BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks

Changseok Koh; Jonghoon Kwon; Junbeom Hur

doi:10.1109/DSN53405.2022.00033

BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks

Changseok Koh, Jonghoon Kwon, Junbeom Hur

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

Secure Simple Pairing (SSP) and Link Manager Protocol (LMP) authentication are two main authentication mechanisms in Bluetooth specification. In this paper, we present two novel attacks, called link key extraction and page blocking attacks, breaking LMP authentication and SSP authentication, respectively. Link key extraction attack allows attackers to extract link keys of Bluetooth devices generated during the SSP procedure by exploiting Bluetooth HCI dump. Page blocking attacks by man-in-the-middle (MITM) attackers enforce Blue-tooth connections, enabling subsequent SSP downgrade attacks to bypass the SSP authentication challenge. In order to demonstrate the efficacy, we implement our attacks on various real-world devices and show that (1) a target link key is dumped into a log and extracted efficiently, possibly leading to the subsequent impersonation attack, and (2) malicious MITM connections can be established with 100% success rate, enabling subsequent SSP downgrade attack. We investigate the root causes for the vulnerabilities and present mitigations.

Original language	English
Title of host publication	Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	227-238
Number of pages	12
ISBN (Electronic)	9781665416931
DOIs	https://doi.org/10.1109/DSN53405.2022.00033
Publication status	Published - 2022
Event	52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 - Baltimore, United States Duration: 2022 Jun 27 → 2022 Jun 30

Publication series

Name	Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

Conference

Conference	52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
Country/Territory	United States
City	Baltimore
Period	22/6/27 → 22/6/30

Bibliographical note

Funding Information:
This work was supported by IITP grant funded by the MSIT, Korea (No.2019-0-00533, IITP-2022-2020-0-01819, IITP-2021-0-01810) and Basic Science Research Program through the National Research Foundation funded by the Ministry of Education, Korea(NRF-2021R1A6A1A13044830).

Publisher Copyright:
© 2022 IEEE.

Keywords

Bluetooth attack
Bluetooth impersonation
Bluetooth link key
Bluetooth security
Link key extraction
Page blocking

ASJC Scopus subject areas

Computer Networks and Communications
Hardware and Architecture
Information Systems
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/DSN53405.2022.00033

Cite this

Koh, C., Kwon, J., & Hur, J. (2022). BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks. In Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 (pp. 227-238). (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN53405.2022.00033

BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks. / Koh, Changseok; Kwon, Jonghoon; Hur, Junbeom.
Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc., 2022. p. 227-238 (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Koh, C, Kwon, J & Hur, J 2022, BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks. in Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022, Institute of Electrical and Electronics Engineers Inc., pp. 227-238, 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022, Baltimore, United States, 22/6/27. https://doi.org/10.1109/DSN53405.2022.00033

Koh C, Kwon J, Hur J. BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks. In Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc. 2022. p. 227-238. (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022). doi: 10.1109/DSN53405.2022.00033

Koh, Changseok ; Kwon, Jonghoon ; Hur, Junbeom. / BLAP : Bluetooth Link Key Extraction and Page Blocking Attacks. Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 227-238 (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022).

@inproceedings{982ac3a69e7c4e38bec3c8e9fa302c24,

title = "BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks",

abstract = "Secure Simple Pairing (SSP) and Link Manager Protocol (LMP) authentication are two main authentication mechanisms in Bluetooth specification. In this paper, we present two novel attacks, called link key extraction and page blocking attacks, breaking LMP authentication and SSP authentication, respectively. Link key extraction attack allows attackers to extract link keys of Bluetooth devices generated during the SSP procedure by exploiting Bluetooth HCI dump. Page blocking attacks by man-in-the-middle (MITM) attackers enforce Blue-tooth connections, enabling subsequent SSP downgrade attacks to bypass the SSP authentication challenge. In order to demonstrate the efficacy, we implement our attacks on various real-world devices and show that (1) a target link key is dumped into a log and extracted efficiently, possibly leading to the subsequent impersonation attack, and (2) malicious MITM connections can be established with 100\% success rate, enabling subsequent SSP downgrade attack. We investigate the root causes for the vulnerabilities and present mitigations.",

