Introduction

The Fixed Coordinate Invalid Curve Attack is a new attack, which could be applied to all current Bluetooth pairing protocols.

The pairing protocol is the process of connection establishment in Bluetooth. This process supplies the ground for all of the security and privacy features provided by Bluetooth. Failing to secure this process compromises the entire Bluetooth session.

Our new attack provides a new technique for attacking the Bluetooth pairing protocol by manipulating specific messages, without being detected by the victim devices. Our attack relies on newly discovered protocol design flaws.

Using our attack, one can exploit this vulnerability in order to reveal the encryption key of the victim devices and use it in order to decrypt and forge data without user awareness.

Academic paper

  • The paper is here.
  • The Technion's press release is here (and here in Hebrew).

Disclosure and Vendors' Information

  • CVE-2018-5383 was assigned to the vulnerability in the Bluetooth protocol.
  • CERT/CC's publication is here. Notice that they list Microsoft as "not affected" because Microsoft implements an old version of the standard, which is even less secure, rather than the broken contemporary standard. Microsoft had recently added Bluetooth 5.0 support to their Windows 10 implementation (skipping 4.2), which may have been implemented securely.
  • Bluetooth SIG security update is here. It is odd to read that "It is possible that some vendors may have developed Bluetooth products that support those features but do not perform public key validation" - the standard did not require it at all, thus the standard itself was the problem - not the vendors.
  • Google's patch was included in their June 2018 update. See their June 2018 bulletin here.
  • Intel's publication is here.
  • Apple's publication for MacOS is here and here.
  • Apple's publication for iOS is here.
  • Lenovo information is here.
  • Samsung information is here.
  • LG's reference is here.
  • Huawei's reference is here.
  • Dell's fix is here.

In the News

We are already in the news. For example:

Questions & Answers

Am I affected by the vulnerability?

It is very likely that you are either affected or vulnerable to older attacks.

Do both devices have to be vulnerable?

Yes, the attack exploits the vulnerability on both participating devices simultaneously. If any one of them is patched, the attack will not work any more.

What are the implications of the attack?

Every Bluetooth pairing performed by vulnerable devices (the vast majority of the market) in the presence of the attacker could be compromised. An attacker could then eavesdrop on all of the victims' communications, and even send forged requests for information. For example, an attacker can ask a phone for the contacts list, read or send SMSes, dial and talk on a compromised connection, and listen in to all Bluetooth conversations.

What is the difference between Bluetooth and Bluetooth Low Energy (aka. Bluetooth Smart)?

Bluetooth Low Energy, first introduced in 2010, is intended for use by IoT and low power devices. The original Bluetooth is still widely used by audio peripherals. Although they are different in many aspects, Bluetooth Low Energy is largely inspired by the original Bluetooth. These differences do not affect our attack.

What happens if the attack fails?

On failure the participating devices cancel the pairing procedure, and might notify the user of authentication failure. The user may try again immediately afterwards. Therefore, if pairing succeeds, the attack has certainly succeeded.

Can I detect if someone is attacking me?

On success the attack is undetectable by the user. When it fails the user may be notified of authentication failure, yet this behavior is implementation dependent. In any case, current devices cannot distinguish between our attack and a normal authentication failure.

Has this attack been applied in the wild?

We are not familiar with any such incident.

What information could be compromised?

Today Bluetooth may carry a large variety of sensitive information:

  • Bluetooth headsets may receive and transmit audio, such as phone conversations, music, podcasts, etc.
  • Mobile phones may transmit health information, SMS content, contacts lists, and emails to nearby wearables.
  • Wireless keyboards transmit keystrokes which may contain sensitive information (including passwords).
  • IoT devices transmit various kinds of sensitive information, e.g., smart-locks transmit a digital key in order to open.

Which platforms are affected by this attack?

As far as we know, every Bluetooth chip manufactured by Intel, Broadcom or Qualcomm is affected. Therefore, almost any device, including smartphones and headsets of all types, is affected. In addition, the Android Bluetooth stack (Bluedroid) is affected when using Bluetooth Smart. Apple has provided patches for both MacOS and iOS. The Windows Bluetooth Smart stack did not implement the latest Bluetooth Smart protocol and is therefore still vulnerable to older and simpler attacks.

What is the Invalid Curve Attack?

In order to exchange secret information over a public channel, Bluetooth uses a mathematical structure called an elliptic curve. Due to insufficient validation, an attacker could send an "invalid" point, which does not satisfy the mathematical properties of the elliptic curve. By leveraging this phenomenon the attacker can compromise the secrets exchanged by the victim.

What is the recommended mitigation for platform developers?

The recommended and most straightforward mitigation is to validate that a given point satisfies the elliptic-curve equation.
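
An added example, not code from the researchers or from any vendor patch: the point check described above, applied to a received public key before it is used in the key exchange. The curve (NIST P-256), the 64-byte big-endian X||Y encoding and all function names are assumptions of this example, and the sample keys are constructed.

```python
# Added example: validate a peer's EC public key before using it.
# Assumptions: NIST P-256, key encoded as 32-byte X || 32-byte Y, big-endian.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime
A = P - 3                                          # curve coefficient a
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

class InvalidPublicKey(ValueError):
    pass

def on_curve(x, y):
    # y^2 = x^3 + a*x + b (mod p): the equation both coordinates must satisfy
    return (y * y - (x * x * x + A * x + B)) % P == 0

def parse_and_validate(raw):
    if len(raw) != 64:
        raise InvalidPublicKey("expected 64 bytes")
    x, y = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    if x >= P or y >= P:                 # coordinates must be field elements
        raise InvalidPublicKey("coordinate out of range")
    if not on_curve(x, y):               # P-256 has cofactor 1, so this suffices
        raise InvalidPublicKey("point is not on the curve")
    return x, y

def encode(x, y):
    return x.to_bytes(32, "big") + y.to_bytes(32, "big")

def double(pt):
    # Affine point doubling, used only to construct a second valid sample key.
    x, y = pt
    lam = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return x3, (lam * (x - x3) - y) % P

def accepts(raw):
    try:
        parse_and_validate(raw)
        return True
    except InvalidPublicKey:
        return False

SAMPLES = {  # constructed inputs, not captured traffic
    "generator": encode(*G),
    "2G": encode(*double(G)),
    "y altered in transit": encode(G[0], (G[1] + 1) % P),
    "x out of range": encode(P, G[1]),
    "truncated": encode(*G)[:63],
}

def check_samples():
    return {name: accepts(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

A receiver that finds the key invalid should abort pairing rather than continue with a fallback key.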

What is the recommended mitigation for users?

For users we can only recommend verifying that at least one of the paired devices has the patched version applied. Just make sure your smartphone is updated with the latest patches. Check with your vendor that both the chip and the operating system are patched (as the chip update fixes traditional Bluetooth connections, while the operating system update fixes Bluetooth LE connections).

How did you discover the problem?

We discovered the problem mainly by exhaustively reading the Bluetooth core specification. After considering the attack we used a programmable Bluetooth dongle in order to test devices for the vulnerability.

Who are you?

The researchers are part of a research team at the Technion in Israel which specializes in security and cryptography. Prof. Eli Biham is an expert in cryptanalysis and cyber security, and has a record of discovering vulnerabilities in widely used ciphers and communication systems (such as GSM cellular phones and car remote controls). He is a professor at the computer science department and serves as the head of the Technion's Hiroshi Fujiwara cyber security research center. Lior Neumann is a graduate student at the Technion, in the computer science department, and specializes in Bluetooth security.

Acknowledgments

We would like to thank the CERT Coordination Center for the great help in coordinating between all of the many affected vendors. We would also like to acknowledge the Bluetooth SIG, Intel, Qualcomm, Broadcom and Google for discussing and addressing the vulnerability.