One day, we will have good security, but that day is not today.
So I’m behind on security. Bluetooth pairing flaw exposes devices to BIAS attacks.
Bluetooth-enabled devices including smartphones, laptops, tablets and Internet of Things (IoT) devices are vulnerable to attack due to fundamental flaws in the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) configuration.
It is a specification-level vulnerability. That means EVERY Bluetooth device is vulnerable. Some will eventually be patched; many will not. The updated specification will be available “in the future.” (That’s the best info we have.)
But how often does the software in your car’s entertainment system get updated? Are there low-energy Bluetooth devices sprinkled around that won’t get updated? Of course there are.
The title of the post comes from the Show Notes for Security Now, episode 768. The notes are at this link. The video can be found at this link. The relative part of the video starts at about 1 hour, 4 minutes and a couple of seconds in. The quote of the day…
Our attacks are “standards compliant.”
Bluetooth is in literally billions of devices.
From the researchers…
To confirm that the BIAS attacks are practical, we successfully conducted them against 31Bluetooth devices (incorporating 28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.
Every Bluetooth front door lock is currently vulnerable. Many, will probably remain vulnerable for all time.