{"id":18044,"date":"2023-11-30T18:28:43","date_gmt":"2023-11-30T18:28:43","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=18044"},"modified":"2023-12-28T22:05:18","modified_gmt":"2023-12-28T22:05:18","slug":"bluffs-bluetooth-vulnerability","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/bluffs-bluetooth-vulnerability\/","title":{"rendered":"BLUFFS Bluetooth Vulnerability Threatens Billions of Devices"},"content":{"rendered":"<p>Eurecom has uncovered a series of exploits named &#8220;BLUFFS&#8221;, posing a <strong>significant threat to the security of Bluetooth sessions<\/strong>. These attacks exploit two previously unknown flaws in the Bluetooth standard, impacting versions 4.2 through 5.4 and potentially putting billions of devices, <strong>including smartphones and laptops<\/strong>, at risk.<\/p>\n<h2>BLUFFS Exploits \u2013 How Do They Work?<\/h2>\n<p>BLUFFS (Bluetooth Low User eavesdropping of Frequency-hopping Sessions) is a <strong>sophisticated series of attacks<\/strong> designed to compromise the forward and future <a href=\"https:\/\/gridinsoft.com\/blogs\/new-bluetooth-attack\/\">secrecy of Bluetooth sessions<\/a>, compromising the confidentiality of communications between devices. The methodology involves <strong>exploiting flaws in the session key derivation process<\/strong>, forcing the generation of a weak and predictable session key (SKC). The attacker then brute-forces the key, allowing them to decrypt past communications and manipulate future ones.<\/p>\n<p>To execute BLUFFS, the <strong>attacker only needs to be within Bluetooth range<\/strong> of the targeted devices. Impersonating one device, the attacker negotiates a weak session key. 
It does this with the other device by proposing the <strong>lowest possible key entropy value<\/strong> and using a constant session key diversifier.<\/p>\n<figure id=\"attachment_18047\" aria-describedby=\"caption-attachment-18047\" style=\"width: 747px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Newly-discovered-vulnerabilities.png\" alt=\"Bluetooth vulnerabilities\" width=\"747\" height=\"362\" class=\"size-full wp-image-18047\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Newly-discovered-vulnerabilities.png 747w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Newly-discovered-vulnerabilities-300x145.png 300w\" sizes=\"auto, (max-width: 747px) 100vw, 747px\" \/><figcaption id=\"caption-attachment-18047\" class=\"wp-caption-text\">Bluetooth Forward and Future Secrecy Attacks and Defenses<\/figcaption><\/figure>\n<h2>Impact on Bluetooth Devices<\/h2>\n<p>Given the architectural nature of the flaws, <a href=\"https:\/\/github.com\/francozappa\/bluffs\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">BLUFFS impacts all devices<\/a> running a wide range of Bluetooth protocol versions. The vulnerabilities affect Bluetooth Core Specification 4.2 through 5.4, potentially exposing a vast number of devices to the exploits. 
The impact has been <strong>confirmed through tests on smartphones, earphones, and laptops<\/strong> running Bluetooth versions 4.1 through 5.2.<\/p>\n<div class=\"su-spoiler su-spoiler-style-default su-spoiler-icon-plus su-spoiler-closed\" data-scroll-offset=\"0\" data-anchor-in-url=\"no\"><div class=\"su-spoiler-title\" tabindex=\"0\" role=\"button\"><span class=\"su-spoiler-icon\"><\/span>List of vulnerable chips\/devices<\/div><div class=\"su-spoiler-content su-u-clearfix su-u-trim\">\n<div class=\"su-table su-table-alternate\">\n<table>\n<thead>\n<tr>\n<td><strong>Chip<\/strong><\/td>\n<td><strong>Device(s)<\/strong><\/td>\n<td><strong>BTv<\/strong><\/td>\n<td><strong>A1<\/strong><\/td>\n<td><strong>A2<\/strong><\/td>\n<td>\n<strong>A3<\/strong><\/td>\n<td><strong>A4<\/strong><\/td>\n<td><strong>A5<\/strong><\/td>\n<td><strong>A6<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td colspan=\"9\"><em>LSC Victims<\/em><\/td>\n<\/tr>\n<tr>\n<td><strong>Bestechnic BES2300<\/strong><\/td>\n<td>Pixel Buds A-Series<\/td>\n<td>5.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<\/tr>\n<tr>\n<td><strong>Apple H1<\/strong><\/td>\n<td>AirPods Pro<\/td>\n<td>5.0<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<\/tr>\n<tr>\n<td><strong>Cypress CYW20721<\/strong><\/td>\n<td>Jaybird Vista<\/td>\n<td>5.0<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<\/tr>\n<tr>\n<td><strong>CSR\/Qualcomm BC57H687C-GITM-E4<\/strong><\/td>\n<td>Bose SoundLink<\/td>\n<td>4.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<\/tr>\n<tr>\n<td><strong>Intel Wireless 7265 (rev 59)<\/strong><\/td>\n<td>Thinkpad X1 3rd 
