TY - GEN
T1 - BLAP
T2 - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
AU - Koh, Changseok
AU - Kwon, Jonghoon
AU - Hur, Junbeom
N1 - Funding Information:
This work was supported by IITP grant funded by the MSIT, Korea (No. 2019-0-00533, IITP-2022-2020-0-01819, IITP-2021-0-01810) and Basic Science Research Program through the National Research Foundation funded by the Ministry of Education, Korea (NRF-2021R1A6A1A13044830).
Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Secure Simple Pairing (SSP) and Link Manager Protocol (LMP) authentication are the two main authentication mechanisms in the Bluetooth specification. In this paper, we present two novel attacks, called link key extraction and page blocking attacks, which break LMP authentication and SSP authentication, respectively. The link key extraction attack allows attackers to extract the link keys that Bluetooth devices generate during the SSP procedure by exploiting the Bluetooth HCI dump. Page blocking attacks by man-in-the-middle (MITM) attackers force Bluetooth connections, enabling subsequent SSP downgrade attacks that bypass the SSP authentication challenge. To demonstrate their efficacy, we implement our attacks on various real-world devices and show that (1) a target link key is dumped into a log and extracted efficiently, possibly leading to a subsequent impersonation attack, and (2) malicious MITM connections can be established with a 100% success rate, enabling a subsequent SSP downgrade attack. We investigate the root causes of the vulnerabilities and present mitigations.
KW - Bluetooth attack
KW - Bluetooth impersonation
KW - Bluetooth link key
KW - Bluetooth security
KW - Link key extraction
KW - Page blocking
UR - http://www.scopus.com/inward/record.url?scp=85136337287&partnerID=8YFLogxK
U2 - 10.1109/DSN53405.2022.00033
DO - 10.1109/DSN53405.2022.00033
M3 - Conference contribution
AN - SCOPUS:85136337287
T3 - Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
SP - 227
EP - 238
BT - Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 27 June 2022 through 30 June 2022
ER -