Role switch before authentication
BR/EDR
In Bluetooth Classic (BR/EDR), devices operate under two possible roles:
- Central: controls the piconet; its clock and frequency-hopping sequence set the physical parameters of the connection.
- Peripheral: synchronizes to the Central's clock and hopping sequence and follows its instructions.
When a connection is initiated, the initiating device assumes the Central role by default. A role switch lets the two devices exchange roles once the connection exists.
Role switching from Central to Peripheral is commonly used by devices designed to operate only as Peripherals: they initiate the connection, and therefore start as Central, and then hand the Central role to the remote device. The same mechanism can be abused to bypass authentication, because legacy authentication is not mutual by default: only the Central (the verifier) authenticates the Peripheral (the claimant), and the Peripheral is not required to prove that it knows the link key. Attacks such as BIAS exploit this by forcing a role switch just before authentication, so that the attacker becomes the verifier and can impersonate a previously paired device without knowing the link key.
To reduce this risk, the Peripheral to Central role change mechanism should be avoided unless it is strictly required for normal device operation, and a role switch requested before authentication has completed should be rejected.
Description
The role change is negotiated with LMP messages, which are generated by the Bluetooth controller firmware rather than by the host; whether and when a device accepts a role switch therefore depends on that firmware.
To check whether a device accepts a Peripheral to Central role change (slave to master in LMP terminology) before authentication, a controller is needed whose firmware allows sending LMP role switch messages at arbitrary points of the communication.
The firmware modifications to the CYW920819WCD2 made as part of the BIAS PoC include a patch that switches the device's role from slave to master before authentication, so, together with Wireshark, they can be used to test this control. This requires the CYW920819EVB-02 development board, or another board compatible with the "Patch ROM" mechanism.
The process consists of patching the firmware on the board (an example of how to do this is available in the BIAS repository) and using the board to initiate a connection to the audited device while capturing the communication with Wireshark. Before starting the communication it is necessary to enable the debug messages on the board, which include the LMP messages sent and received. In addition, traffic must be captured through the Bluetooth monitor interface and the Broadcom debug message dissector must be used so that Wireshark decodes the LMP messages correctly.
Just before authentication you will observe the board sending an LMP role switch request (LMP_switch_req). If the audited device answers it with LMP_accepted, it allows a role switch before authentication and does not comply with the control.
Related resources
To check this control, the following resources may be useful:
| ID | Description |
|---|---|
| BSAM-RES-04 | Bluetooth connections sniffing |
| BSAM-RES-05 | Capture of a Bluetooth connection |
| BSAM-RES-06 | Enabling debug mode on a Bluetooth controller |
| BSAM-RES-07 | Sending and receiving HCI messages |
| BSAM-RES-09 | Changing the attributes of a controller |
Example case
We will use Wireshark with BTVS (btvs.exe -Mode wireshark) to capture the HCI packets for analysis.
A laptop running Scapy pairs, in the Peripheral role, with another device acting as Central. During the connection process an additional step, the role switch, can be performed.
The Peripheral receives the Central's connection request through the HCI_Connection_Request event.
The Peripheral accepts the connection with the HCI_Accept_Connection_Request command and announces its intention to become the Central by setting the Role parameter to 0x00 (Become the Central for this connection; the Link Manager will perform the role switch). A value of 0x01 keeps the Peripheral role.
If the remote device accepts the role switch, the controller reports it with the HCI_Role_Change event, whose Status field is 0x00 (a role change has occurred) and whose New_Role field is 0x00 (Central). Any other Status value is an error code and means the switch was not performed.
To determine whether this role switch happens before authentication, locate in the Wireshark capture the HCI_Link_Key_Request_Reply command and the HCI_Command_Complete event that follows it; they mark the start of the authentication procedure.
If the HCI_Accept_Connection_Request command (Role = 0x00) and the corresponding HCI_Role_Change event appear before those two packets, the role switch took place before the authentication stage.
The control FAILS if an HCI_Role_Change event with the Status field set to 0x00 is found before the devices authenticate.
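The ordering check described in this example case (and the LMP-level check in the Description, which it mirrors at the HCI layer) can be automated over an HCI capture instead of being done by eye in Wireshark. The script below is an added example written for this page; it is not part of BSAM, of the BIAS PoC or of Scapy. It reads a btsnoop file (the format of Android's btsnoop_hci.log and of `btmon -w` on Linux), decodes the H4-framed HCI commands and events with the standard library only, and reports FAIL when a successful HCI_Role_Change precedes the link key request/reply that starts authentication. The opcodes and event codes are those of the Core Specification; the BD_ADDR, the all-zero link key and the packet ordering in SAMPLE_FAIL are constructed for the demonstration, not taken from a real trace.

```python
import struct
import sys
from collections import namedtuple
from typing import Dict, Iterator, List, Optional

# HCI identifiers from the Bluetooth Core Specification (Vol 4, Part E).
H4_COMMAND, H4_EVENT = 0x01, 0x04
OP_ACCEPT_CONNECTION_REQUEST = 0x0409   # OGF 0x01 (Link Control), OCF 0x0009
OP_LINK_KEY_REQUEST_REPLY = 0x040B      # OGF 0x01, OCF 0x000B
EVT_COMMAND_STATUS, EVT_COMMAND_COMPLETE = 0x0F, 0x0E
EVT_CONNECTION_REQUEST, EVT_CONNECTION_COMPLETE = 0x04, 0x03
EVT_ROLE_CHANGE, EVT_LINK_KEY_REQUEST = 0x12, 0x17
ROLE_BECOME_CENTRAL = 0x00              # Role parameter of HCI_Accept_Connection_Request
STATUS_SUCCESS = 0x00

# kind is "cmd" (host -> controller) or "evt" (controller -> host); code is the opcode or event code
HciPacket = namedtuple("HciPacket", "index kind code params")

def parse_h4(index: int, raw: bytes) -> Optional[HciPacket]:
    """Decode one H4 (UART framed) HCI packet; ACL/SCO data packets are skipped."""
    if raw and raw[0] == H4_COMMAND and len(raw) >= 4:
        opcode, plen = struct.unpack_from("<HB", raw, 1)
        return HciPacket(index, "cmd", opcode, raw[4:4 + plen])
    if raw and raw[0] == H4_EVENT and len(raw) >= 3:
        code, plen = struct.unpack_from("<BB", raw, 1)
        return HciPacket(index, "evt", code, raw[3:3 + plen])
    return None

def read_btsnoop(data: bytes) -> Iterator[bytes]:
    """Yield raw H4 packets from a btsnoop file (the format of Android's btsnoop_hci.log)."""
    if data[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack_from(">II", data, 8)
    if datalink != 1002:  # 1002 = HCI UART (H4); other framings are not handled here
        raise ValueError(f"unsupported btsnoop datalink {datalink}")
    off = 16
    while off + 24 <= len(data):
        incl_len = struct.unpack_from(">I", data, off + 4)[0]   # record: orig, incl, flags, drops, ts64
        yield data[off + 24:off + 24 + incl_len]
        off += 24 + incl_len

def check_role_switch_before_auth(raw_packets: List[bytes]) -> Dict[str, object]:
    """FAIL if a successful HCI_Role_Change precedes the start of authentication (link key
    request/reply); PASS if the switch is rejected or comes later; UNDETERMINED otherwise."""
    found: Dict[str, Optional[int]] = {"accept_as_central": None, "role_change_ok": None, "auth_start": None}
    for i, raw in enumerate(raw_packets):
        pkt = parse_h4(i, raw)
        if pkt is None:
            continue
        if pkt.kind == "cmd" and pkt.code == OP_ACCEPT_CONNECTION_REQUEST and len(pkt.params) == 7:
            if pkt.params[6] == ROLE_BECOME_CENTRAL and found["accept_as_central"] is None:
                found["accept_as_central"] = i   # Role = 0x00: asked to become Central
        elif pkt.kind == "evt" and pkt.code == EVT_ROLE_CHANGE and pkt.params[:1] == bytes([STATUS_SUCCESS]):
            if found["role_change_ok"] is None:
                found["role_change_ok"] = i      # Status = 0x00: the switch was granted
        elif (pkt.kind == "evt" and pkt.code == EVT_LINK_KEY_REQUEST) or \
             (pkt.kind == "cmd" and pkt.code == OP_LINK_KEY_REQUEST_REPLY):
            if found["auth_start"] is None:
                found["auth_start"] = i          # link key exchange: authentication has begun
    switch, auth = found["role_change_ok"], found["auth_start"]
    if switch is None:
        verdict = "PASS" if found["accept_as_central"] is not None else "UNDETERMINED"
    else:
        verdict = "UNDETERMINED" if auth is None else ("FAIL" if switch < auth else "PASS")
    return {**found, "verdict": verdict}

# Helpers to build H4 packets and a btsnoop file for the constructed sample below.
def h4_cmd(opcode: int, params: bytes) -> bytes:
    return bytes([H4_COMMAND]) + struct.pack("<HB", opcode, len(params)) + params

def h4_evt(code: int, params: bytes) -> bytes:
    return bytes([H4_EVENT, code, len(params)]) + params

def build_btsnoop(packets: List[bytes]) -> bytes:
    out = b"btsnoop\x00" + struct.pack(">II", 1, 1002)
    for i, p in enumerate(packets):   # flags bit 0: 0 = sent / 1 = received; bit 1: command or event
        out += struct.pack(">IIIIq", len(p), len(p), (0 if p[0] == H4_COMMAND else 1) | 2, 0, i) + p
    return out

# Constructed capture (not a real trace), seen from the Peripheral: it accepts the connection asking
# to become Central, the switch is granted, and only then does the link key exchange start.
PEER = bytes.fromhex("665544332211")   # hypothetical BD_ADDR 11:22:33:44:55:66, little-endian on the wire
SAMPLE_FAIL = [
    h4_evt(EVT_CONNECTION_REQUEST, PEER + b"\x00\x00\x00\x01"),                    # class 0, ACL link
    h4_cmd(OP_ACCEPT_CONNECTION_REQUEST, PEER + bytes([ROLE_BECOME_CENTRAL])),    # Role = 0x00
    h4_evt(EVT_COMMAND_STATUS, b"\x00\x01" + struct.pack("<H", OP_ACCEPT_CONNECTION_REQUEST)),
    h4_evt(EVT_ROLE_CHANGE, bytes([STATUS_SUCCESS]) + PEER + b"\x00"),            # granted, New_Role = Central
    h4_evt(EVT_CONNECTION_COMPLETE, b"\x00\x0b\x00" + PEER + b"\x01\x00"),        # handle 0x000b, ACL
    h4_evt(EVT_LINK_KEY_REQUEST, PEER),
    h4_cmd(OP_LINK_KEY_REQUEST_REPLY, PEER + bytes(16)),                          # dummy all-zero link key
    h4_evt(EVT_COMMAND_COMPLETE, b"\x01" + struct.pack("<H", OP_LINK_KEY_REQUEST_REPLY) + b"\x00" + PEER),
]

if __name__ == "__main__":   # usage: python3 role_switch_check.py [btsnoop_hci.log]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_btsnoop(SAMPLE_FAIL)
    print(check_role_switch_before_auth(list(read_btsnoop(data))))
```

Run it with no arguments to see the verdict on the constructed sample, or pass a btsnoop file captured on the Peripheral side. The verdict is UNDETERMINED when the capture shows no role switch attempt at all or never reaches the link key exchange, so that a truncated or unrelated capture is not reported as PASS; a PASS from a rejected switch (HCI_Role_Change with a non-zero Status) is still worth checking by hand, since the capture only shows that this particular request was refused.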