Apple devices vulnerable to short-range Bluetooth exploit

iPhone with a speaker (Image credit: iMore)

What you need to know

A report has detailed how some Apple devices are vulnerable to short-range Bluetooth attacks.
The problem involves attackers impersonating previously trusted Bluetooth devices.
It affects the iPhone 8, 2018 iPad, 2017 MacBook Pro, and all older devices.

A paper has detailed how some Apple devices are vulnerable to short-range BIAS attacks, where an attacker impersonates a previously trusted Bluetooth device.

The paper is titled 'BIAS: Bluetooth Impersonation AttackS' and part of its abstract states:

Abstract—Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure. We refer to our attacks as Bluetooth Impersonation AttackS (BIAS).

As 9to5Mac notes, the paper is incredibly technical, but the upshot is that an attacker can use a device using low-cost equipment like a Rasberry Pi, pretending to be a previously trusted Bluetooth devices. Using something called 'role-switching', so rather than your device authenticating the remote device, it happens the other way around. A bug means your device agrees to this without question. The report concludes:

As a result of a BIAS attack, an attacker completes secure connection establishment while impersonating Bluetooth master and slave devices, without having to know and authenticate the long term key shared between the victims. The BIAS attacks are standard-compliant, and are effective against Legacy Secure Connections (using the legacy authentication procedure) and Secure Connections (using the secure authentication procedure). The BIAS attacks are the first uncovering issues related to Bluetooth's secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades. The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.

You can read the full report here

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.

Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9