Researchers discover 'severe' bluetooth communication breach

July 26, 2018, Technion-Israel Institute of Technology
Credit: CC0 Public Domain

Researchers in the Technion-Israel Institute of Technology Computer Science Department and the Hiroshi Fujiwara Cyber Security Research Center at the Technion have successfully deciphered Bluetooth communication, which was previously considered a safe communication channel against breaches. This was done as part of Lior Neumann's master's thesis, supervised by Prof. Eli Biham, head of the Hiroshi Fujiwara Cyber Security Research Center.

Bluetooth technology, developed in the 1990s, quickly became a popular platform thanks to its simplicity of use. Unlike Wi-Fi, Bluetooth is not based on a network connecting several devices to one another but rather on the individual pairing of two devices (e.g. a headset and a telephone). This method allows convenient use and configuration and makes securing communication between devices easier.

When using a Bluetooth headset, for example, the user must confirm the action on his phone. A connection is then established between the headset and the phone: an encrypted channel is formed between the two devices. Over the years, Bluetooth technology has developed and expanded, and has advanced to the latest encryption technologies. For this reason, this technology was widely considered immune to attack. And thanks to its simplicity and low cost, Bluetooth technology is present in almost every technological consumer such as wearable equipment, car speakers, smart TVs, smart clocks, keyboards, and computers. It also supports Internet connections, printers and faxes.

After a year of theoretical and experimental work, Neumann and Prof. Biham developed an offensive that exposes a vulnerability in all the latest versions of Bluetooth. According to Prof. Biham, who is considered to be one of the world's most prominent researchers in cryptography, "The technology we developed reveals the encryption key shared by the devices and allows us, or a third device, to join the conversation. We can eavesdrop on or sabotage a conversation. As long as we do not actively participate, the user has no way of knowing that there is a third party listening in."

Bluetooth device coupling uses a mathematical concept called ECC: elliptic-curve cryptography. At the moment of coupling, the Bluetooth devices use points on a mathematical structure called an elliptical curve to determine a common secret key on which encryption is based. The Technion researchers found a point with special properties located outside the curve, which allows them to determine the result of the calculation without being identified as malicious by the device. Using that point, they set the encryption key that will be used by the two coupled components.

The offensive developed by Neumann and Prof. Biham is relevant to both aspects of Bluetooth – the hardware (chip) and the operating system (such as Android or iOS) in both devices (the headset and phone in the case of the example above) – and threatens the newest versions of the international standard. The Technion researchers contacted the CERT Coordination Center at Carnegie Mellon University and Bluetooth SIG and informed them of the breach they discovered. "We also contacted major international companies including Intel, Google, Apple, Qualcomm, and Broadcom, which hold most of the relevant market, and informed them about the breach and ways to fix it," said Prof. Biham. "Google defined the breach as 'severe' and distributed an update about a month ago; Apple released an update this week. Other manufacturers who heard about the breach contacted us in order to check their products."

Explore further: IPhone 4S first phone for low-power Bluetooth

More information: More information can be found here: www.cs.technion.ac.il/~biham/BT/

Related Stories

IPhone 4S first phone for low-power Bluetooth

October 24, 2011

The iPhone 4S has a little-heralded feature that makes it unique among phones, at least for a while: It can talk to a new class of wireless devices, such as watches and glucose and heart-rate monitors.

Bluetooth group ushers in updated Bluetooth 4.1

December 6, 2013

(Phys.org) —The Bluetooth Special Interest Group (SIG), the regulatory body responsible for the standard, announced on Wednesday its release of an updated version of the specification, Bluetooth 4.1. This is the first new ...

Mesh networking announcement, new spec from Bluetooth

July 19, 2017

(Tech Xplore)—Mesh-networking capabilities now in Bluetooth are making news. The Bluetooth Special Interest Group announced that Bluetooth technology has been updated with support for mesh networking, and Bluetooth published ...

Bluetooth gets smart

October 31, 2013

You may know Bluetooth as the wireless technology you use to connect your phone with your wireless headset or your car's hands-free speaker systems. But in the near future, you may use the wireless technology to do a lot ...

Recommended for you

Meteorite source in asteroid belt not a single debris field

February 17, 2019

A new study published online in Meteoritics and Planetary Science finds that our most common meteorites, those known as L chondrites, come from at least two different debris fields in the asteroid belt. The belt contains ...

Diagnosing 'art acne' in Georgia O'Keeffe's paintings

February 17, 2019

Even Georgia O'Keeffe noticed the pin-sized blisters bubbling on the surface of her paintings. For decades, conservationists and scholars assumed these tiny protrusions were grains of sand, kicked up from the New Mexico desert ...

Archaeologists discover Incan tomb in Peru

February 16, 2019

Peruvian archaeologists discovered an Incan tomb in the north of the country where an elite member of the pre-Columbian empire was buried, one of the investigators announced Friday.

Where is the universe hiding its missing mass?

February 15, 2019

Astronomers have spent decades looking for something that sounds like it would be hard to miss: about a third of the "normal" matter in the Universe. New results from NASA's Chandra X-ray Observatory may have helped them ...

What rising seas mean for local economies

February 15, 2019

Impacts from climate change are not always easy to see. But for many local businesses in coastal communities across the United States, the evidence is right outside their doors—or in their parking lots.

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.