Bluetooth Attacks
An attack is a class of vulnerabilities. The focus here is on attacks to the Bluetooth Specification and BlueZ.
Bluetooth Spec
The Bluetooth Core Specification (5.4 PDF) is defined by the Bluetooth SIG. It defines Bluetooth.
ClassicBondedOnly
Bluetooth allows non-MITM-safe methods to associate devices. That is not an endorsement from the Bluetooth SIG. This is required for certain “legacy” devices which lack the hardware or software for such pairing (e.g., Security Mode 4 Level 2 JustWorks Secure Simple Pairing is meant for hardware enablement, not security).
In CVE-2020-0556 and CVE-2023-45866 an attacker establishes authentication with a discoverable host by requesting simple pairing (i.e., no MITM protections like Passkey auth). Doing so with a HID/keyboard-mouse allows keylogging and input control to the host system.
BlueZ’ CVE-2023-45866 was caused because: (1) the CVE-2020-0556 fix did not use safe defaults, (2) nearly all downstreams did not opt-into configuring safe settings, and (3) nobody noticed. Years later Marc Newlin independently rediscovered the vulnerability and landed Luiz Augusto von Dentz’ fix across downstreams.
-# Defaults to false to maximize device compatibility.
+# Defaults to true for security.
The patch commit message hints that BlueZ was not enforcing Security Mode 4 as required by the Bluetooth Spec (specifically in regards to HID devices, but it is sane to apply the ClassicBondedOnly=true
hammer).
If ClassicBondedOnly=false
is set, the system is vulnerable when discoverable.
Marc Newlin published a blog, released the hi_my_name_is_keyboard PoC, and presented at ShmooCon.