Identifying and fixing critical design flaws in Bluetooth

Oxford University research uncovered critical flaws in the Bluetooth standard implemented in billions of devices worldwide. Through a responsible disclosure process, the flaws were remedied before they could be exploited, preventing significant harm to both manufacturers and consumers.

The Bluetooth standard is implemented in devices used on a daily basis by billions of people worldwide, enabling them to connect seamlessly to one another through phones and other devices. Almost three billion Bluetooth devices were shipped in 2019 alone. Users rely completely on the connections being secure, so that transactions and communications can take place without malicious interference.

In 2018, research by Professor Kasper Rasmussen, in collaboration with researchers from Singapore University of Technology and Design (Nils Ole Tippenhauer, now at CISPA, and Daniele Antonioli, now at EURECOM), discovered serious vulnerabilities in the way that Bluetooth connected and authenticated users. For communication between two devices to be secure, a secret channel has to be established and the identity of each party needs to be verified. There are very serious consequences for users if this secure channel can be broken: a third party can steal private information, forge or alter data (such as account numbers), monitor passwords, unlock and drive away a vehicle, or open a mobile phone.

Bluetooth uses session keys: randomly generated encryption and decryption keys designed to ensure the security of a single communication session between users. The research showed that Bluetooth session keys and other authentication procedures could be completely compromised by an external attacker. It was possible to intercept, monitor and manipulate communication at will, and for an attacker to impersonate a ‘safe’ device that the user had previously paired with.

Fortunately, Professor Rasmussen and colleagues were the first to find these flaws, and carried out a coordinated responsible disclosure process with industry so that the vulnerabilities could be fixed before they were discovered and misused by malicious parties. They withheld public release of the research to allow time for the remediation to take place in secret. The team worked closely with Intel and other industry partners and standards bodies, providing detailed technical information and analysis, and suggesting countermeasures that they had established through their research. One of the identified flaws was evaluated by Intel as ‘Critical’, and won the team a Bug Bounty Firmware Payout of $30,000, Intel’s maximum firmware payout. This reflects the fact that the costs associated with malicious attacks can run into tens or even hundreds of millions of dollars.

Industry acted quickly, and all major manufacturers (including Intel, Microsoft, Apple, Cisco, Google and Huawei) released software patches immediately following the disclosure process. The vast majority of users would not have been aware that anything at all had changed. But since Bluetooth is in use on an enormous number of devices worldwide, and the vulnerabilities affected virtually all of them, there is no doubt that the actions of Professor Rasmussen and colleagues have helped to protect the security and privacy of a substantial proportion of the world’s population.