keywords = "Bluetooth attack, Bluetooth impersonation, Bluetooth link key, Bluetooth security, Link key extraction, Page blocking",

author = "Changseok Koh and Jonghoon Kwon and Junbeom Hur",

note = "Funding Information: This work was supported by IITP grant funded by the MSIT, Korea (No.2019-0-00533, IITP-2022-2020-0-01819, IITP-2021-0-01810) and Basic Science Research Program through the National Research Foundation funded by the Ministry of Education, Korea(NRF-2021R1A6A1A13044830). Publisher Copyright: {\textcopyright} 2022 IEEE.; 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 ; Conference date: 27-06-2022 Through 30-06-2022",

year = "2022",

doi = "10.1109/DSN53405.2022.00033",

language = "English",

series = "Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "227--238",

booktitle = "Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022",

}

TY - GEN

T1 - BLAP

T2 - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

AU - Koh, Changseok

AU - Kwon, Jonghoon

AU - Hur, Junbeom

N1 - Funding Information: This work was supported by IITP grant funded by the MSIT, Korea (No.2019-0-00533, IITP-2022-2020-0-01819, IITP-2021-0-01810) and Basic Science Research Program through the National Research Foundation funded by the Ministry of Education, Korea(NRF-2021R1A6A1A13044830). Publisher Copyright: © 2022 IEEE.

PY - 2022

Y1 - 2022

N2 - Secure Simple Pairing (SSP) and Link Manager Protocol (LMP) authentication are two main authentication mechanisms in Bluetooth specification. In this paper, we present two novel attacks, called link key extraction and page blocking attacks, breaking LMP authentication and SSP authentication, respectively. Link key extraction attack allows attackers to extract link keys of Bluetooth devices generated during the SSP procedure by exploiting Bluetooth HCI dump. Page blocking attacks by man-in-the-middle (MITM) attackers enforce Blue-tooth connections, enabling subsequent SSP downgrade attacks to bypass the SSP authentication challenge. In order to demonstrate the efficacy, we implement our attacks on various real-world devices and show that (1) a target link key is dumped into a log and extracted efficiently, possibly leading to the subsequent impersonation attack, and (2) malicious MITM connections can be established with 100% success rate, enabling subsequent SSP downgrade attack. We investigate the root causes for the vulnerabilities and present mitigations.

AB - Secure Simple Pairing (SSP) and Link Manager Protocol (LMP) authentication are two main authentication mechanisms in Bluetooth specification. In this paper, we present two novel attacks, called link key extraction and page blocking attacks, breaking LMP authentication and SSP authentication, respectively. Link key extraction attack allows attackers to extract link keys of Bluetooth devices generated during the SSP procedure by exploiting Bluetooth HCI dump. Page blocking attacks by man-in-the-middle (MITM) attackers enforce Blue-tooth connections, enabling subsequent SSP downgrade attacks to bypass the SSP authentication challenge. In order to demonstrate the efficacy, we implement our attacks on various real-world devices and show that (1) a target link key is dumped into a log and extracted efficiently, possibly leading to the subsequent impersonation attack, and (2) malicious MITM connections can be established with 100% success rate, enabling subsequent SSP downgrade attack. We investigate the root causes for the vulnerabilities and present mitigations.

KW - Bluetooth attack

KW - Bluetooth impersonation

KW - Bluetooth link key

KW - Bluetooth security

KW - Link key extraction

KW - Page blocking

UR - https://www.scopus.com/pages/publications/85136337287

U2 - 10.1109/DSN53405.2022.00033

DO - 10.1109/DSN53405.2022.00033

M3 - Conference contribution

AN - SCOPUS:85136337287

T3 - Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

SP - 227

EP - 238

BT - Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 27 June 2022 through 30 June 2022

ER -

BLAP: Bluetooth Link Key Extraction and Page Blocking Attacks

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this