and Secure Connections. Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device," the researchers said.

The Bluetooth Special Interest Group, the organization that oversees the development of Bluetooth standards, has also issued security notices for each of the six flaws.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/jN8q-6A-F8A/new-bluetooth-flaws-let-attackers.html