conference paper

BLURtooth: Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy

Antonioli, Daniele • Tippenhauer, Nils Ole • Rasmussen, Kasper • Payer, Mathias
January 1, 2022
ASIA CCS '22: Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security
17th ACM ASIA Conference on Computer and Communications Security 2022 (ACM ASIACCS)

Bluetooth is a pervasive wireless technology specified in an open standard. The standard defines Bluetooth Classic (BT) for high-throughput wireless services and Bluetooth Low Energy (BLE) for very low-power ones. The standard also specifies security mechanisms, such as pairing, session establishment, and cross-transport key derivation (CTKD). CTKD enables devices to establish BT and BLE security keys by pairing just once. CTKD was introduced in 2014 with Bluetooth 4.2 to improve usability. However, the security implications of CTKD were not studied carefully.

This work demonstrates that CTKD is a valuable and novel Bluetooth attack surface. Among other things, it enables exploiting both BT and BLE by targeting just one of the two (i.e., Bluetooth cross-transport exploitation). We present the design of the first cross-transport attacks on Bluetooth. Our attacks exploit issues that we identified in the specification of CTKD. For example, we find that CTKD enables an adversary to overwrite pairing keys across transports. We leverage these vulnerabilities to impersonate, machine-in-the-middle, and establish unintended sessions with any Bluetooth device supporting CTKD. Since the presented attacks blur the security boundary between BT and BLE, we name them BLUR attacks. We provide a low-cost implementation of the attacks and test it on a broad set of devices. In particular, we successfully attack 16 devices with 14 unique Bluetooth chips from popular vendors (e.g., Cypress, Intel, Qualcomm, CSR, Google, and Samsung), with Bluetooth standard versions of up to 5.2. We discuss why the countermeasures in the Bluetooth standard are not effective against our attacks, and we develop and evaluate practical and effective alternatives.

Type: conference paper
DOI: 10.1145/3488932.3523258
Web of Science ID: WOS:000937026200016
Author(s): Antonioli, Daniele • Tippenhauer, Nils Ole • Rasmussen, Kasper • Payer, Mathias
Date Issued: 2022-01-01
Publisher: ASSOC COMPUTING MACHINERY
Publisher place: New York
Journal: ASIA CCS '22: Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security
ISBN of the book: 978-1-4503-9140-5
Start page: 196
End page: 207

Subjects: Computer Science, Information Systems • Computer Science, Theory & Methods • Mathematics, Applied • Telecommunications • Computer Science • Mathematics • ctkd • bluetooth • bluetooth classic • bluetooth low energy • the-middle attacks

Peer reviewed: REVIEWED
Written at: EPFL
EPFL units: HEXHIVE
Event name: 17th ACM ASIA Conference on Computer and Communications Security 2022 (ACM ASIACCS)
Event place: Nagasaki, JAPAN
Event date: May 30-Jun 03, 2022
Available on Infoscience: March 27, 2023
Use this identifier to reference this record: https://infoscience.epfl.ch/handle/20.500.14299/196507