2023 saw several security flaws across the tech sector. The latest one relates to Bluetooth connectivity.
The latest flaw is called BLUFFS. It makes it possible to break the secrecy of Bluetooth sessions, allowing device impersonation and man-in-the-middle (MitM) attacks.
BLUFFS is the new Bluetooth flaw
BLUFFS exploits two previously unknown flaws in the Bluetooth standard relating to the way session keys are derived to decrypt exchanged data. Crucially, they are not specific to hardware or software configurations but are instead “architectural”, in the sense that they affect Bluetooth at a fundamental level.
The issues in question are tracked under the identifier CVE-2023-24023 and affect the Bluetooth Core Specification from version 4.2 (launched in 2014) to version 5.4 (released in February 2023).
BLUFFS could put the security of billions of devices at risk, including notebooks, smartphones and other mobile devices.
BLUFFS leverages a variety of exploits. Executing the attack assumes the attacker is within Bluetooth range of the two devices exchanging data and impersonates one of them to negotiate a weak session key with the other.
EURECOM staff put the potential of BLUFFS to the test by simulating six attacks against various devices. The results are summarized in the following table, which includes smartphones (Android and iOS), headphones and other devices: