Happy MitM: Fun and Toys in Every Bluetooth Device
Jiska Classen, Matthias Hollick

TL;DR
This paper reveals that major Bluetooth stacks do not warn users about MitM attacks during pairing, violating specifications and risking security, and emphasizes the need for proper warning mechanisms.
Contribution
It uncovers the lack of user warnings in Bluetooth stacks during pairing, highlighting a critical security gap and proposing the need for compliance with specifications.
Findings
Major Bluetooth stacks do not warn users about MitM risks
This violation of specifications compromises Bluetooth security
Clear warnings could prevent security breaches
Abstract
Bluetooth pairing establishes trust on first use between two devices by creating a shared key. Similar to certificate warnings in TLS, the Bluetooth specification requires warning users upon issues with this key, because this can indicate ongoing Machine-in-the-Middle (MitM) attacks. This paper uncovers that none of the major Bluetooth stacks warns users, which violates the specification. Clear warnings would protect users from recently published and potential future security issues in Bluetooth authentication and encryption.
