[Warning] New Bluetooth Vulnerability Exposes Billions of Devices to Hackers

[TheBeardedBaby]

One fresh warning. This is why I don't have any crypto on my phone. Stay safe and protect your crypto!

Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion of modern devices to hackers.

The attacks, dubbed Bluetooth Impersonation AttackS or BIAS, concerns Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices.

"The Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment," the researchers outlined in the paper. "Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade."

Given the widespread impact of the vulnerability, the researchers said they responsibly disclosed the findings to the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards in December 2019.

With most standard-compliant Bluetooth devices impacted by the vulnerability, the researchers said they tested the attack against as many as 30 devices, including smartphones, tablets, laptops, headphones, and single-board computers such as Raspberry Pi. All the devices were found to be vulnerable to BIAS attacks.

The Bluetooth SIG said it's updating the Bluetooth Core Specification to "avoid a downgrade of secure connections to legacy encryption," which lets the attacker initiate "a master-slave role switch to place itself into the master role and become the authentication initiator."

In addition to urging companies to apply the necessary patches, the organization is recommending Bluetooth users to install the latest updates from the device and operating system manufacturers.

"The BIAS attacks are the first uncovering issues related to Bluetooth's secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades," the research team concluded. "The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction."

Source

[1714895390]

1714895390

[1714895390]

1714895390

[1714895390]

1714895390

[bitmover]

One fresh warning. This is why I don't have any crypto on my phone. Stay safe and protect your crypto!

I think this vulnerability doesn't allow the attacker to spend crypto from a cryptio wallet. Does it?

MObile crypto wallets usually need a password to get unlocked and to insert the password again to spend it.

Personally, I love to have a few bucks of cryptocurrency in my mobile. The same amount as I would keep in my physical cash wallet (which is very risky also, because you can just let a few coins drop on the floor for example, but that's worth the risk).

Keeping btc in your smartphone is good for adoption

And if you are very paranoid, just turn off bluetooth when not using it (i do that to save battery)

[Lucius]

I personally use BT very rarely, and mostly in a home environment between known devices. I don't remember the last time I used it to send something to someone else, because there are much quicker and easier ways to share photos or videos nowadays. However, I can agree that a smartphone is not a place to store large quantities of crypto, unless it is cold storage.

There have already been a number of vulnerabilities regarding BT (BlueFrag) which is patched just few months ago, or Bluebourne from 2017. A simple protection is not to keep BT on, at least not in a public place until a patch appears.

It is much more important for all Android users to be able to receive patches for their smartphone every month. I got a 500 MB + patch a week ago, and most of the vulnerability is marked as high or critical.

[slackovic]

I don't think that these kind of attacks are that dangerous. An attacker still needs your password to unlock the wallet. More dangerous are WiFi attacks when you are working on your laptop in a hotel room. And you can't turn off your laptop's WiFi if you are working like you can turn off Bluetooth. The bottom line is, all wallets (on laptop, on mobile phone, and even on a hardware wallet) must have a strong password in order to unlock it. Just because you have password on your Windows account it doesn't mean that you can put some simple password (like 12345678) on a crypto wallet.

I personally use BT very rarely, and mostly in a home environment between known devices. I don't remember the last time I used it to send something to someone else, because there are much quicker and easier ways to share photos or videos nowadays. However, I can agree that a smartphone is not a place to store large quantities of crypto, unless it is cold storage.

The problem is when you own a smartwatch. You have to use a Bluetooth to connect it to your mobile phone. Bluetooth is not just for sending and receiving photos and music anymore.

[20kevin20]

There have already been a number of vulnerabilities regarding BT (BlueFrag) which is patched just few months ago, or Bluebourne from 2017. A simple protection is not to keep BT on, at least not in a public place until a patch appears.

There are some COVID-19 contact tracing apps out there using Bluetooth for the tracing so if they become mandatory, the only real protection might be leaving your phone at home when you go outside.

Lots of people use it for wireless headphones too, so although it's a quite old technology, it's still useful if you have some smart devices (smartband for Merit notifications? ). I have a pair of wireless headphones myself but I never have anything crypto-related on the phone I always carry with me.

I find it more convenient to have an older smartphone at home loaded with these apps and wallets than having them on the phone I always take outside with me.

