Paper 2024/900

Breaktooth: Breaking Bluetooth Sessions Abusing Power-Saving Mode

Keiichiro Kimura, Kobe University
Hiroki Kuzuno, Kobe University
Yoshiaki Shiraishi, Kobe University
Masakatu Morii, Kobe University
Abstract

With the increasing demand for Bluetooth devices, various Bluetooth devices support a power-saving mode to reduce power consumption. One feature of the power-saving mode is that the Bluetooth sessions among devices are temporarily disconnected or close to being disconnected. Prior works have shown that the power-saving mode is vulnerable to denial of sleep (DoSL) attacks, which interfere with the transition of Bluetooth devices to the power-saving mode and thereby increase their power consumption. However, to the best of our knowledge, no prior work has analyzed vulnerabilities or attacks on the state after the transition to the power-saving mode. To address this gap, we present an attack that abuses two novel vulnerabilities in sleep mode, one of the Bluetooth power-saving modes, to break Bluetooth sessions. We name the attack Breaktooth. The attack is the first to abuse these vulnerabilities as an entry point to hijack Bluetooth sessions between victims. The attack also allows overwriting the link key between the victims using the hijacked session, enabling arbitrary command injection on the victims. Furthermore, while many prior attacks assume that attackers can forcibly disconnect the Bluetooth session using methods such as jamming before launching their attacks, our attack requires no such assumption, making it more realistic. In this paper, we present the root causes of the Breaktooth attack and their impact. We also provide the technical details of how attackers can secretly detect the sleep mode of their victims: the attacker can easily recognize the state of the victim's Bluetooth session remotely using a standard Linux command. Additionally, we develop a low-cost toolkit to perform our attack and confirm its effectiveness. We then evaluate the attack on 13 types of commodity Bluetooth keyboards and mice that support sleep mode and show that the attack poses a serious threat to Bluetooth devices supporting sleep mode. To counter our attack, we present defenses and their proof-of-concept. We responsibly disclosed our findings to the Bluetooth SIG.

Note: This paper will be updated from time to time.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Bluetooth, power-saving mode, session hijack, spoofing, defenses
Contact author(s)
k_kimura @ stu kobe-u ac jp
kuzuno @ port kobe-u ac jp
zenmei @ port kobe-u ac jp
mmorii @ kobe-u ac jp
History
2024-06-06: approved
2024-06-06: received
Short URL
https://ia.cr/2024/900
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/900,
      author = {Keiichiro Kimura and Hiroki Kuzuno and Yoshiaki Shiraishi and Masakatu Morii},
      title = {Breaktooth: Breaking Bluetooth Sessions Abusing Power-Saving Mode},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/900},
      year = {2024},
      url = {https://eprint.iacr.org/2024/900}
}