Daniele Antonioli, a Bluetooth security researcher known for the BIAS, BLUR and KNOB attacks, has unveiled two new vulnerabilities in the Bluetooth session establishment mechanism. The vulnerabilities, tracked as CVE-2023-24023, affect Secure Connections and Simple Pairing as defined in the Bluetooth Core specification. Antonioli has developed six attack methods that demonstrate practical exploitation of the flaws, allowing unauthorized access to previously paired Bluetooth devices. The code for the attacks, together with utilities for checking whether a device is vulnerable, has been published on GitHub [source].
The vulnerabilities were found while analysing the forward-secrecy mechanisms described in the standard, namely Forward Secrecy and Future Secrecy. These mechanisms are meant to prevent the compromise of session keys and the reuse of keys across different sessions. The identified vulnerabilities bypass these protections and allow a weak session key to be reused across multiple sessions. They are not specific to individual Bluetooth devices but are inherent in the core standard and are present in chips from a range of manufacturers.
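The property described above (a session key must not repeat across sessions, and the per-session values that diversify it must not repeat either) can be audited from a record of sessions. The following is an added illustration, not code from the BLUFFS repository, and it uses a deliberately simplified, hypothetical key derivation (an HMAC over a pairing key and two peer nonces) rather than the real Bluetooth key-derivation function; the session records are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


# Hypothetical model (assumption): each session key is a keyed hash of the
# long-term pairing key and one fresh nonce from each peer. This is NOT the
# Bluetooth key-derivation function; it only models the property at stake:
# if the diversifying inputs repeat, the session key repeats with them.
@dataclass(frozen=True)
class Session:
    session_id: int
    central_nonce: bytes
    peripheral_nonce: bytes


def derive_session_key(pairing_key: bytes, s: Session) -> bytes:
    return hmac.new(pairing_key, s.central_nonce + s.peripheral_nonce,
                    hashlib.sha256).digest()


def audit_sessions(pairing_key: bytes, sessions: list) -> list:
    """Flag conditions that break forward/future secrecy between sessions:
    a session key that repeats an earlier one, and a peer nonce repeated
    across sessions (the usual root cause of a repeated key).
    Returns (session_id, finding) tuples; an empty list means no reuse seen."""
    findings = []
    seen_keys, seen_central, seen_peripheral = {}, {}, {}
    for s in sessions:
        key = derive_session_key(pairing_key, s)
        if key in seen_keys:
            findings.append((s.session_id, f"session key reused from session {seen_keys[key]}"))
        else:
            seen_keys[key] = s.session_id
        if s.central_nonce in seen_central:
            findings.append((s.session_id, f"central nonce reused from session {seen_central[s.central_nonce]}"))
        else:
            seen_central[s.central_nonce] = s.session_id
        if s.peripheral_nonce in seen_peripheral:
            findings.append((s.session_id, f"peripheral nonce reused from session {seen_peripheral[s.peripheral_nonce]}"))
        else:
            seen_peripheral[s.peripheral_nonce] = s.session_id
    return findings


def example_findings() -> list:
    """Constructed sample: sessions 1-2 are fresh, session 3 repeats both nonces
    of session 1 (key reuse), session 4 repeats only the central nonce."""
    pairing_key = b"constructed-pairing-key"
    sessions = [
        Session(1, b"c-nonce-1", b"p-nonce-1"),
        Session(2, b"c-nonce-2", b"p-nonce-2"),
        Session(3, b"c-nonce-1", b"p-nonce-1"),
        Session(4, b"c-nonce-1", b"p-nonce-4"),
    ]
    return audit_sessions(pairing_key, sessions)
```

The audit reports four findings on the sample: a reused session key plus two reused nonces for session 3, and one reused nonce for session 4, whose key is still unique because the peripheral nonce changed.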
The attack methods Antonioli proposed target both Legacy Secure Connections (LSC) and Secure Connections (SC), which rely on outdated and modern cryptographic primitives respectively, and include Man-in-the-Middle (MITM) attacks for both the LSC and SC modes. The researcher believes that every Bluetooth implementation that follows the standard is susceptible to one or more of these BLUFFS attacks. Antonioli demonstrated the methods on 18 devices from companies including Intel, Broadcom, Apple, Google, Microsoft, CSR, Logitech, Infineon, Bose, Dell and Xiaomi.