BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks

Changseok Koh, Jonghoon Kwon, Junbeom Hur

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Secure Simple Pairing (SSP) and Link Manager Protocol (LMP) authentication are the two main authentication mechanisms in the Bluetooth specification. In this paper, we present two novel attacks, called link key extraction and page blocking attacks, breaking LMP authentication and SSP authentication, respectively. The link key extraction attack allows attackers to extract link keys of Bluetooth devices generated during the SSP procedure by exploiting the Bluetooth HCI dump. Page blocking attacks by man-in-the-middle (MITM) attackers enforce Bluetooth connections, enabling subsequent SSP downgrade attacks to bypass the SSP authentication challenge. In order to demonstrate the efficacy, we implement our attacks on various real-world devices and show that (1) a target link key is dumped into a log and extracted efficiently, possibly leading to a subsequent impersonation attack, and (2) malicious MITM connections can be established with a 100% success rate, enabling a subsequent SSP downgrade attack. We investigate the root causes of the vulnerabilities and present mitigations.

Original language: English
Title of host publication: Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 227-238
Number of pages: 12
ISBN (Electronic): 9781665416931
DOIs
Publication status: Published - 2022
Event: 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 - Baltimore, United States
Duration: 2022 Jun 27 - 2022 Jun 30

Publication series

Name: Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

Conference

Conference: 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
Country/Territory: United States
City: Baltimore
Period: 22/6/27 - 22/6/30

Bibliographical note

Funding Information:
This work was supported by an IITP grant funded by the MSIT, Korea (No. 2019-0-00533, IITP-2022-2020-0-01819, IITP-2021-0-01810) and by the Basic Science Research Program through the National Research Foundation funded by the Ministry of Education, Korea (NRF-2021R1A6A1A13044830).

Publisher Copyright:
© 2022 IEEE.

Keywords

  • Bluetooth attack
  • Bluetooth impersonation
  • Bluetooth link key
  • Bluetooth security
  • Link key extraction
  • Page blocking

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
