SWRA675, May 2020. Applicable devices: CC2560, CC2560B, CC2564, CC2564B, CC2564C, CC2564MODA, CC2564MODN, WL1831MOD, WL1835MOD, WL1837MOD

PSIRT Notification

Bluetooth Basic Rate/Enhanced Data Rate – Bluetooth Impersonation Attacks (BIAS)

TI-PSIRT-2020-040043

CVEID: CVE-2020-10135

Publication date: May 18, 2020

Summary

Bluetooth® Special Interest Group (SIG) has issued recommendations based on findings from researchers at the École Polytechnique Fédérale de Lausanne (EPFL) regarding a potential security vulnerability, in which the attacking device spoofs the address of a previously paired remote device and successfully completes the authentication procedure with a paired/bonded device while not possessing the link key.

Affected products and versions

TI dual-mode Bluetooth controllers with BR/EDR support: CC256x, CC256xB, CC2564C, WL12xx and WL18xx.

Potentially impacted features

An attacking device would need to be within wireless range of a potentially vulnerable Bluetooth device that has bonded with a remote Bluetooth device known to the attacker. If the previous pairing procedure was completed using secure connections mode, the attacker claims to be the previously paired remote device but to no longer support secure connections, by clearing the corresponding bits in its feature mask (bits 67 and 136, secure connections host support and controller support). If the attacker can either downgrade authentication in this manner or is attacking a device that does not support secure connections, it initiates a master-slave role switch to place itself in the master role and thereby become the authentication initiator.

Suggested mitigations

Bluetooth SIG recommends that Bluetooth Erratum 11838 be implemented to mitigate this issue. Please see the details on TI’s implementation of the erratum. All TI dual-mode Bluetooth controllers have mechanisms to implement the Erratum 11838 minimum link key size, which ensures that the encryption stage exchange will fail. As a result, the attacker will be disconnected, and a re-pairing or mutual authentication process would be needed for the device to establish a connection.

Bluetooth SIG also recommends denying master-slave role switch during authentication and implementing mutual authentication. TI’s dual-mode Bluetooth controllers do not allow role switch during the authentication process. However, mutual authentication has not been implemented because of interoperability issues found in testing. For further details on the recommendations, please see the Bluetooth SIG notice regarding the Bluetooth Impersonation Attacks (BIAS).
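
A Python model, added here and not TI’s or the Bluetooth SIG’s code, of why one-way legacy authentication accepts an initiator that never proves possession of the link key, and how the countermeasures named above (denying role switch during authentication, mutual authentication, a minimum encryption key size) change the outcome. The E1 stand-in, the addresses, the link key and the 7-octet minimum are assumptions or constructed sample values, not values taken from this advisory.

```python
import hashlib, hmac, os

MIN_ENC_KEY_SIZE = 7  # octets; assumed Erratum 11838 floor, configurable per product

def sres(link_key, au_rand, claimant_addr):
    """Stand-in for the BR/EDR E1 response (model only: HMAC-SHA256 truncated to 32 bits)."""
    return hmac.new(link_key, au_rand + claimant_addr, hashlib.sha256).digest()[:4]

class Controller:
    def __init__(self, addr, link_key, mutual_auth):
        self.addr, self.link_key, self.mutual_auth = addr, link_key, mutual_auth  # link_key None: no bond
        self.authenticating = False

    def request_role_switch(self):
        """Deny a master-slave role switch while authentication is in progress (SIG recommendation)."""
        return not self.authenticating

    def respond(self, au_rand):
        """Claimant side: a peer without the link key can only answer with a guess."""
        key = self.link_key if self.link_key is not None else os.urandom(16)
        return sres(key, au_rand, self.addr)

    def verify(self, claimant):
        """Verifier side: challenge the claimant and check the response with the stored link key."""
        au_rand = os.urandom(16)
        expected = sres(self.link_key, au_rand, claimant.addr)
        return hmac.compare_digest(expected, claimant.respond(au_rand))

def authenticate(initiator, responder):
    """The initiator (master) verifies the responder; the responder verifies back only with mutual auth."""
    initiator.authenticating = responder.authenticating = True
    try:
        # A verifier holding no key has nothing to check: a rogue initiator simply reports success.
        ok = initiator.verify(responder) if initiator.link_key is not None else True
        if responder.mutual_auth:
            ok = ok and responder.verify(initiator)
        return ok
    finally:
        initiator.authenticating = responder.authenticating = False

def accept_encryption_key_size(proposed_octets):
    return proposed_octets >= MIN_ENC_KEY_SIZE  # reject key sizes below the erratum floor

def simulate(victim_mutual_auth, peer_has_key):
    """Constructed scenario: a bonded victim is contacted by an initiator using the bonded peer's address."""
    link_key, peer_addr = b"\x11" * 16, b"\x00\x1a\x7d\xda\x71\x14"  # constructed sample values
    victim = Controller(b"\x00\x1a\x7d\xda\x71\x13", link_key, victim_mutual_auth)
    peer = Controller(peer_addr, link_key if peer_has_key else None, mutual_auth=False)
    return authenticate(peer, victim)
```

With `victim_mutual_auth=False` the victim accepts an initiator that holds no key, which is the condition the advisory describes; with mutual authentication the same initiator fails the victim's own challenge.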

External references

  • Bluetooth SIG notice regarding the Bluetooth Impersonation Attacks (BIAS)
  • CVE-2020-10135
  • École Polytechnique Fédérale de Lausanne (EPFL)

Revision history

  • Version 1.0 Initial publication


Texas Instruments

© Copyright 1995-2025 Texas Instruments Incorporated. All rights reserved.