New Bluetooth vulnerability named BIAS affects laptops, smartphones and IoT devices

Researchers at the Swiss Federal Institute of Technology Lausanne (EPFL) discovered a security vulnerability in the authentication mechanism of Bluetooth devices that can lead to impersonation attacks and allow an attacker to gain full access to any paired device such as laptop, smartphone and/or an IOT device.

Researchers named this vulnerability as BIAS (Bluetooth Impersonation AttackS) that impacts the Bluetooth communication protocol called Bluetooth BR/EDR (also known as Bluetooth Classic).

The Bluetooth Classic protocol is commonly used to establish communication between low power devices to transfer data, e.g., between a wireless headset and a phone, or between two laptops.

The BIAS security vulnerability resides in the post-authentication process of a paired device.

When a device is paired with an another one, it establishes an encrypted connection using a link key (also known as a long-term key) which is later used for connecting both the devices without performing any repeated pairing authentication procedures by the device user (post-authentication).

“We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices),” said researchers.

Researchers tested different device models including laptops (Lenovo, MacBook, HP), smartphones (iPhone, Nokia, Google Pixel, Samsung, LG, Motorola), tablets (iPad), headphones (Sennheiser, Philips), and System-on-chip platforms (Raspberry Pi, Cypress).

“At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung, and CSR. All devices that we tested were vulnerable to the BIAS attack.”

“Because this attack affects basically all devices that ‘speak Bluetooth,’ we performed a responsible disclosure with the Bluetooth Special Interest Group (Bluetooth SIG) – the standards organisation that oversees the development of Bluetooth standards – in December 2019 to ensure that workarounds could be put in place,” the research team said.

Bluetooth SIG acknowledges the security vulnerability

Following the BIAS attack disclosure by the researchers, In a press release, the Bluetooth SIG acknowledged this vulnerability and said that they are updating the Bluetooth Core Specification to prevent against any BIAS attack attempts by the hackers exploiting this vulnerability in Bluetooth authentication mechanism in future.

“The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers,” Bluetooth SIG further added.

Researchers warned the attackers could also combine this BIAS attack with the previously discovered KNOB attack to impersonate a Bluetooth device to send and receive sensitive files, impersonate an unlocker to unlock a device, and more.