
BLURtooth: Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy

by Daniele Antonioli, et al.

The Bluetooth standard specifies two incompatible wireless transports: Bluetooth Classic (BT) for high-throughput services and Bluetooth Low Energy (BLE) for very low-power services. BT and BLE have different security architectures and threat models, but they use similar security mechanisms. In particular, pairing enables two devices to establish a long term key to secure the communication. Two devices have to pair over BT and BLE to use both transports securely. Since pairing the same devices two times is considered user-unfriendly, Bluetooth v4.2 introduced Cross-Transport Key Derivation (CTKD). CTKD allows two devices to pair once, either over BT or BLE, and generate both BT and BLE long term keys. Despite CTKD allowing traversal of the security boundary between BT and BLE, the security implications of CTKD have not yet been investigated. We present the first security analysis of CTKD and identify five cross-transport issues for BT and BLE. These issues enable, for the first time, exploitation of both BT and BLE by attacking either transport. Based on the identified issues, we demonstrate four novel cross-transport attacks resulting in device impersonation, traffic manipulation, and malicious session establishment. We refer to them as BLUR attacks, as they blur the security boundary between BT and BLE. The BLUR attacks are standard-compliant and therefore apply to all devices supporting CTKD, regardless of implementation details. We successfully demonstrate the BLUR attacks on 13 devices with 10 unique Bluetooth chips, and discuss effective countermeasures. We disclosed our findings and countermeasures to the Bluetooth SIG in May 2020.
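To make concrete what CTKD does with the key material, here is an added example in Go; it is not code from the paper or its authors. It implements the h6 key-conversion function that the Bluetooth Core Specification uses for CTKD, h6(W, keyID) = AES-CMAC keyed with W over the 4-byte ASCII keyID, and the two derivations the specification builds from it: BR/EDR link key to ILK with "tmp1", then ILK to LE LTK with "lebr"; and LE LTK to ILK with "tmp2", then ILK to BR/EDR link key with "brle". AES-CMAC is implemented from RFC 4493 on top of crypto/aes because Go's standard library has no CMAC. The sample LTK is a constructed value, the function names (H6, LTKFromLinkKey, LinkKeyFromLTK, KeysFromOnePairing) are this example's own, and feeding keyID to the MAC in plain ASCII byte order is an assumption.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

// xorBlock returns a ^ b over one 16-byte block.
func xorBlock(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// subkey derives K1 from L, or K2 from K1 (RFC 4493 section 2.3):
// shift left one bit, XOR in 0x87 if the bit shifted out was 1.
func subkey(in []byte) []byte {
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[blockSize-1] ^= 0x87
	}
	return out
}

// AESCMAC computes AES-CMAC (RFC 4493) of msg under a 16-byte key.
func AESCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	l := make([]byte, blockSize)
	block.Encrypt(l, l) // L = AES_K(0^128)
	k1 := subkey(l)
	k2 := subkey(k1)

	n := (len(msg) + blockSize - 1) / blockSize
	if n == 0 {
		n = 1 // the empty message is one padded block
	}
	lastStart := (n - 1) * blockSize
	var last []byte
	if len(msg) > 0 && len(msg)%blockSize == 0 {
		last = xorBlock(msg[lastStart:], k1) // complete final block
	} else {
		padded := make([]byte, blockSize) // 10...0 padding
		copy(padded, msg[lastStart:])
		padded[len(msg)-lastStart] = 0x80
		last = xorBlock(padded, k2)
	}
	x := make([]byte, blockSize) // CBC-MAC chaining value
	for i := 0; i < n-1; i++ {
		block.Encrypt(x, xorBlock(x, msg[i*blockSize:(i+1)*blockSize]))
	}
	tag := make([]byte, blockSize)
	block.Encrypt(tag, xorBlock(x, last))
	return tag, nil
}

// H6 is the Core Specification key-conversion function
// h6(W, keyID) = AES-CMAC_W(keyID), keyID a 4-character ASCII string.
// Feeding keyID in plain ASCII byte order is this example's assumption.
func H6(w []byte, keyID string) ([]byte, error) {
	if len(keyID) != 4 {
		return nil, fmt.Errorf("h6: keyID must be 4 bytes, got %q", keyID)
	}
	return AESCMAC(w, []byte(keyID))
}

// LTKFromLinkKey: BR/EDR link key -> ILK ("tmp1") -> LE LTK ("lebr").
func LTKFromLinkKey(linkKey []byte) ([]byte, error) {
	ilk, err := H6(linkKey, "tmp1")
	if err != nil {
		return nil, err
	}
	return H6(ilk, "lebr")
}

// LinkKeyFromLTK: LE LTK -> ILK ("tmp2") -> BR/EDR link key ("brle").
func LinkKeyFromLTK(ltk []byte) ([]byte, error) {
	ilk, err := H6(ltk, "tmp2")
	if err != nil {
		return nil, err
	}
	return H6(ilk, "brle")
}

// KeysFromOnePairing models what CTKD hands out: pair once on "BT" or
// "BLE" and hold the keys for both transports. Returns (linkKey, ltk).
func KeysFromOnePairing(transport string, pairedKey []byte) (linkKey, ltk []byte, err error) {
	switch transport {
	case "BT":
		ltk, err = LTKFromLinkKey(pairedKey)
		return pairedKey, ltk, err
	case "BLE":
		linkKey, err = LinkKeyFromLTK(pairedKey)
		return linkKey, pairedKey, err
	default:
		return nil, nil, fmt.Errorf("unknown transport %q", transport)
	}
}

func main() {
	// Constructed sample: the LTK a BLE-only pairing produced.
	ltk, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	linkKey, _, err := KeysFromOnePairing("BLE", ltk)
	if err != nil {
		panic(err)
	}
	fmt.Printf("LE LTK      : %x\nBT link key : %x\n", ltk, linkKey)
}
```

The point the example makes is the one the abstract turns on: with CTKD, a single 128-bit key obtained on one transport fixes the other transport's key through a deterministic, one-way chain of h6 calls. Whoever ends up holding the LTK from a BLE pairing, whether the legitimate peer or not, can compute the BR/EDR link key without ever pairing over BT, and vice versa. That is the security boundary between the two transports that the BLUR attacks blur; the specific attack conditions are in the paper, not in this example.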



