Mutual authentication
BR/EDR
During the Bluetooth authentication process, it is not necessary for the two devices involved to check each other’s identity, which can lead to spoofing attacks, where a malicious device can impersonate another device.
The authentication process can be performed using the following methods:
- Legacy Authentication: Performs authentication unilaterally, from master to slave, and may allow the master of a communication to be unauthenticated. It should be avoided as it allows spoofing attacks.
- Secure Authentication: Requires authentication of both parties to the communication, preventing either party from being spoofed by a malicious device.
Description
To check if the device supports Legacy Authentication, it is necessary to modify the LMP capabilities of the auditor's Bluetooth driver. The LMP features indicate the functionalities supported by the Bluetooth driver. In particular, the “Secure Connections (Host Support)” and “Secure Connections (Controller Support)” capabilities indicate whether the host and the controller support Secure Connection type connections, which require the Secure Authentication method.
To check whether the device can be forced to downgrade the authentication security to Legacy Authentication, set the bits corresponding to the Secure Connections (Host Support) and Secure Connections (Controller Support) capabilities to 0.
Depending on the controller manufacturer, this will be possible using a specific HCI message. In the case of the CYW920819EVB-02 development board, the manufacturer, Broadcom, allows writes to RAM through an HCI message, and, thanks to the PoC of the BIAS vulnerability, the location in memory of the bit strings corresponding to the LMP features is known, so we can overwrite them while ensuring that the device indicates that “Secure Connection” connections are not supported.
After modifying the driver capabilities, a connection to the audited device is initiated. If the device initiates authentication via Legacy Authentication, the control is not enforced.
Related resources
To check this control, the following resources may be useful:
ID | Description |
---|---|
BSAM-RES-04 | Bluetooth connections sniffing |
BSAM-RES-05 | Capture of a Bluetooth connection |
BSAM-RES-06 | Enabling debug mode on a Bluetooth controller |
BSAM-RES-07 | Sending and receiving HCI messages |
BSAM-RES-09 | Changing the attributes of a controller |
Example case
We will use Wireshark with BTVS (btvs.exe -Mode wireshark) to capture packets for analysis.
To enable mutual authentication between two devices, one Central and the other Peripheral, it is necessary for the device’s host to support secure connections. This is achieved by setting the Secure_Connections_Host_Support field of the _HCI_Write_Secure_Connections_Host_Support_t command to a value of 0x01 (“Secure_Connections_Host_Support is ‘enabled’. Host supports Secure Connections.”).
This packet should be identified in Wireshark captures, during the pairing process, between the Central and Peripheral devices to verify its value. The absence of this packet indicates that the devices did not configure the connection securely.
The control check FAILS if the HCI_Write_Secure_Connections_Host_Support command is not found or if the value of the Secure_Connections_Host_Support field is different from 0x01.
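The following script is an added example, not part of the BSAM page or its tooling. It automates the two checks described above: it walks H4-framed HCI command packets (the framing Wireshark shows for a BTVS capture), applies the PASS/FAIL rule for HCI_Write_Secure_Connections_Host_Support, and decodes the two LMP extended-feature bits (“Secure Connections (Host Support)” on page 1 bit 3, “Secure Connections (Controller Support)” on page 2 bit 8) that the Description section refers to. The opcode 0x0C7A (OGF 0x03, OCF 0x007A) is the Core specification value for this command; every packet and feature page in the script is constructed sample data, and treating the last write as the effective setting is this example's own assumption.

```python
# Added example (not part of the BSAM page): a small checker for the
# Mutual authentication control. It parses H4-framed HCI command packets
# and applies the PASS/FAIL rule for HCI_Write_Secure_Connections_Host_Support,
# and decodes the two LMP feature bits named in the Description section.
# All packets and feature pages below are constructed sample data.
import struct

H4_COMMAND = 0x01  # H4 packet indicator for HCI command packets

# HCI opcode = (OGF << 10) | OCF. Write Secure Connections Host Support is
# OGF 0x03 (Controller & Baseband), OCF 0x007A, i.e. opcode 0x0C7A.
OGF_CONTROLLER_BASEBAND = 0x03
OCF_WRITE_SC_HOST_SUPPORT = 0x007A
OPCODE_WRITE_SC_HOST_SUPPORT = (OGF_CONTROLLER_BASEBAND << 10) | OCF_WRITE_SC_HOST_SUPPORT


def parse_h4_command(pkt: bytes):
    """Return (opcode, params) for an H4 command packet, or None for
    anything else (events, ACL data, truncated frames)."""
    if len(pkt) < 4 or pkt[0] != H4_COMMAND:
        return None
    opcode, plen = struct.unpack_from("<HB", pkt, 1)
    params = pkt[4:4 + plen]
    if len(params) != plen:
        return None  # truncated command: do not trust it
    return opcode, params


def check_mutual_authentication(packets):
    """Apply the control: PASS only if the host wrote
    Secure_Connections_Host_Support = 0x01 in the trace.
    Assumption (this example's choice): if the command appears more than
    once, the last write is the effective setting."""
    last_value = None
    for pkt in packets:
        parsed = parse_h4_command(pkt)
        if parsed is None:
            continue
        opcode, params = parsed
        if opcode == OPCODE_WRITE_SC_HOST_SUPPORT and len(params) == 1:
            last_value = params[0]
    if last_value is None:
        return "FAIL"  # command never issued: host did not enable Secure Connections
    return "PASS" if last_value == 0x01 else "FAIL"


def lmp_secure_connections_support(page1: bytes, page2: bytes):
    """Decode the two LMP extended-feature bits named in the Description:
    page 1 bit 3 = Secure Connections (Host Support),
    page 2 bit 8 = Secure Connections (Controller Support).
    Both cleared on the auditor's controller is the state the Description
    uses to test whether the target still accepts Legacy Authentication."""
    return {
        "host_support": bool(page1[0] & (1 << 3)),
        "controller_support": bool(page2[1] & (1 << 0)),
    }


# Constructed sample traces (H4 framing: type, opcode LE, param length, params).
CMD_RESET = bytes([0x01, 0x03, 0x0C, 0x00])                      # HCI_Reset
CMD_WRITE_SC_HOST_ENABLED = bytes([0x01, 0x7A, 0x0C, 0x01, 0x01])  # value 0x01
CMD_WRITE_SC_HOST_DISABLED = bytes([0x01, 0x7A, 0x0C, 0x01, 0x00])  # value 0x00
EVT_COMMAND_COMPLETE = bytes([0x04, 0x0E, 0x04, 0x01, 0x7A, 0x0C, 0x00])  # ignored (event)

TRACE_SECURE = [CMD_RESET, CMD_WRITE_SC_HOST_ENABLED, EVT_COMMAND_COMPLETE]
TRACE_DISABLED = [CMD_RESET, CMD_WRITE_SC_HOST_DISABLED, EVT_COMMAND_COMPLETE]
TRACE_MISSING = [CMD_RESET, EVT_COMMAND_COMPLETE]

# Constructed feature pages: host (page 1) and controller (page 2) both advertising SC.
PAGE1_SC_HOST = bytes([0x08]) + bytes(7)
PAGE2_SC_CONTROLLER = bytes([0x00, 0x01]) + bytes(6)

if __name__ == "__main__":
    for name, trace in [("secure", TRACE_SECURE), ("disabled", TRACE_DISABLED), ("missing", TRACE_MISSING)]:
        print(f"{name}: {check_mutual_authentication(trace)}")
    print(lmp_secure_connections_support(PAGE1_SC_HOST, PAGE2_SC_CONTROLLER))
```

In practice the packet list would be filled from the capture (for example by exporting the HCI command frames from Wireshark), and the feature pages from the Read Local Extended Features responses of the auditor's controller, so the script reports the same PASS/FAIL verdict the manual inspection above arrives at.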