This presentation details how authentication works in the Bluetooth pairing and provisioning protocols. More precisely, we show that the authentication protocols in all pairing modes of BLE and Bluetooth Classic fail to uphold their objectives.
As a result, an attacker may access sensitive services on Bluetooth devices, even when configured in the most secure mode.
Furthermore, several vulnerabilities in Bluetooth Mesh provisioning are detailed, allowing an attacker to join a Mesh network.
Due to cryptographic problems in the Mesh protocol, it is also possible to complete a MITM in the provisioning and compromise the future communications of a joining device.
Each vulnerability is explained in detail, along with its exploitation conditions and its impact on communication security.
Overall, we show that there are protocol flaws in all Pairing modes and in the Mesh Provisioning.
Exploitation scenarios are provided and have been validated by practical experiments on several devices. The findings were reported to the Bluetooth SIG, which assigned six CVEs.
The impacts found range from impersonation to complete Machine in the Middle attacks between devices running version 5.2 of the Bluetooth specification.
Tristan is an Information Security Researcher at ANSSI. He is interested in wireless security and software-defined radio.
Jose is an Information Security Researcher at ANSSI, the national cybersecurity agency of France. His main interests are electromagnetic security (TEMPEST, IEMI), embedded systems security and wireless security. Jose also lectures on these topics at French universities. Before that, he worked as a security evaluator and a pentester in a French ITSEF.