[AakZaki]

I rarely even and never turn on Bluetooth on my cellphone. But this needs to be a reminder of the vulnerability that Bluetooth has that can crack crypto on my cellphone.

but the crypto wallet has an encryption password which is usually protected by 2FA security and is difficult to penetrate. But when a smartphone is hacked everything can be manipulated by hackers.

Maybe with this thread there is giving feedback to Bluetooth developers to immediately fix existing bugs to be more secure from hacking.

[MrcMrc]

I have never heard about this kind of attack before but if to think of it very well, bluetooth can vmbe use to connect like WiFi, so far WiFi can be insecure or compromised, bluetooth could too. We need to make sure we protect our devices that have our wallets. As for me, I will not even use the bluetooth on it to connect.

[ShowOff]

Around the year 2015-2017 I saw a friend move some files on my android from his android without touching my android with just a bluetooth connection. I dont know if he uses another application to do it and of course I have forgotten too much, its just that this process requires my agreement to pair with his Bluetooth.

This thread reminds me of that time. But this vulnerability will only occur if Bluetooth is active and when someone successfully paired it with the device. However, turning off Bluetooth is a barrier, but the internet has always been the best choice for hackers to make crypto user wallets empty.

but the crypto wallet has an encryption password which is usually protected by 2FA security and is difficult to penetrate. But when a smartphone is hacked everything can be manipulated by hackers.

What if the hacker can reach the application and find the password hint in the crypto wallet? I am sure all value of the wallet will be lost.

[Harlot]

I personally use BT very rarely, and mostly in a home environment between known devices. I don't remember the last time I used it to send something to someone else, because there are much quicker and easier ways to share photos or videos nowadays. However, I can agree that a smartphone is not a place to store large quantities of crypto, unless it is cold storage.

I was thinking about this as well that I barely turn on my phone's bluetooth but I just realized that my earphones automatically turns on my phone's Bluetooth when it is in close proximity, the downside is even if I am finish using my headphones it won't turn off my phone's Bluetooth so there is really a danger here with these vulnerability. Not until this is solve with my phone's security patches I think I will always now keep an eye on my current connections to see if my Bluetooth is open even if not needed.

[TheBeardedBaby]

One fresh warning. This is why I don't have any crypto on my phone. Stay safe and protect your crypto!

I think this vulnerability doesn't allow the attacker to spend crypto from a cryptio wallet. Does it?

Imagine that Bob send picture to Alice, then Charley can simply replace the picture infected with simple keylogger, then her crypto password is also gone. Actually, Charley can send whatever he wants, pretending he is Bob and get a full control over Alice device.

Bluetooth secure connection establishment does not require user interaction

He can send you everything you can imagine, so I quite think this is crypto related.

Just be careful when your blutooth speaker decides to share a file with you

Imagine sitting in a traffic jam and you listen to Spotify on your car, it can happen also waiting for the traffic light, smart bands/ watches everything can be compromised.

[Lucius]

The problem is when you own a smartwatch. You have to use a Bluetooth to connect it to your mobile phone. Bluetooth is not just for sending and receiving photos and music anymore.

There are some COVID-19 contact tracing apps out there...
Lots of people use it for wireless headphones too, so although it's a quite old technology, it's still useful if you have some smart devices (smartband for Merit notifications? ).

I totally forgot the existence of wireless headsets and smartwatches which connect to other devices via Bluetooth, because I personally don’t use any of that. And we also all forgot that Ledger Nano X has the possibility of wireless connection via BT, so there are very likely potential dangers in the form of a possible infection of the smartphone with some crypto malware. Until a patch appears for this security flaw, we should definitely be very careful with BT in public places.

However, as this security breach was reported in December 2019, those who discovered this attack vector say that the devices that received the update after that may already have the appropriate fix.

After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices. So the short answer is: if your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed.

[Saint-loup]

I personally use BT very rarely, and mostly in a home environment between known devices. I don't remember the last time I used it to send something to someone else, because there are much quicker and easier ways to share photos or videos nowadays. However, I can agree that a smartphone is not a place to store large quantities of crypto, unless it is cold storage.

I was thinking about this as well that I barely turn on my phone's bluetooth but I just realized that my earphones automatically turns on my phone's Bluetooth when it is in close proximity, the downside is even if I am finish using my headphones it won't turn off my phone's Bluetooth so there is really a danger here with these vulnerability. Not until this is solve with my phone's security patches I think I will always now keep an eye on my current connections to see if my Bluetooth is open even if not needed.

Don't forget to disable the unknown sources installation option.
This is an additional quite good protection.