
Kamolchanok Saengtong


BLERP: Bluetooth Low Energy Re-Pairing Attack😡🛜👿

printf("Hello world!");
I'm back again, lol
ofc, if I'm back there's sth I need to share with y'all again, and this time... kinda different (I guess?)
Most of the blogs I have written so far involved Machine Learning (ML) security. However, this time let's talk about sth new that doesn't involve ML security, since y'all might be alr bored of it (LMFAOOO)

This time, we will talk about BLERP, or Bluetooth Low Energy Re-Pairing, which I have never learnt about before.... (seriously!)
So, let's learn this topic together in this post then!!!

Short summary version this time, btw... since I got feedback from my friends that some of my posts were too long....

First of all... what is a Bluetooth Low Energy Re-Pairing Attack??
Let's study the basic concept first...
When we talk about normal Bluetooth, we mean 2 devices (like Device A and Device B) that would like to connect to each other. Their first pairing (like the first meeting) requires creating a secret key (like a password, let's name it PK) which will be used during that session to communicate with each other securely (basic, right?😏)

What about the second meeting? What if they would like to re-pair again??

That's so easy, they just need to create a new key again!!
So just create PK_NEW, that's all we need!!!!

But do u see any problem here? Yeah, you just need to create the new key (PK_NEW) to verify each other before communicating, but....
How are you gonna know that the one who creates the new key and communicates with you is the same device you talked to before??

This is the biggest security problem, because the device never uses PK_OLD from the old session to verify that it is the same device you talked to before!!

This is where the attacker could perform the attack!!!!
The attacker could trick your device into believing they are the device you talked to before, without you even realizing it!!!!

Let's simulate this scenario
Alice = your iPhone 16 Plus
Bob = keyboard
Charlie = attacker (the villain)

This vulnerability can lead to these attacks:

  • BLERP Peripheral Impersonation
    Charlie can just pretend to be Bob (Alice re-pairs with Charlie instead of Bob!!!)

  • BLERP Central Impersonation
    Charlie can just pretend to be Alice and re-pair with Bob!!

  • Man-in-the-Middle
    Charlie can just sit between Alice and Bob and listen to your communication (including the password you are typing)

  • Double MitM (Manipulator final boss💀)

Charlie can just pretend to connect with both Alice and Bob separately, which means:
Alice thinks Charlie is Bob...
Bob thinks Charlie is Alice

This way... Charlie can control many things bro...

How can these attacks happen...?

  • No authentication

  • Security downgrade

  • Weak key

  • Attacker can force the device to reconnect (re-pairing after a session establishment error)

Ok... now we know the root problems... let's see how we can solve this???

  • Bind the new key to the old key (since Charlie doesn't know the old key)

  • If something goes wrong during connection, DON’T immediately re-pair

  • Enforce security before = security after re-pairing

  • Or another way: enforce that the new security level must be equal to or stronger than the original pairing

  • Optional : Show warning if something suspicious happens

  • We can also use a hash to protect the integrity of the communication as well... (easy method!!)

  • Integrate the previous fixes into the Bluetooth standard... (ideal, but not enough anyway since old devices might not get any updates...)
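To make the first three fixes concrete, here is a small Python simulation I added for this post (it is not code from the original article or from any Bluetooth stack). It models pairing as a toy: `first_pairing` stands in for the real key exchange with random bytes, `naive_repair` is the weak behaviour where PK_NEW simply replaces PK_OLD, and `bound_repair` is the hardened version that derives PK_NEW from PK_OLD plus a fresh secret, checks a key-confirmation tag, and refuses any security downgrade. The device names, the security level numbers and the "repair-confirm" label are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed security levels: a larger number means a stronger pairing mode.
LEVEL_UNAUTHENTICATED = 1
LEVEL_AUTHENTICATED = 2


class Device:
    """Minimal model of one BLE side. bonds maps peer name -> (key, level)."""

    def __init__(self, name):
        self.name = name
        self.bonds = {}

    def derive_repair_key(self, peer_name, fresh_secret):
        """Bind PK_NEW to PK_OLD: anyone who lacks PK_OLD derives a different key."""
        old_key, _ = self.bonds[peer_name]
        return hashlib.sha256(old_key + fresh_secret).digest()


def first_pairing(a, b, level):
    """Constructed stand-in for the initial key exchange: both sides store the same PK."""
    pk = os.urandom(32)
    a.bonds[b.name] = (pk, level)
    b.bonds[a.name] = (pk, level)
    return pk


def confirmation(key):
    """Key-confirmation tag: proves the sender holds `key` without revealing it."""
    return hmac.new(key, b"repair-confirm", hashlib.sha256).digest()


def naive_repair(victim, peer_name, new_key, level):
    """The weakness the post describes: PK_NEW replaces PK_OLD with no link to the old session."""
    victim.bonds[peer_name] = (new_key, level)
    return True


def bound_repair(victim, peer_name, fresh_secret, level, peer_confirmation):
    """Hardened re-pairing: refuse downgrades and refuse peers that cannot bind to PK_OLD."""
    if peer_name not in victim.bonds:
        return False                      # unknown peer: this is not a re-pair at all
    _, old_level = victim.bonds[peer_name]
    if level < old_level:
        return False                      # security downgrade
    expected_key = victim.derive_repair_key(peer_name, fresh_secret)
    if not hmac.compare_digest(confirmation(expected_key), peer_confirmation):
        return False                      # peer does not know PK_OLD -> impersonator
    victim.bonds[peer_name] = (expected_key, level)
    return True


def simulate():
    """Run the four cases and return which re-pairings were accepted."""
    alice = Device("Alice")
    bob = Device("Bob")
    charlie = Device("Charlie")
    first_pairing(alice, bob, LEVEL_AUTHENTICATED)

    # Charlie never saw PK_OLD; he only holds a key of his own (constructed).
    charlie.bonds["Alice"] = (os.urandom(32), LEVEL_AUTHENTICATED)
    fresh = os.urandom(16)

    # 1. naive policy: Charlie's key is accepted, Alice now "trusts" Charlie as Bob
    naive_ok = naive_repair(alice, "Bob", charlie.derive_repair_key("Alice", fresh),
                            LEVEL_AUTHENTICATED)

    # reset Alice's bond with Bob for the hardened runs
    first_pairing(alice, bob, LEVEL_AUTHENTICATED)

    # 2. bound policy: Charlie's confirmation tag does not match -> rejected
    charlie_key = charlie.derive_repair_key("Alice", fresh)
    charlie_ok = bound_repair(alice, "Bob", fresh, LEVEL_AUTHENTICATED, confirmation(charlie_key))

    # 3. bound policy: real Bob, but asking for a weaker mode -> downgrade rejected
    bob_key = bob.derive_repair_key("Alice", fresh)
    downgrade_ok = bound_repair(alice, "Bob", fresh, LEVEL_UNAUTHENTICATED, confirmation(bob_key))

    # 4. bound policy: real Bob at the original level -> accepted, both sides share PK_NEW
    bob_ok = bound_repair(alice, "Bob", fresh, LEVEL_AUTHENTICATED, confirmation(bob_key))
    keys_match = alice.bonds["Bob"][0] == bob_key

    return {"naive": naive_ok, "impersonator": charlie_ok,
            "downgrade": downgrade_ok, "bob": bob_ok, "keys_match": keys_match}


if __name__ == "__main__":
    for case, accepted in simulate().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Note that `bound_repair` refuses a peer it has no bond with, so the "don't immediately re-pair on a session error" fix matters here too: if the error handler deletes the stored PK_OLD, the device falls back to a fresh first pairing and the binding check has nothing to bind to.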

This is the basic concept of the Bluetooth Low Energy Re-Pairing Attack😡🛜👿 for today!!!! That's all!!!!

see y'all next post...
