New Bluetooth flaws could let an attacker steal wireless communications

Researchers find new Bluetooth flaws

A team at Eurecom, a research institution, has discovered a series of security weaknesses in Bluetooth technology named "BLUFFS", or Bluetooth Forward and Future Secrecy. These weaknesses are found in the Bluetooth wireless protocol and could affect billions of devices like laptops, smartphones, and other portable gadgets.

BLUFFS affects Bluetooth versions from 4.2, which came out in December 2014, to the newest 5.4, released in February 2023. Tests show that devices using Bluetooth versions 4.1 to 5.2 are vulnerable to at least three of the six attack types, according to a report from Bleeping Computer.

That includes various iPhone, Mac, and iPad models.

The attacks aim to break Bluetooth communications' privacy, threatening current and future data exchanges. These attacks interfere with how Bluetooth creates secure keys for encrypting data.

The attacker, who needs to be within Bluetooth range, can then figure out or alter these keys to decode or tamper with the data. That requires the attacker to pretend to be one of the devices sharing data.

The researchers have found six different BLUFFS attacks, each involving different ways of impersonating devices or getting in between them (man-in-the-middle attacks). These methods work whether the devices use newer or older Bluetooth security features.

Future Bluetooth security

To improve Bluetooth's security against these threats, the researchers suggest several changes compatible with current technology. These include a new method for generating secure keys in older Bluetooth connections, a shared key for verifying key diversifiers, using only the secure mode of Bluetooth, and keeping track of session key diversifiers to prevent reusing them.

The Bluetooth SIG sets standards for Bluetooth and advises using more robust security modes and rejecting connections that don't meet specific key strength requirements for better encryption.

How to protect yourself from BLUFFS

Although it's not likely that most people will be affected by these Bluetooth flaws, there are still ways to stay safe.

A crucial step is ensuring that their devices are continually updated with the latest software releases from Apple. These updates frequently contain vital security patches that address vulnerabilities like those exploited by BLUFFS.

Additionally, it's advisable to use Apple devices that support the most recent Bluetooth standards.

Turning off Bluetooth when it's not needed reduces exposure to potential attacks. It's equally important to be careful about the devices you pair with, limiting connections to trusted devices and avoiding pairing with unknown or unverified sources.