Man-In-The-Middle attacks on bluetooth: a comparative analysis, a novel attack, and countermeasures

Abstract: We provide a comparative analysis of the existing MITM (Man-In-The-Middle) attacks on Bluetooth. In addition, we propose a novel Bluetooth MITM attack against Bluetoothenabled printers that support SSP (Secure Simple Pairing). Our attack is based on the fact that the security of the protocol is likely to be limited by the capabilities of the least powerful or the least secure device type. Moreover, we propose improvements to the existing Bluetooth SSP in order to make it more secure.

“…SSP uses four association models: OOB, Numeric Comparison, Passkey Entry, and Just Works (see Chap. However, it has been shown that MITM attacks against Bluetooth 2.1+EDR/3.0+HS/4.0 devices are possible by forcing the victim devices to use the Just Works association model [2,[9][10][11][12][13][14][15][16][17][18][19][20][21][22][23] (see Chap. The choice of association model depends on the device's IO capabilities (see Table 2.1 in Chap.…”

“…The attacking device is set to require authentication and encryption for each connection with the printer (see rows [14][15]. After the successful authentication with the printer (see rows [19][20][21][22][23][24][25], the attacking device abuses it by printing funny pictures, dozens of pages of random text, and various hoax documents (see rows [26][27][28]. After the successful authentication with the printer (see rows [19][20][21][22][23][24][25], the attacking device abuses it by printing funny pictures, dozens of pages of random text, and various hoax documents (see rows [26][27][28].…”

“…Our security analysis tool supports the automatic discovery and recognition of Bluetoothenabled printers in range. Finally, the attacking device simultaneously denies all legitimate printer users access to all four Bluetooth-enabled printers (see rows [17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34] [2,69]. If several Bluetooth-enabled printers are detected, several Bluetooth USB dongles will also automatically be used in parallel, i.e., one Bluetooth USB dongle is used for each detected Bluetooth-enabled printer.…”

“…Our MITM attacks on SSP, BT-Niño-MITM attack [2,20], BT-SSP-OOB-MITM attack [2,22], BT-SSP-Printer-MITM attack [2,21], and BT-SSP-HS/HF-MITM attack [2,22] as well as a SSP MITM attack of Suomalainen et al [19], are described in Sect. 5.1.…”

“…The main features of a BT-SSP-OOB-MITM attack [2,22] We call our third attack a BT-SSP-Printer-MITM attack [2,21] (also referred to as a Bluetooth-Secure Simple Pairing-Printer-Man-In-The-Middle attack). The MITM impersonates the legitimate devices: The MITM uses two Bluetooth devices with BD_ADDRs and Bluetooth names equal to those of the victim devices, i.e., the user becomes confident that the pairing is proceeding correctly and securely.…”

Bluetooth Security Attacks

“…SSP uses four association models: OOB, Numeric Comparison, Passkey Entry, and Just Works (see Chap. However, it has been shown that MITM attacks against Bluetooth 2.1+EDR/3.0+HS/4.0 devices are possible by forcing the victim devices to use the Just Works association model [2,[9][10][11][12][13][14][15][16][17][18][19][20][21][22][23] (see Chap. The choice of association model depends on the device's IO capabilities (see Table 2.1 in Chap.…”

“…The attacking device is set to require authentication and encryption for each connection with the printer (see rows [14][15]. After the successful authentication with the printer (see rows [19][20][21][22][23][24][25], the attacking device abuses it by printing funny pictures, dozens of pages of random text, and various hoax documents (see rows [26][27][28]. After the successful authentication with the printer (see rows [19][20][21][22][23][24][25], the attacking device abuses it by printing funny pictures, dozens of pages of random text, and various hoax documents (see rows [26][27][28].…”

“…Our security analysis tool supports the automatic discovery and recognition of Bluetoothenabled printers in range. Finally, the attacking device simultaneously denies all legitimate printer users access to all four Bluetooth-enabled printers (see rows [17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34] [2,69]. If several Bluetooth-enabled printers are detected, several Bluetooth USB dongles will also automatically be used in parallel, i.e., one Bluetooth USB dongle is used for each detected Bluetooth-enabled printer.…”

“…Our MITM attacks on SSP, BT-Niño-MITM attack [2,20], BT-SSP-OOB-MITM attack [2,22], BT-SSP-Printer-MITM attack [2,21], and BT-SSP-HS/HF-MITM attack [2,22] as well as a SSP MITM attack of Suomalainen et al [19], are described in Sect. 5.1.…”

“…The main features of a BT-SSP-OOB-MITM attack [2,22] We call our third attack a BT-SSP-Printer-MITM attack [2,21] (also referred to as a Bluetooth-Secure Simple Pairing-Printer-Man-In-The-Middle attack). The MITM impersonates the legitimate devices: The MITM uses two Bluetooth devices with BD_ADDRs and Bluetooth names equal to those of the victim devices, i.e., the user becomes confident that the pairing is proceeding correctly and securely.…”

Bluetooth Security Attacks

A hybrid NFC–Bluetooth secure protocol for Credit Transfer among mobile phones

Radio Frequency (RF) Security in Industrial Engineering Processes