Tamarin-Based Analysis of Bluetooth Uncovers Two Practical Pairing Confusion Attacks

Tristan Claverie, Gildas Avoine, Stéphanie Delaune, and José Lopes-Esteves. Tamarin-Based Analysis of Bluetooth Uncovers Two Practical Pairing Confusion Attacks. In Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS'23) - Part III, pp. 100–119, Lecture Notes in Computer Science 14346, Springer, The Hague, The Netherlands, 2023.

Download

[PDF] 

Abstract

This paper provides a Tamarin-based formal analysis of all key-agreement protocols available in Bluetooth technologies, i.e., Bluetooth BR/EDR, Bluetooth Low Energy, and Bluetooth Mesh. The automated analysis found several unreported attacks, including two attacks that exploit the confusion of Pairing modes, which occurs when one communicating party uses the Secure Pairing mode while the other one uses the Legacy Pairing mode. Both attacks have been validated in practice using off-the-shelf implementations for the genuine communicating parties, and a custom BR/EDR machine-in-the-middle framework for the attacker. Our attacks have been reported by Bluetooth SIG as CVEs.

BibTeX

@inproceedings{CADL-esorics23,
  abstract     = {This paper provides a Tamarin-based formal analysis of all key-agreement protocols available in Bluetooth technologies,
                  i.e., Bluetooth BR/EDR, Bluetooth Low Energy, and Bluetooth Mesh. The automated analysis found several unreported attacks,
                  including two attacks that exploit the confusion of Pairing modes, which occurs when one communicating party uses the Secure
                  Pairing mode while the other one uses the Legacy Pairing mode. Both attacks have been validated in practice using off-the-shelf
                  implementations for the genuine communicating parties, and a custom BR/EDR machine-in-the-middle framework for the attacker.
                  Our attacks have been reported by Bluetooth SIG as CVEs.},
  author       = {Tristan Claverie and
                  Gildas Avoine and
                  St{\'{e}}phanie Delaune and
                  Jos{\'{e}} Lopes{-}Esteves},
  editor       = {Gene Tsudik and
                  Mauro Conti and
                  Kaitai Liang and
                  Georgios Smaragdakis},
  title        = {Tamarin-Based Analysis of Bluetooth Uncovers Two Practical Pairing
                  Confusion Attacks},
  booktitle    = {{P}roceedings of the 28th European Symposium on Research
                  in Computer Security ({ESORICS}'23) - Part III},
  address      = {The Hague, The Netherlands},
  month        = {9},
  series       = {Lecture Notes in Computer Science},
  volume       = {14346},
  pages        = {100--119},
  publisher    = {Springer},
  year         = {2023},
  lsv-category = {intc},
  wwwpublic    = {public and ccsb},
}