Breaktooth: Breaking Bluetooth Sessions Abusing Power-Saving Mode

Keiichiro Kimura; Hiroki Kuzuno; Yoshiaki Shiraishi; Masakatu Morii

Paper 2024/900

Breaktooth: Breaking Bluetooth Sessions Abusing Power-Saving Mode

Keiichiro Kimura

, Kobe University

Hiroki Kuzuno

, Kobe University

Yoshiaki Shiraishi

, Kobe University

Masakatu Morii

, Kobe University

Abstract

With the increasing demand for Bluetooth devices, various Bluetooth devices support a power-saving mode to reduce power consumption. One of the features of the power-saving mode is that the Bluetooth sessions among devices are temporarily disconnected or close to being disconnected. Prior works have analyzed that the power-saving mode is vulnerable to denial of sleep (DoSL) attacks that interfere with the transition to the power-saving mode of Bluetooth devices, thereby increasing its power consumption. However, to the best of our knowledge, no prior work has analyzed vulnerabilities or attacks on the state after transitioning to the power-saving mode. To address this issue, we present an attack that abuses two novel vulnerabilities in sleep mode, which is one of the Bluetooth power-saving modes, to break Bluetooth sessions. We name the attack Breaktooth. The attack is the first to abuse the vulnerabilities as an entry point to hijack Bluetooth sessions between victims. The attack also allows overwriting the link key between the victims using the hijacked session, enabling arbitrary command injection on the victims. Furthermore, while many prior attacks assume that attackers can forcibly disconnect the Bluetooth session using methods such as jamming to launch their attacks, our attack does not require such assumptions, making it more realistic. In this paper, we present the root causes of the Breaktooth attack and their impact. We also provide the technical details of how attackers can secretly detect the sleep mode of their victims. The attackers can easily recognize the state of the victim's Bluetooth session remotely using a standard Linux command. Additionally, we develop a low-cost toolkit to perform our attack and confirm the effectiveness of our attack. Then, we evaluate the attack on 13 types of commodity Bluetooth keyboards and mice that support the sleep mode and show that the attack poses a serious threat to Bluetooth devices supporting the sleep mode. To fix our attack, we present defenses and its proof-of-concept. We responsibly disclosed our findings to the Bluetooth SIG.

Note: This paper will be updated from time to time.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Preprint.
Keywords: Bluetooth power-saving mode session hijack spoofing defenses
Contact author(s): k_kimura @ stu kobe-u ac jp
kuzuno @ port kobe-u ac jp
zenmei @ port kobe-u ac jp
mmorii @ kobe-u ac jp
History: 2024-06-06: approved; 2024-06-06: received; See all versions
Short URL: https://ia.cr/2024/900
License: CC BY

BibTeX

@misc{cryptoeprint:2024/900,
      author = {Keiichiro Kimura and Hiroki Kuzuno and Yoshiaki Shiraishi and Masakatu Morii},
      title = {Breaktooth: Breaking Bluetooth Sessions Abusing Power-Saving Mode},
      howpublished = {Cryptology ePrint Archive, Paper 2024/900},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/900}},
      url = {https://eprint.iacr.org/2024/900}
}