Bluetooth technology, while convenient, has several vulnerabilities that can expose users to security risks.
Due to such flaws, security experts always advise users to keep Bluetooth turned off when not in use and regularly update their devices to mitigate these risks.
Recently, the Bluetooth SIG unveiled a new Bluetooth vulnerability that enables MITM attackers to find the passkey while pairing.
This new vulnerability is tracked as CVE-2020-26558, "Impersonation in the Passkey Entry Protocol."
Technical analysis
This flaw affects Bluetooth devices that use the ‘Passkey Entry’ association model across multiple specifications.
The affected specifications include “BR/EDR Secure Simple Pairing” (versions 2.1-5.4), “BR/EDR Secure Connections Pairing” (versions 4.1-5.4), and “LE Secure Connections Pairing” (versions 4.2-5.4).
The vulnerability arises when a device accepts a public key from a remote peer that shares the same X coordinate as its own public key.
Specifically, this is the case where the two keys have identical absolute X and Y coordinates but opposite Y coordinate signs.
In such cases, a malicious actor can perform a “man-in-the-middle” (‘MITM’) attack between an “Initiating device” and a “Responding device” during the ‘pairing process.’
The attacker can intercept the communication and, through carefully crafted responses, determine the Passkey being used in the pairing session.
This allows the attacker to complete an authenticated pairing procedure with both the Initiating and Responding devices.
As a result, the attack effectively compromises the secure connection establishment process, with a slight modification to accommodate the modified peer public key value.
For a successful Bluetooth security attack to occur, the attacker’s device must be within wireless range of two vulnerable Bluetooth devices that are attempting to establish a connection through pairing processes.
According to Bluetooth Core Specification 5.4, the devices are strongly recommended to terminate any pairing procedure if they detect that the public key “X” coordinate presented by a peer device matches their own local device’s coordinate, with the only exception being when a debug key is actively in use.
This security measure was later strengthened in Bluetooth Core Specification 6.0, where this verification check became mandatory rather than just recommended.
For enhanced security, all implementations using “BR/EDR Secure Simple Pairing,” “BR/EDR Secure Connections pairing,” and “LE Secure Connections pairing” in Bluetooth Core Specifications 5.4 and earlier versions should strictly adhere to these latest security recommendations regarding the acceptance of public keys during the pairing process.