Bluetooth flaw exposes personal data

Security researchers have discovered vulnerabilities in the Bluetooth standard that can allow an attacker to impersonate another device in order to connect. Computers, mobile phones, connected accessories: no device is spared.

After the big Bluetooth flaw that impacted Android mobiles last February, here is a new vulnerability that again affects the wireless connection module. This time, the problem affects all devices, whether mobile phones, computers or connected accessories. Researchers from the École Polytechnique Fédérale de Lausanne (EPFL) have discovered that a component of the Bluetooth standard suffers from a vulnerability that can allow an attacker to impersonate a device that has already been paired.

When two Bluetooth devices are paired for the first time, they exchange a long-term encryption key. It is stored to speed up and secure later connections. When the attacker connects, he imitates the Bluetooth address of the already paired accessory. At the very start of the association process, to avoid having to supply the encryption key, he can then reverse the roles and pretend to be the master device, which allows him to establish the link without authentication.
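The role reversal described above can be seen in a small model. This is an added example, not code from the original article or from the EPFL researchers: the Device and Peer classes, the sample address and the use of HMAC-SHA256 in place of Bluetooth's real authentication function are all assumptions, as is requiring both sides to authenticate as the corrected policy.

```python
import hashlib
import hmac
import os

def response(key, challenge):
    # HMAC-SHA256 is a stand-in here, not Bluetooth's real authentication function.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Peer:
    """Remote side of a link. key=None models a peer that only copied the address."""
    def __init__(self, address, key=None):
        self.address, self.key = address, key

    def answer(self, challenge):
        # Without the long-term key no valid response can be computed.
        return response(self.key, challenge) if self.key else b""

class Device:
    def __init__(self, require_mutual_auth):
        self.bonds = {}  # paired address -> stored long-term key
        self.require_mutual_auth = require_mutual_auth

    def pair(self, address):
        self.bonds[address] = os.urandom(16)
        return self.bonds[address]

    def accept(self, peer, peer_is_master):
        key = self.bonds.get(peer.address)
        if key is None:
            return False  # unknown address: would need a fresh pairing
        if peer_is_master and not self.require_mutual_auth:
            # One-sided policy: a peer in the master role is never challenged.
            return True
        challenge = os.urandom(16)
        return hmac.compare_digest(peer.answer(challenge), response(key, challenge))

def demo():
    addr = "AA:BB:CC:DD:EE:FF"  # constructed sample address
    results = {}
    for name, mutual in (("one_sided", False), ("mutual", True)):
        dev = Device(require_mutual_auth=mutual)
        genuine, copycat = Peer(addr, dev.pair(addr)), Peer(addr)
        for role, is_master in (("slave", False), ("master", True)):
            results[name, "genuine", role] = dev.accept(genuine, is_master)
            results[name, "copycat", role] = dev.accept(copycat, is_master)
    return results

if __name__ == "__main__":
    print(demo())
```

In this model the only case where a peer without the key is accepted is the one-sided policy combined with the master role; once the device challenges its peer whatever the role, the same peer is rejected.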

No countermeasure exists

The attacker can pretend to be a headset or a connected watch, for example. Once connected, he can recover the data he wants. The researchers named the technique BIAS, for Bluetooth Impersonation Attacks. Whether the chips came from Qualcomm, Apple, Intel, Cypress, Samsung or CSR, they were able to successfully test this attack on around thirty devices. Since the bug comes from the firmware of the Bluetooth module, the body that standardizes Bluetooth is working to correct it in the next versions of the standard.

Chip manufacturers are also encouraged to update their firmware. It remains unclear whether they will all do so, and when. In the meantime, apart from deactivating the Bluetooth module, there is no way to protect against this flaw. Of course, such an attack remains unlikely in practice unless it is precisely targeted, since the attacker needs to be close to the victim.