Bluetooth SIG Statement Regarding the Regarding the ‘Impersonation in the Passkey Entry Protocol’ Vulnerability
Researchers at the Agence nationale de la sécurité des systèmes d’information (ANSSI) have identified a vulnerability related to Passkey authentication in BR/EDR Secure Simple Pairing in Bluetooth® Core Specifications 2.1 through 5.2, BR/EDR Secure Connections Pairing in Bluetooth Core Specifications 4.1 through 5.2 and LE Secure Connections Pairing in Bluetooth Core Specifications 4.2 through 5.2. The researchers identified that it was possible for an attacker acting as a MITM in the Passkey authentication procedure to use a crafted series of responses to determine each bit of the randomly generated Passkey selected by the pairing initiator in each round of the pairing procedure, and once identified, to use these Passkey bits during the same pairing session to successfully complete the authenticated pairing procedure with the responder.
After successful completion of the authentication procedure, the responder will be authenticated to the attacker rather than the initiator, permitting the attacker to act in the role of an encrypted and authenticated peer. The attacker does not succeed in pairing with the initiator by this method, preventing a fully transparent MITM attack on the pairing procedure between the initiator and responder.
For this attack to be successful, an attacking device needs to be within wireless range of two vulnerable Bluetooth devices initiating pairing or bonding where a BR/EDR IO Capabilities exchange or LE IO Capability in the pairing request and response results in the selection of the Passkey pairing procedure.
The Bluetooth SIG is recommending that potentially vulnerable implementations restrict the public keys accepted from a remote peer device to disallow a remote peer to present the same public key chosen by the local device.
The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.
For more information, please refer to the statement from the CERT Coordination Center.