Bluetooth SIG Statement Regarding the "Pairing Mode Confusion in BLE Passkey Entry" Vulnerability
Researchers at the Agence nationale de la sécurité des systèmes d’information (ANSSI) have identified a security vulnerability related to Passkey authentication in LE Secure Connections pairing when pairing with a device supporting LE Legacy Passkey authentication. The researchers found that an attacking device can successfully intercede as a man-in-the-middle (MITM) between two pairing devices, provided the attacker is able to negotiate an LE Legacy Passkey pairing procedure with the pairing Initiator (which must support entry or display of a Passkey) and an LE Secure Connections Passkey pairing procedure with the pairing Responder (which must also support entry or display of the Passkey). At least one of the pairing devices must support Passkey entry (the other may support either entry or display of a Passkey). For the attacker to succeed, the user must erroneously enter the Passkey displayed by either the LE Secure Connections device (Responder) or the LE Legacy pairing device (Initiator) into its peer, or the user must enter the same Passkey into both pairing devices. This permits the attacker to identify the Passkey entered into the Initiator by a real-time brute-force search and then use that Passkey to complete authenticated pairing with the Responder, thus permitting a MITM attack on the Secure Connections pairing procedure, even when the Responder operates in Secure Connections Only Mode.
For this attack to be successful, an attacking device needs to be within wireless range of two Bluetooth devices establishing an LE encrypted connection without existing shared credentials. At least one of the two devices must permit display of a Passkey and the other must support legacy LE pairing and allow for entry of the displayed Passkey.
The Bluetooth SIG recommends that implementations enforce Secure Connections Only Mode. If both devices involved in this attack are in Secure Connections Only Mode, the MITM will not be able to force LE Legacy Pairing with either device.
Because the attack requires the user to erroneously use the same Passkey on the device performing LE Secure Connections Passkey pairing as on the device performing LE Legacy Passkey pairing, it is recommended, where possible, that devices supporting and using LE Legacy pairing clearly indicate that a legacy pairing mode is in use, and that devices supporting and using LE Secure Connections pairing clearly indicate that Secure Connections pairing mode is in use. Language in a UI or in documentation that clearly differentiates between these association models may help avoid a user erroneously treating one Passkey as the other.
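As an added illustration of the two recommendations above (this is example code, not Bluetooth SIG or ANSSI code), the following Python sketch shows how a Responder's SMP layer could reject a Pairing Request that lacks the Secure Connections bit while in Secure Connections Only Mode, and derive an explicit "LE Legacy" versus "LE Secure Connections" label for its UI from the negotiated method. The PDU layout, AuthReq bits and IO-capability table follow the Bluetooth Core Specification (Vol 3, Part H); the two sample PDUs are constructed, not captured traffic.

```python
import struct

# SMP Pairing Request/Response layout (Core Spec Vol 3 Part H, 3.5.1 and 3.5.2):
# code, IO capability, OOB flag, AuthReq, max key size, initiator/responder key dist
SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE = 0x01, 0x02
SMP_ERR_AUTHENTICATION_REQUIREMENTS = 0x03  # Pairing Failed reason code
AUTHREQ_MITM, AUTHREQ_SC = 0x04, 0x08       # AuthReq bit 2 and bit 3
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}

def parse_pairing_pdu(pdu: bytes) -> dict:
    """Decode the 7-byte Pairing Request/Response PDU into named fields."""
    code, io_cap, oob, auth_req, key_size, _ikd, _rkd = struct.unpack("<7B", pdu)
    if code not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError(f"not a pairing request/response: 0x{code:02x}")
    return {"io_cap": IO_CAPS[io_cap], "oob": bool(oob), "max_key_size": key_size,
            "mitm": bool(auth_req & AUTHREQ_MITM), "sc": bool(auth_req & AUTHREQ_SC)}

def association_model(local_io: str, peer_io: str, mitm: bool, sc: bool) -> str:
    """IO-capability mapping from Core Spec Vol 3 Part H, Table 2.8."""
    keyboard = {"KeyboardOnly", "KeyboardDisplay"}
    yes_no = {"DisplayYesNo", "KeyboardDisplay"}
    if not mitm or "NoInputNoOutput" in (local_io, peer_io):
        return "Just Works"
    if local_io not in keyboard and peer_io not in keyboard:  # no side can type
        both_yes_no = local_io == peer_io == "DisplayYesNo"
        return "Numeric Comparison" if sc and both_yes_no else "Just Works"
    if sc and local_io in yes_no and peer_io in yes_no:
        return "Numeric Comparison"
    return "Passkey Entry"

def evaluate_pairing_request(pdu: bytes, local_io: str, sc_only_mode: bool) -> dict:
    """Decide whether a Responder accepts the peer's Pairing Request, and which
    pairing method, association model and UI wording result."""
    req = parse_pairing_pdu(pdu)
    # Secure Connections is used only when BOTH sides set the SC bit; a device in
    # Secure Connections Only Mode always sets it, so the peer's bit decides.
    if sc_only_mode and not req["sc"]:
        return {"accept": False, "fail_reason": SMP_ERR_AUTHENTICATION_REQUIREMENTS,
                "method": "LE Legacy", "model": None, "ui_label": None}
    method = "LE Secure Connections" if req["sc"] else "LE Legacy"
    model = association_model(local_io, req["io_cap"], req["mitm"], req["sc"])
    return {"accept": True, "fail_reason": None, "method": method, "model": model,
            "ui_label": f"{method} pairing ({model})"}  # show the mode to the user

# Constructed sample PDUs (not captured traffic): KeyboardDisplay peer, no OOB, key size 16.
LEGACY_PASSKEY_REQ = bytes([0x01, 0x04, 0x00, 0x05, 0x10, 0x01, 0x01])  # bonding+MITM, no SC
SC_PASSKEY_REQ = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x01, 0x01])      # bonding+MITM+SC
```

With `sc_only_mode=True` the legacy request is answered with Pairing Failed (Authentication Requirements), so the peer cannot be driven into the LE Legacy Passkey procedure at all; with it disabled, the returned `ui_label` is what the UI should show so the user can tell which Passkey they are handling.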
The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.