BLUFFS: new Bluetooth vulnerability discovered that affects most devices
BLUFFS is an acronym for a new Bluetooth vulnerability that security researcher Daniele Antonioli disclosed recently. BLUFFS, which stands for Bluetooth Forward and Future Secrecy, is actually a set of six unique vulnerabilities. These vulnerabilities affect the majority of Bluetooth devices, as Bluetooth 4.2 to 5.4 implementations are affected.
Good news for most users is that it requires a specific setup for exploitation. Without going into too many details, for the attack to succeed, it is necessary that two vulnerable Bluetooth devices are in range of the attacker's device. Successful exploitation may lead to man-in-the-middle attacks and successful brute forcing of the encryption key.
A research paper, presentation and a toolkit are available on the researchers website. The attack was tested against 18 different Bluetooth chips and devices. Devices included several Apple iPhones, Google Pixel devices, laptops, Airpods and other devices that support Bluetooth.
Not all devices appear to be vulnerable to all of the six vulnerabilities, but all are affected by at least three of the six vulnerabilities.
The issue has been confirmed on the official Bluetooth website. It is listed under CVE-2023-24023. The article includes suggestions on fixing the issue. Manufacturers are advised to set the minimum encryption key length for encrypted sessions to 7 octets. The main idea here is that this gives the attacker to low of a window to successfully brute force the key. This makes attacks less worthwhile for attackers, even though it is not a complete protection against attacks that exploit the vulnerabilities.
The site makes other suggestions: "Implementations are advised to reject service-level connections on an encrypted baseband link with key strengths below 7 octets. For implementations capable of always using Security Mode 4 Level 4, implementations should reject service-level connections on an encrypted baseband link with a key strength below 16 octets. Having both devices operating in Secure Connections Only Mode will also ensure sufficient key strength".
Some manufacturers, Microsoft for instance, have patched the issues already. Microsoft did so as part of the November 2023 update for the Windows operating system.
Some users may disable Bluetooth on their devices to protect them from potential attacks, but this is not practicable in many cases. Bluetooth is for instance commonly used to pair wireless earbuds or headphones with mobile devices.
Now You: do you use Bluetooth?
Bluetooth stinks anyway and has few applications such as low quality music and that is about it. If you are expecting to watch a video with an audio track with your fancy pants Bluetooth headphones/earphones then you can forget it because it will be out of sync and rubbish.
It has barely changed since it first came out. It could be up to version 100 and we will probably still have the same problems just with more vulnerabilities.
Sounds a lot like Google Chrome… except that it’s at version 120 already.