Abstract
Bluetooth is a widely deployed standard for wireless communications between mobile devices. It uses authenticated Elliptic Curve Diffie-Hellman for its key exchange. In this paper we show that the authentication provided by the Bluetooth pairing protocols is insufficient and does not provide the promised MitM protection. We present a new attack that modifies the y-coordinates of the public keys (while preserving the x-coordinates). The attack compromises the encryption keys of all of the current Bluetooth authenticated pairing protocols, provided both paired devices are vulnerable. Specifically, it successfully compromises the encryption keys of 50% of the Bluetooth pairing attempts, while in the other 50% the pairing of the victims is terminated. The affected vendors have been informed and patched their products accordingly, and the Bluetooth specification had been modified to address the new attack. We named our new attack the “Fixed Coordinate Invalid Curve Attack”. Unlike the well known “Invalid Curve Attack” of Biehl et al. [2] which recovers the private key by sending multiple specially crafted points to the victim, our attack is a MitM attack which modifies the public keys in a way that lets the attacker deduce the shared secret.
This research was partially supported by the Technion Hiroshi Fujiwara cyber security research center and the Israel national cyber directorate.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Note that all of the implementations we tested did not add this validation voluntarily.
- 2.
Tested on Nexus 5X devices with Android version 8.1.
- 3.
The examined Bluetooth adapters were: Qualcomm’s QCA6174A, Broadcom’s BCM4358 and Intel’s 8265.
References
Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_16
Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_8
Diffie, W., Hellman, M.E.: New directions in cryptography. Trans. Inf. Theory IT–22(6), 644–654 (1976)
Bluetooth Special Interest Group: Specification of the bluetooth system v2.0. 0 (2004)
Bluetooth Special Interest Group: Specification of the bluetooth system v3.0. 0 (2009)
Bluetooth Special Interest Group: Specification of the bluetooth system v4.0. 0 (2010)
Bluetooth Special Interest Group: Specification of the bluetooth system v4.2. 0 (2014)
Bluetooth Special Interest Group: Specification of the bluetooth system v5.0. 0 (2016)
IEEE: Specification of the bluetooth system v1.0b. 1 (1999)
IEEE: Specification of the bluetooth system v1.1. 1 (2001)
Jager, T., Schwenk, J., Somorovsky, J.: Practical invalid curve attacks on TLS-ECDH. In: Computer Security – ESORICS 2015, vol. 1880, pp. 407–425 (2000)
Landrock, P., Kjaersgaard, J.U.: Protecting against security attack. US Patent 8077866 B2 (2013)
Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)
National Institute of Standards and Technology: Federal information processing standards publication 186-2 (2000)
Ossmann, M.: Project Ubertooth. http://ubertooth.sourceforge.net
Ryan, M.: Crackle cracks BLE encryption. https://github.com/mikeryan/crackle
Ryan, M.: With low energy comes low security. In: USENIX WOOT, p. 4 (2013)
Securing. Gattack. http://gattack.io
Song, J.H., Poovendran, R., Lee, J., Iwata, T.: The AES-CMAC Algorithm (4493), pp. 1–20, June 2006
Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
A Bluetooth Versions
A Bluetooth Versions
Bluetooth has several versions. Each new version introduces extended capabilities or a complete new set of sub-protocols.
The initial releases of Bluetooth, versions 1.0 and 1.0B [9], had many problems, and manufacturers had difficulty making their products interoperable. The manufacturers included a mandatory Bluetooth hardware device address (BD_ADDR) for transmission in the connecting process, which made anonymity impossible at the protocol level. This was a major setback for certain services planned for use in Bluetooth environments.
Bluetooth versions 1.1 [10] introduced major improvements over their predecessors and addressed many of the errors found in v1.0B. New features were added, among them: RSSI for measurement of the power present in a received radio signal, faster connection, faster discovery, adaptive frequency-hopping and higher transmission speeds.
Version 2.0 [4] was released in 2004. It introduced an even faster data transfer with throughput of up to 3 Mbit/s. The throughput enhancement was due to the use of GFSK and PSK modulation. This new method of modulation is called EDR, or Enhanced Data Rate, while the older modulation is called BR, or Basic Rate. When both of the modulations are implemented together it is called BR/EDR.
Version 2.1 of the protocol added secured pairing named Secure Simple Pairing (SSP) to support Man-in-the-Middle (MitM) protection using authenticated Diffie-Hellman during the pairing stage.
Bluetooth 3.0 [5] introduced the support for an alternative MAC/PHY (AMP). AMP is a new feature, allowing the use of an alternative data channel. While the negotiation and establishment are still performed similarly to former versions, the data flow uses an alternative MAC PHY 802.11 (typically associated with Wi-Fi). The 802.11 standard defines different protocols for the physical layer and for the link layer. It is characterized by a high transfer-rate and a relatively high signal range. After the connection is established the 802.11 link encapsulates the data packets of the BT established connection. The result is a much higher transfer rate of up to 24 Mbit/s. This new feature was intended to allow streaming over Bluetooth, whose throughput was still poor compared to other protocols.
Bluetooth Core Specification version 4.0 [6] introduced a new modulation mode and link layer packet format called Bluetooth Low Energy (BTLE). BTLE is intended for use in low power embedded devices. It was rapidly adopted by various consumer devices, such as smart phones, wearable technology, sports tracking devices and recently even health and medical equipment. BTLE PHY divides the RF spectrum into 40 channels, each of which is 2 MHz in width, from 2402 MHz to 2482MHz. Three of those 40 channels are labeled as advertising channels used for pairing and discovery packets. The rest are labeled as data channels, used for establishing connections and transmission of the data. The link layer was also redesigned and a new pairing protocol was added.
On December 2014, core specification 4.2 [7] was introduced, providing several new features to the BTLE protocol intended to make it the main protocol for the IoT (Internet of Things). These features include a new LE Secure Connections mode, as well as several security and privacy related features.
The latest version of Bluetooth, released on December 2016 was version 5.0 [8]. The new version added several performance features for Bluetooth Low Energy, most of them in the physical layer of the protocol. Among the new features were extended range, higher throughput and higher advertisement capacity.
In this paper we study the pairing protocols SSP used by Bluetooth BR/EDR and LE Secure Connections used by Bluetooth Low Energy. These are the only secure pairing protocols to date.
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Biham, E., Neumann, L. (2020). Breaking the Bluetooth Pairing – The Fixed Coordinate Invalid Curve Attack. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-38471-5_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5
eBook Packages: Computer ScienceComputer Science (R0)