There has been no shortage of Bluetooth related attacks disclosed in recent years, including BlueBorne and BadBlueTooth among numerous others. At the Black Hat USA 2020 virtual event on August 5, a new attack was added to the list of Bluetooth vulnerabilities, with the public disclosure of BlueRepli.
Security researchers Sourcell Xu and Xin Xin described the BlueRepli attack as a way to bypass Bluetooth authentication on Android phones, without detection. In a series of recorded demos, the researchers demonstrated how, with limited or no user interaction, they were able to abuse Bluetooth to steal a target device’s phone book as well as all of the SMS text messages it had received.
For reasons not fully shared by the researchers, the BlueRepli attack does not currently work on Apple iOS devices. Additionally, the researchers noted that they had disclosed the issues to Google and the Android Open Source Project (AOSP), but according to them, to date the issue has not been patched.
At the core of the BlueRepli attack is an abuse of what are known as Bluetooth Profiles. Xu explained that Bluetooth Profiles detail specific application scenarios that can be used to enable connectivity. For example, there is the Phone Book Access Profile (PBAP) to enable access to a user’s phone book, while the Message Access Profile (MAP) provides access to text messages.
Xu noted that a Bluetooth vulnerability disclosed in 2019 dubbed “BadBlueTooth” also took advantage of Bluetooth Profiles. In that attack scenario, however, the victim needed to install a malicious app, whereas with BlueRepli nothing needs to be installed. Any Android device within Bluetooth range can potentially be at risk from the BlueRepli attack.
To help demonstrate the attack and allow others to test, the researchers created a software project called BlueRepli Plus that is set to be demonstrated during the Black Hat Arsenal tools demonstration on August 6.
How BlueRepli Works
Xu explained that there are several typical Bluetooth pairing scenarios that users are familiar with. Among the most common is when a user is presented with a yes/no dialog box to accept a connection, or is shown a six-digit number that needs to be entered or confirmed.
There is, however, another option that is defined in the Bluetooth specification, known as ‘just works’ which, when triggered, can bypass the need for user interaction to enable a connection. With BlueRepli, the researchers claimed that it was possible to bypass the authentication in several ways including making use of the just works option.
Xu explained that in a deception-based attack, the attacker first obtains the victim’s Bluetooth address by simply scanning. The attacker then pretends to be a Bluetooth device carrying a well-known application name, such as Skype, and requests the phone book or short messages from the victim’s Android phone. Once the victim, misled by the deception, grants the attacker permission, the attacker can retrieve the data.
The other attack that Xu described is a vulnerability-based attack, in which the attacker first obtains two Bluetooth device addresses by scanning. The first is the victim’s Bluetooth address, while the second is the address of a device that has already been granted access permission by the victim, such as a Bluetooth headset belonging to the victim. The attacker changes their own address to the second address and then directly requests data (phone book and SMS) from the victim.
“Data will be passed back to the attacker without the victim’s knowledge,” Xu said.