Paper 2024/900
Breaktooth: Breaking Security and Privacy in Bluetooth Power-Saving Mode
Abstract
With the increasing demand for Bluetooth devices, many Bluetooth devices support a power-saving mode to reduce power consumption. One feature of the power-saving mode is that Bluetooth sessions among devices are temporarily disconnected or close to being disconnected. Prior work has shown that the power-saving mode is vulnerable to denial of sleep (DoSL) attacks, which interfere with a Bluetooth device's transition into the power-saving mode and thereby increase its power consumption. However, to the best of our knowledge, no prior work has analyzed vulnerabilities or attacks on the state after the transition to the power-saving mode. To address this gap, we present an attack that abuses two novel vulnerabilities in sleep mode, one of the Bluetooth power-saving modes, to break Bluetooth sessions. We name the attack Breaktooth. The attack is the first to abuse these vulnerabilities as an entry point to hijack Bluetooth sessions between victims. It also allows overwriting the link key between the victims using the hijacked session, enabling arbitrary command injection on the victims. Furthermore, while many prior attacks assume that attackers can forcibly disconnect the Bluetooth session using methods such as jamming, our attack does not require such an assumption, making it more realistic. In this paper, we present the root causes of the Breaktooth attack and their impact. We also provide the technical details of how attackers can secretly detect the sleep mode of their victims: the attackers can easily recognize the state of the victim's Bluetooth session remotely using a standard Linux command. Additionally, we develop a low-cost toolkit to perform our attack and confirm its effectiveness. We then evaluate the attack on 17 types of commodity Bluetooth keyboards, mice and audio devices that support the sleep mode and show that the attack poses a serious threat to Bluetooth devices supporting the sleep mode. To prevent our attack, we present defenses and their proof-of-concept. We responsibly disclosed our findings to the Bluetooth SIG. We also released the toolkit as open-source.
Note: This paper will be updated from time to time.
Metadata
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- Bluetooth, power-saving mode, session hijack, spoofing, defenses
- Contact author(s)
- k_kimura @ stu kobe-u ac jp
- kuzuno @ port kobe-u ac jp
- zenmei @ port kobe-u ac jp
- mmorii @ kobe-u ac jp
- History
- 2024-12-06: last of 2 revisions
- 2024-06-06: received
- Short URL
- https://ia.cr/2024/900
- License
- CC BY
BibTeX
@misc{cryptoeprint:2024/900,
  author = {Keiichiro Kimura and Hiroki Kuzuno and Yoshiaki Shiraishi and Masakatu Morii},
  title = {Breaktooth: Breaking Security and Privacy in Bluetooth Power-Saving Mode},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/900},
  year = {2024},
  url = {https://eprint.iacr.org/2024/900}
}