gen<\/td>\n<td>4.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<\/tr>\n<tr>\n<td><strong>CSR n\/a<\/strong><\/td>\n<td>Logitech BOOM 3<\/td>\n<td>4.2<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\u2713<\/td>\n<\/tr>\n<tr>\n<td colspan=\"9\"><em>SC Victims<\/em><\/td>\n<\/tr>\n<tr>\n<td><strong>Infineon CYW20819<\/strong><\/td>\n<td>CYW920819EVB-02<\/td>\n<td>5.0<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<\/tr>\n<tr>\n<td><strong>Cypress CYW40707<\/strong><\/td>\n<td>Logitech MEGABLAST<\/td>\n<td>4.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<\/tr>\n<tr>\n<td><strong>Qualcomm Snapdragon 865<\/strong><\/td>\n<td>Mi 10T<\/td>\n<td>5.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<tr>\n<td><strong>Apple\/USI 339S00761<\/strong><\/td>\n<td>iPhones 12, 13<\/td>\n<td>5.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<tr>\n<td><strong>Intel AX201<\/strong><\/td>\n<td>Portege X30-C<\/td>\n<td>5.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<tr>\n<td><strong>Broadcom BCM4389<\/strong><\/td>\n<td>Pixel 6<\/td>\n<td>5.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<tr>\n<td><strong>Intel 9460\/9560<\/strong><\/td>\n<td>Latitude 5400<\/td>\n<td>5.0<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<tr>\n<td><strong>Qualcomm 
Snapdragon 835<\/strong><\/td>\n<td>Pixel 2<\/td>\n<td>5.0<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<tr>\n<td><strong>Murata 339S00199<\/strong><\/td>\n<td>iPhone 7<\/td>\n<td>4.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<tr>\n<td><strong>Qualcomm Snapdragon 821<\/strong><\/td>\n<td>Pixel XL<\/td>\n<td>4.2<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<tr>\n<td><strong>Qualcomm Snapdragon 410<\/strong><\/td>\n<td>Galaxy J5<\/td>\n<td>4.1<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\u2713<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<td>\ud800\udd02<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div class=\"su-spacer\" style=\"height:10px\"><\/div>\n<\/div><\/div>\n<p>Bluetooth SIG, the organization overseeing Bluetooth standard development, has received Eurecom&#8217;s report. <strong>They recommend that implementations reject connections<\/strong> with low key strengths, <strong>utilize &#8220;Security Mode 4 Level 4&#8221; for higher encryption strength<\/strong>, and operate in &#8220;Secure Connections Only&#8221; mode during pairing.<\/p>\n<h2>Mitigation Measures<\/h2>\n<p>Researchers propose backward-compatible modifications to enhance session key derivation and <strong>mitigate BLUFFS and similar threats<\/strong>. These recommendations, however, are protocol-level fixes, i.e. they are not something users can apply themselves. 
Unfortunately, at the moment, <strong>there is not much you can do<\/strong> to secure the BT connection.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Eurecom has uncovered a series of exploits named &#8220;BLUFFS&#8221;, posing a significant threat to the security of Bluetooth sessions. These attacks exploit two previously unknown flaws in the Bluetooth standard, impacting versions 4.2 through 5.4 and potentially putting billions of devices, including smartphones and laptops, at risk. BLUFFS Exploits \u2013 How Do They Work? BLUFFS [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":18048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[211,619,315,374],"class_list":{"0":"post-18044","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-bluetooth","9":"tag-cybersecurity","10":"tag-exploit","11":"tag-vulnerability"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/GS_Blog_banner_BLUFFS-Threatens-Billions-of-Bluetooth-Devices_1280x674-1.webp","author_info":{"display_name":"Stephanie 
Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/18044","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=18044"}],"version-history":[{"count":28,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/18044\/revisions"}],"predecessor-version":[{"id":18583,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/18044\/revisions\/18583"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/18048"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=18044"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=18044"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=18044"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}