BLUFFS Bluetooth Vulnerability Threatens Billions of Devices

BLUFFS Vulnerabilities Make Bluetooth Devices Open to Attack
Bluetooth Forward and Future Secrecy (BLUFFS) vulnerabilities can leave devices vulnerable to man-in-the-middle attacks

Eurecom has uncovered a series of exploits named “BLUFFS”, posing a significant threat to the security of Bluetooth sessions. These attacks exploit two previously unknown flaws in the Bluetooth standard, impacting versions 4.2 through 5.4 and potentially putting billions of devices, including smartphones and laptops, at risk.

BLUFFS Exploits – How Do They Work?

BLUFFS (Bluetooth Low User eavesdropping of Frequency-hopping Sessions) is a sophisticated series of attacks designed to compromise the forward and future secrecy of Bluetooth sessions, compromising the confidentiality of communications between devices. The methodology involves exploiting flaws in the session key derivation process, forcing the generation of a weak and predictable session key (SKC). The attacker then brute-forces the key, allowing them to decrypt past communications and manipulate future ones.

To execute BLUFFS, the attacker only needs to be within Bluetooth range of the targeted devices. Impersonating one device, the attacker negotiates a weak session key. Then, the other by proposing the lowest possible key entropy value and using a constant session key diversifier.

Bluetooth Forward and Future Secrecy Attacks and Defenses

Impact on Bluetooth Devices

Given the architectural nature of the flaws, BLUFFS impacts all the devices running a whole lineup of Bluetooth protocol versions. The vulnerabilities affect Bluetooth Core Specification 4.2 through 5.4, potentially exposing a vast number of devices to the exploits. The impact has been confirmed through tests on smartphones, earphones, and laptops running Bluetooth versions 4.1 through 5.2.

List of vulnerable chips/devices
Chip Device(s) BTv A1 A2 A3 A4 A5 A6
LSC Victims
Bestechnic BES2300 Pixel Buds A-Series 5.2
Apple H1 AirPods Pro 5.0
Cypress CYW20721 Jaybird Vista 5.0
CSR/Qualcomm BC57H687C-GITM-E4 Bose SoundLink 4.2
Intel Wireless 7265 (rev 59) Thinkpad X1 3rd gen 4.2
CSR n/a Logitech BOOM 3 4.2 𐄂 𐄂
SC Vietims
Infineon CYW20819 CYW920819EVB-02 5.0
Cypress CYW40707 Logitech MEGABLAST 4.2
Qualcomm Snapdragon 865 Mi 10T 5.2 𐄂 𐄂 𐄂
Apple/USI 339S00761 iPhones 12, 13 5.2 𐄂 𐄂 𐄂
Intel AX201 Portege X30-C 5.2 𐄂 𐄂 𐄂
Broadcom BCM4389 Pixel 6 5.2 𐄂 𐄂 𐄂
Intel 9460/9560 Latitude 5400 5.0 𐄂 𐄂 𐄂
Qualcomm Snapdragon 835 Pixel 2 5.0 𐄂 𐄂 𐄂
Murata 339S00199 iPhone 7 4.2 𐄂 𐄂 𐄂
Qualcomm Snapdragon 821 Pixel XL 4.2 𐄂 𐄂 𐄂
Qualcomm Snapdragon 410 Galaxy J5 4.1 𐄂 𐄂 𐄂

Bluetooth SIG, the organization overseeing Bluetooth standard development, has received Eurecom’s report. They recommend implementations to reject connections with low key strengths, utilize “Security Mode 4 Level 4” for higher encryption strength, and operate in “Secure Connections Only” mode during pairing.

Mitigation Measures

Researchers propose backward-compatible modifications to enhance session key derivation and mitigate BLUFFS and similar threats. Recommendations, however, offer only the protocol fixes, i.e. they are not about to be done by users. Sadly, but at the moment, there is not much you can do to secure the BT connection.

BLUFFS Bluetooth Vulnerability Threatens Billions of Devices

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *