Bluetooth flaws allow attackers to impersonate legitimate devices

Attackers could abuse vulnerabilities discovered in the Bluetooth Core and Mesh Profile specifications to impersonate legitimate devices during the pairing process and launch man-in-the-middle (MitM) attacks.

The Bluetooth Core and Mesh Profile specifications define requirements needed by Bluetooth devices to communicate with each other and for Bluetooth devices using low energy wireless technology to enable interoperable mesh networking solutions.

Successfully exploiting the vulnerabilities found and reported by researchers at the Agence nationale de la sécurité des systèmes d'information (ANSSI), could enable the attackers to launch MitM attacks while within wireless range of vulnerable devices.

The Bluetooth Special Interest Group (Bluetooth SIG), the organization overseeing the development of Bluetooth standards, also issued security advisories earlier today, providing recommendations for each of the seven security flaws impacting the two vulnerable specs.

Detailed information on the discovered vulnerabilities, including the affected Bluetooth specs and links to Bluetooth SIG advisories and recommendations, is available in the table embedded below.

| CVE ID | Vulnerability | Affected specs | Details |
|---|---|---|---|
| CVE-2020-26559 | Bluetooth Mesh Profile AuthValue leak | Mesh Profile Spec, v1.0 to v1.0.1 | SIG Security Notice |
| CVE-2020-26556 | Malleable commitment in Bluetooth Mesh Profile provisioning | Mesh Profile Spec, v1.0 to v1.0.1 | SIG Security Notice |
| CVE-2020-26557 | Predictable AuthValue in Bluetooth Mesh Profile provisioning leads to MITM | Mesh Profile Spec, v1.0 to v1.0.1 | SIG Security Notice |
| CVE-2020-26560 | Impersonation attack in Bluetooth Mesh Profile provisioning | Mesh Profile Spec, v1.0 to v1.0.1 | SIG Security Notice |
| CVE-2020-26555 | Impersonation in the BR/EDR pin-pairing protocol | Core Spec, v1.0B to 5.2 | SIG Security Notice |
| N/A | Authentication of the Bluetooth LE legacy-pairing protocol | Core Spec, v4.0 to 5.2 | SIG Security Notice |
| CVE-2020-26558 | Impersonation in the Passkey entry protocol | Core Spec, v2.1 to 5.2 | SIG Security Notice |

"The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches," the organization said.

"As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers."

Impacted vendors work on patching the flaws

The Android Open Source Project (AOSP), Cisco, Intel, Red Hat, Microchip Technology, and Cradlepoint are among the vendors identified so far with products impacted by these security flaws, according to the Carnegie Mellon CERT Coordination Center (CERT/CC).

AOSP is working on publishing security updates to address the CVE-2020-26555 and CVE-2020-26558 vulnerabilities affecting Android devices.

"Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin," AOSP told CERT/CC.

Cisco is also working on patching the CVE-2020-26555 and CVE-2020-26558 issues impacting its products.

"Cisco is tracking these vulnerabilities via incident PSIRT-0503777710," the company said.

"Cisco has investigated the impact of the aforementioned Bluetooth Specification vulnerabilities and is currently waiting for all the individual product development teams to provide Software fixes to address them."

"We have a production release of our NetCloud OS code available (NCOS version 7.21.40) that fixes the cited issues," Cradlepoint told BleepingComputer. "As a result, we consider this security vulnerability remediated."

Although affected by some of the flaws, Intel and Red Hat did not provide statements to CERT/CC before the vulnerabilities were disclosed.

Update: Added Cradlepoint statement.
