The vulnerability exposes various devices and users who use Bluetooth to transfer data.
The attack, named Bluetooth Impersonation AttackS (BIAS), targets devices that support Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices. The vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.
To conduct the attack, the devices must be within wireless connection range and must have previously established a BR/EDR connection with each other. The attack centers on the handling of the long-term key, or link key, shared between the devices.
The link key ensures that users don’t have to pair their devices every time a data transfer occurs. The attacker then exploits the bug to request a connection to a vulnerable device by forging the other end’s Bluetooth address, and vice versa.
The attacker impersonates the identity and gains full access to another device without actually possessing the long-term pairing key that was used to establish a connection. As reported by the researchers, the BIAS attack can be combined with various other attacks and can be very costly for the target.
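The following toy model is an added example, not code from the researchers or from any Bluetooth stack. It shows why the lack of mandatory mutual authentication matters: a one-way check lets a peer that never held the link key finish authentication, while a mutual check rejects it. HMAC-SHA256 stands in for the real Bluetooth authentication function, and the class names, function names and addresses are constructed for illustration.

```python
import hashlib
import hmac
import os

def auth_response(link_key: bytes, challenge: bytes, addr: str) -> bytes:
    # Assumption: HMAC-SHA256 as a stand-in for the Bluetooth authentication function.
    return hmac.new(link_key, challenge + addr.encode(), hashlib.sha256).digest()

class Device:
    def __init__(self, addr, link_key):
        self.addr = addr          # claimed Bluetooth address (an address alone proves nothing)
        self.link_key = link_key  # None models a peer that never paired

    def answer(self, challenge):
        # Without the link key the best a peer can do is guess.
        key = self.link_key or os.urandom(16)
        return auth_response(key, challenge, self.addr)

    def verify_peer(self, peer):
        # Act as verifier: send a fresh challenge and check the peer's response.
        challenge = os.urandom(16)
        expected = auth_response(self.link_key, challenge, peer.addr)
        return hmac.compare_digest(expected, peer.answer(challenge))

class Impersonator(Device):
    """Claims a paired device's address but holds no link key."""
    def __init__(self, forged_addr):
        super().__init__(forged_addr, link_key=None)

    def verify_peer(self, peer):
        return True  # as verifier it is never asked to prove key knowledge

def victim_accepts(victim, peer, mutual):
    """True if `victim` ends up treating `peer` as authenticated."""
    if not peer.verify_peer(victim):  # peer is verifier, victim is prover
        return False
    if not mutual:
        return True                   # one-way: victim never checked the peer
    return victim.verify_peer(peer)   # mutual: victim challenges back

def demo():
    key = os.urandom(16)                        # constructed link key
    phone = Device("AA:BB:CC:00:00:01", key)    # constructed addresses
    headset = Device("AA:BB:CC:00:00:02", key)
    fake = Impersonator("AA:BB:CC:00:00:02")
    return {
        "legit_one_way": victim_accepts(phone, headset, mutual=False),
        "legit_mutual": victim_accepts(phone, headset, mutual=True),
        "fake_one_way": victim_accepts(phone, fake, mutual=False),
        "fake_mutual": victim_accepts(phone, fake, mutual=True),
    }
```

In this model the only difference between the accepted and rejected impersonator is whether the victim insists on challenging back, which is the behavior a patched stack needs to enforce.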
NPAV recommends that users apply the released patches and always keep their software updated. The patches and updates fix the existing problems and vulnerabilities that are discovered by the organizations.
Use NPAV and join us on a mission to secure the cyber world.