Apple users could be affected by newly discovered Bluetooth flaws, allowing attackers to impersonate devices — even those with the newest version of Bluetooth.
A team at Eurecom, a research institution, has discovered a series of security weaknesses in Bluetooth technology named "BLUFFS", or Bluetooth Forward and Future Secrecy. These weaknesses are found in the Bluetooth wireless protocol and could affect billions of devices like laptops, smartphones, and other portable gadgets.
BLUFFS affects Bluetooth versions from 4.2, which came out in December 2014, to the newest 5.4, released in February 2023. Tests show that devices using Bluetooth versions 4.1 to 5.2 are vulnerable to at least three of the six attack types, according to a report from Bleeping Computer.
The attacks aim to break Bluetooth communications' privacy, threatening current and future data exchanges. These attacks interfere with how Bluetooth creates secure keys for encrypting data.
The attacker, who needs to be within Bluetooth range, can then figure out or alter these keys to decode or tamper with the data. That requires the attacker to pretend to be one of the devices sharing data.
The researchers have found six different BLUFFS attacks, each involving different ways of impersonating devices or getting in between them (man-in-the-middle attacks). These methods work whether the devices use newer or older Bluetooth security features.
Future Bluetooth security
To improve Bluetooth's security against these threats, the researchers suggest several changes compatible with current technology. These include a new method for generating secure keys in older Bluetooth connections, a shared key for verifying key diversifiers, using only the secure mode of Bluetooth, and keeping track of session key diversifiers to prevent reusing them.
The Bluetooth SIG sets standards for Bluetooth and advises using more robust security modes and rejecting connections that don't meet specific key strength requirements for better encryption.
How to protect yourself from BLUFFS
Although it's not likely that most people will be affected by these Bluetooth flaws, there are still ways to stay safe.
A crucial step is ensuring that their devices are continually updated with the latest software releases from Apple. These updates frequently contain vital security patches that address vulnerabilities like those exploited by BLUFFS.
Additionally, it's advisable to use Apple devices that support the most recent Bluetooth standards.
Turning off Bluetooth when it's not needed reduces exposure to potential attacks. It's equally important to be careful about the devices you pair with, limiting connections to trusted devices and avoiding pairing with unknown or unverified sources.
6 Comments
Sounds like the only protection is turning off Bluetooth. The updates and such, as of late November 2023, mean zip, zero, nada.
Oh noes, someone might be able to listen in on my music stream!
Since upgraded iPhone 15 pro and iOS 17 (now 17.1.1) I found it losing bluetooth connectivity and actually Disabled intermittently. Apple used remote diagnostics to deny any problem. When it happens, Apple watch, earphone and every bluetooth devices disconnect from a few seconds to minutes. It happens 100% when I am 50m close to an Apple Store. What’s wrong?