BlueBump is an attack in which the attacker first gets the victim's Bluetooth device to accept a connection, then abuses that still-open connection to have the victim's stored link key deleted and regenerated. The regenerated key is stored as a normal, trusted pairing, so the attacker can reconnect to the device at will from then on.
What is a link key?
To protect the data it carries, Bluetooth authenticates devices before they talk to each other. In the legacy pairing model described here (the PIN-based scheme used before Secure Simple Pairing was introduced in Bluetooth 2.1), the user of each device enters a PIN when two devices pair for the first time. A verification exchange then runs, and a connection is only established if the other device proves it holds the right key.
When device A wants to communicate with device B, both devices enter the same PIN. From that PIN, together with the device address and a random value exchanged during pairing, each side derives the same 128-bit link key; the PIN itself is never sent over the air. Device A (the verifier) then sends a 128-bit random challenge to device B (the claimant). Device B feeds its 48-bit device address (BD_ADDR), the link key and the challenge into the E1 algorithm, which yields a 32-bit response, and sends that response to device A. Device A computes the same value from its own copy of the link key and establishes the connection only if the two match. Note what this implies: anyone holding a valid link key for the device can answer the challenge, which is exactly what BlueBump sets out to obtain.
How is a BlueBump Attack perpetrated?
BlueBump takes its name from lock bumping: a bump key opens a lock without the key it was cut for. In the same way the attacker turns a single, briefly accepted connection into a link key that reopens the victim's device at any later time.
The attack proceeds in a few steps:
The attacker uses social engineering to make the victim's device open a Bluetooth connection to the attacker's device. A common pretext is sending a business card (vCard): to receive it, the victim accepts the incoming connection and pairs with the attacker's device.
The attacker keeps that connection open and talks the victim into deleting the link key for the attacker's device, for example by "unpairing" it, so the victim believes the trust relationship is gone. Deleting the key does not tear down the connection that is already established.
With the connection still open, the attacker asks the victim's device to regenerate the link key. Because the request arrives over an existing connection, the device performs the regeneration without prompting the user for a PIN or confirmation.
The victim's device now holds a fresh link key that it treats as a legitimate pairing, and the attacker holds the matching copy. The attacker can disconnect and reconnect at any time with the full access that pairing grants, and this persists until that link key is deleted again.
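The link-key derivation and E1 challenge-response described in the section above, and the four BlueBump steps, are simulated end to end below as an added example; this is not code from the original article or from any real Bluetooth stack. Two assumptions are baked in and labelled in the code: HMAC-SHA256 stands in for the specification's SAFER+-based E22/E1 functions so the flow runs anywhere, and the vulnerable behaviour is modelled as a device that treats an already-open connection as sufficient trust to regenerate a link key after the stored one was deleted, while a hardened variant refuses and requires a user-confirmed re-pairing. The device addresses, PIN and function names are constructed for the example.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, *parts: bytes, length: int) -> bytes:
    """Stand-in key derivation. Assumption: HMAC-SHA256 replaces the
    specification's SAFER+-based E22/E21/E1 so the exchange runs anywhere."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:length]


def link_key_from_pin(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """128-bit link key from the PIN, a 48-bit BD_ADDR and a random value sent
    in the clear during pairing (E22-like). The PIN never goes over the air."""
    return kdf(pin, bd_addr, in_rand, length=16)


def e1_response(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """32-bit SRES: the claimant's answer to a 128-bit challenge (E1-like)."""
    return kdf(link_key, au_rand, bd_addr, length=4)


class Device:
    """Minimal legacy-pairing Bluetooth device: a link-key store plus open links."""

    def __init__(self, bd_addr: bytes, hardened: bool = False) -> None:
        if len(bd_addr) != 6:
            raise ValueError("BD_ADDR must be 48 bits")
        self.bd_addr = bd_addr
        self.link_keys: dict[bytes, bytes] = {}   # peer BD_ADDR -> stored link key
        self.open_links: set[bytes] = set()       # peers with a live connection
        self.hardened = hardened

    def pair(self, peer: "Device", pin: bytes) -> None:
        """Both users enter the same PIN; both sides derive and store one link key."""
        in_rand = os.urandom(16)
        key = link_key_from_pin(pin, peer.bd_addr, in_rand)
        self.link_keys[peer.bd_addr] = key
        peer.link_keys[self.bd_addr] = key
        self.open_links.add(peer.bd_addr)
        peer.open_links.add(self.bd_addr)

    def respond(self, verifier: "Device", au_rand: bytes) -> bytes:
        """Claimant side of authentication: answer the challenge with our stored key."""
        key = self.link_keys.get(verifier.bd_addr, bytes(16))
        return e1_response(key, au_rand, self.bd_addr)

    def authenticate(self, claimant: "Device") -> bool:
        """Verifier side: send AU_RAND, compare the SRES with our own E1 result."""
        key = self.link_keys.get(claimant.bd_addr)
        if key is None:
            return False                           # no link key: the user must re-pair
        au_rand = os.urandom(16)
        expected = e1_response(key, au_rand, claimant.bd_addr)
        if not hmac.compare_digest(claimant.respond(self, au_rand), expected):
            return False
        self.open_links.add(claimant.bd_addr)
        claimant.open_links.add(self.bd_addr)
        return True

    def disconnect(self, peer: "Device") -> None:
        self.open_links.discard(peer.bd_addr)
        peer.open_links.discard(self.bd_addr)

    def delete_link_key(self, peer: "Device") -> None:
        """The user 'unpairs' the peer. An already-open connection is left open."""
        self.link_keys.pop(peer.bd_addr, None)

    def regenerate_link_key(self, peer: "Device") -> bool:
        """Handle a link-key change request arriving over an open connection.

        Vulnerable (modelled) behaviour: the live connection alone is taken as
        proof of trust, so a fresh key is derived with no PIN and no user prompt.
        Hardened behaviour: with no stored key for this peer, refuse; a new key
        may only come from a user-confirmed pairing.
        """
        if peer.bd_addr not in self.open_links:
            return False
        if self.hardened and peer.bd_addr not in self.link_keys:
            return False
        rand_a, rand_b = os.urandom(16), os.urandom(16)  # exchanged over the link
        new_key = kdf(rand_a, rand_b, self.bd_addr, peer.bd_addr, length=16)
        self.link_keys[peer.bd_addr] = new_key
        peer.link_keys[self.bd_addr] = new_key
        return True


def run_bluebump(hardened: bool) -> bool:
    """Play the four steps and report whether the attacker can later
    re-authenticate with no further user action. Addresses and PIN are
    constructed for the example."""
    victim = Device(bytes.fromhex("001122334455"), hardened=hardened)
    attacker = Device(bytes.fromhex("66778899aabb"))
    attacker.pair(victim, pin=b"0000")      # 1. victim accepts the 'business card'
    victim.delete_link_key(attacker)        # 2. link stays open; victim unpairs
    victim.regenerate_link_key(attacker)    # 3. attacker asks for regeneration
    attacker.disconnect(victim)             # 4. later: reconnect and authenticate
    return victim.authenticate(attacker)


if __name__ == "__main__":
    print("vulnerable device, attacker re-authenticates:", run_bluebump(False))
    print("hardened device, attacker re-authenticates:", run_bluebump(True))
```

The simulation isolates the one decision that makes the attack work: whether an existing connection, by itself, is enough authority to mint a new link key. On the modelled vulnerable device the attacker comes back and passes the E1 challenge with no user involvement; on the hardened device the missing stored key forces a fresh PIN pairing, which the user would notice.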
A few practical steps reduce exposure to this and similar Bluetooth attacks:
Turn Bluetooth off when it is not in use, and leave discoverable mode off unless you are actively pairing.
Configure the device to use the lowest transmit power that meets your needs. Class 3 devices transmit at 1 mW with a nominal range of around a metre, Class 2 at 2.5 mW with around 10 metres, and Class 1 at 100 mW with around 100 metres. These are nominal figures: an attacker with a directional antenna can reach a device from well beyond them, so lowering power shrinks the attack surface but does not eliminate it.
Do not store pairing PINs permanently on the device, review the list of paired devices regularly, and remove any pairing you do not recognise: a BlueBump pairing only works for as long as its link key remains stored. Accept incoming connection and pairing requests, business cards included, only from devices you are expecting.
Be aware of these Bluetooth weaknesses so that you can protect your devices properly; stay safe and stay secure.