2020-05-19

A paper has detailed how some Apple devices are vulnerable to short-range BIAS attacks, where an attacker impersonates a previously trusted Bluetooth device.

The paper is titled 'BIAS: Bluetooth Impersonation AttackS' and part of its abstract states:

Abstract—Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure. We refer to our attacks as Bluetooth Impersonation AttackS (BIAS).

As 9to5Mac notes, the paper is incredibly technical, but the upshot is that an attacker can use low-cost equipment such as a Raspberry Pi to pretend to be a previously trusted Bluetooth device. The attack relies on something called 'role switching': rather than your device authenticating the remote device, the remote device ends up authenticating yours. A bug means your device agrees to this without question. The report concludes:

As a result of a BIAS attack, an attacker completes secure connection establishment while impersonating Bluetooth master and slave devices, without having to know and authenticate the long term key shared between the victims. The BIAS attacks are standard-compliant, and are effective against Legacy Secure Connections (using the legacy authentication procedure) and Secure Connections (using the secure authentication procedure). The BIAS attacks are the first uncovering issues related to Bluetooth's secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades. The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.
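The first weakness the abstract lists, the lack of mandatory mutual authentication combined with a permissive role switch, can be seen in a small model. This is an added example, not code from the paper or from any Bluetooth stack: the keyed-MAC challenge-response stands in for the real E1 function, and the `Device` and `NoKeyPeer` classes, link key and addresses are constructed for illustration. It shows that a victim which never challenges the peer holding the verifier role completes the exchange with a peer that knows no key, and that insisting on mutual authentication closes that gap.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for Bluetooth's legacy authentication response (E1):
# a keyed MAC over the verifier's random challenge and the claimant's address.
def auth_response(link_key: bytes, challenge: bytes, claimant_addr: bytes) -> bytes:
    return hmac.new(link_key, challenge + claimant_addr, hashlib.sha256).digest()

class Device:
    """A paired device that holds the shared long term (link) key."""
    def __init__(self, addr: bytes, link_key: bytes):
        self.addr, self.link_key = addr, link_key
    def prove(self, challenge: bytes) -> bytes:         # claimant side
        return auth_response(self.link_key, challenge, self.addr)
    def verify(self, peer_addr: bytes, prove) -> bool:  # verifier side
        challenge = secrets.token_bytes(16)
        expected = auth_response(self.link_key, challenge, peer_addr)
        return hmac.compare_digest(prove(challenge), expected)

class NoKeyPeer:
    """Peer claiming a trusted address but holding no key. In the verifier role
    it never has to present the key; it only reports that it accepted the answer."""
    def __init__(self, claimed_addr: bytes):
        self.addr = claimed_addr
    def prove(self, challenge: bytes) -> bytes:
        return secrets.token_bytes(32)   # no key: nothing better than a guess
    def verify(self, peer_addr: bytes, prove) -> bool:
        prove(secrets.token_bytes(16))   # takes the victim's answer, accepts anything
        return True

def connect(victim: Device, peer, require_mutual: bool) -> bool:
    """Connection establishment as seen by the victim, after a role switch has
    left the peer as the side that issues the challenge."""
    peer_accepted = peer.verify(victim.addr, victim.prove)  # peer challenges victim
    if not require_mutual:
        return peer_accepted       # victim never challenges the peer back
    # Mitigation: the victim authenticates the peer as well, whatever the role.
    return peer_accepted and victim.verify(peer.addr, peer.prove)

KEY = secrets.token_bytes(16)                                     # constructed link key
PHONE = Device(b"\x00\x11\x22\x33\x44\x55", KEY)                  # constructed addresses
HEADSET = Device(b"\x66\x77\x88\x99\xaa\xbb", KEY)

def demo() -> dict:
    fake = NoKeyPeer(HEADSET.addr)   # claims the headset's address, has no key
    return {"legit_unilateral": connect(PHONE, HEADSET, require_mutual=False),
            "legit_mutual":     connect(PHONE, HEADSET, require_mutual=True),
            "nokey_unilateral": connect(PHONE, fake, require_mutual=False),
            "nokey_mutual":     connect(PHONE, fake, require_mutual=True)}
```

Only `nokey_mutual` fails: the keyless peer passes whenever the victim relies on the peer's verdict alone, and is rejected as soon as the victim demands its own challenge be answered.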

