Mutual authentication

BR/EDR

During the Bluetooth authentication process, it is not necessary for the two devices involved to check each other’s identity, which can lead to spoofing attacks, where a malicious device can impersonate another device.

The authentication process can be performed using the following methods:

  • Legacy Authentication: Performs authentication unilaterally, from master to slave, and may allow the master of a communication to be unauthenticated. It should be avoided as it allows spoofing attacks.
  • Secure Authentication: Requires authentication of both parties to the communication, preventing either party from being spoofed by a malicious device.

Description

To check if the device supports Legacy Authentication, it is necessary to modify the LMP capabilities of the Bluetooth driver of the auditor. The LMP features indicate the functionalities supported by the Bluetooth driver. In particular, the “Secure Connections (Host Support)” and “Secure Connections (Controller Support)” capabilities indicate whether the host and the controller support Secure Connection type connections, which require the Secure Authentication authentication method.

To check whether the device can be forced to downgrade the authentication security to Legacy Authentication, set the bits corresponding to the Secure Connections (Host Support) and Secure Connections (Controller Support) capabilities to 0.

Depending on the controller manufacturer, this will be possible using a specific HCI message. In the case of the CYW920819EVB-02 development board, the manufacturer, Broadcom, allows writes to RAM through an HCI message, and, thanks to the PoC of the BIAS vulnerability, the location in memory of the bit strings corresponding to the LMP features is known, so we can overwrite them while ensuring that the device indicates that “Secure Connection” connections are not supported.

After modifying the driver capabilities, a connection to the audited device is initiated. If the device initiates authentication via Legacy Authentication the control is not enforced.

To check this control, the following resources may be useful:

IDDescription
BSAM-RES-04Bluetooth connections sniffing
BSAM-RES-05Capture of a Bluetooth connection
BSAM-RES-06Enabling debug mode on a Bluetooth controller
BSAM-RES-07Sending and receiving HCI messages
BSAM-RES-09Changing the attributes of a controller

Example case

We will use Wireshark with BTVS (btvs.exe -Mode wireshark) to capture packets for analysis.

To enable mutual authentication between two devices, one Central and the other Peripheral, it is necessary for the device’s host to support secure connections. This is achieved by setting a value of 0x01 (Secure_Connections_Host_Support is ‘enabled’. Host supports Secure Connections.) in the Secure_Connections_Host_Support field of the _HCI_Write_Secure_Connections_Host_Support_t command.

This packet should be identified in Wireshark captures, during the pairing process, between the Central and Peripheral devices to verify its value. The absence of this packet indicates that the devices did not configure the connection securely.

The check control FAIL if the HCI_Write_Secure_Connections_Host_Support command is not found or if the value of the Secure_Connections_Host_Support field is different from 0x01.