Skip to main content

Breaking the Bluetooth Pairing – The Fixed Coordinate Invalid Curve Attack

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11959)

Abstract

Bluetooth is a widely deployed standard for wireless communications between mobile devices. It uses authenticated Elliptic Curve Diffie-Hellman for its key exchange. In this paper we show that the authentication provided by the Bluetooth pairing protocols is insufficient and does not provide the promised MitM protection. We present a new attack that modifies the y-coordinates of the public keys (while preserving the x-coordinates). The attack compromises the encryption keys of all of the current Bluetooth authenticated pairing protocols, provided both paired devices are vulnerable. Specifically, it successfully compromises the encryption keys of 50% of the Bluetooth pairing attempts, while in the other 50% the pairing of the victims is terminated. The affected vendors have been informed and patched their products accordingly, and the Bluetooth specification had been modified to address the new attack. We named our new attack the “Fixed Coordinate Invalid Curve Attack”. Unlike the well known “Invalid Curve Attack” of Biehl et al. [2] which recovers the private key by sending multiple specially crafted points to the victim, our attack is a MitM attack which modifies the public keys in a way that lets the attacker deduce the shared secret.

This research was partially supported by the Technion Hiroshi Fujiwara cyber security research center and the Israel national cyber directorate.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-38471-5_11
  • Chapter length: 24 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-38471-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.
Fig. 9.

Notes

  1. 1.

    Note that all of the implementations we tested did not add this validation voluntarily.

  2. 2.

    Tested on Nexus 5X devices with Android version 8.1.

  3. 3.

    The examined Bluetooth adapters were: Qualcomm’s QCA6174A, Broadcom’s BCM4358 and Intel’s 8265.

References

  1. Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_16

    CrossRef  MATH  Google Scholar 

  2. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_8

    CrossRef  Google Scholar 

  3. Diffie, W., Hellman, M.E.: New directions in cryptography. Trans. Inf. Theory IT–22(6), 644–654 (1976)

    MathSciNet  CrossRef  Google Scholar 

  4. Bluetooth Special Interest Group: Specification of the bluetooth system v2.0. 0 (2004)

    Google Scholar 

  5. Bluetooth Special Interest Group: Specification of the bluetooth system v3.0. 0 (2009)

    Google Scholar 

  6. Bluetooth Special Interest Group: Specification of the bluetooth system v4.0. 0 (2010)

    Google Scholar 

  7. Bluetooth Special Interest Group: Specification of the bluetooth system v4.2. 0 (2014)

    Google Scholar 

  8. Bluetooth Special Interest Group: Specification of the bluetooth system v5.0. 0 (2016)

    Google Scholar 

  9. IEEE: Specification of the bluetooth system v1.0b. 1 (1999)

    Google Scholar 

  10. IEEE: Specification of the bluetooth system v1.1. 1 (2001)

    Google Scholar 

  11. Jager, T., Schwenk, J., Somorovsky, J.: Practical invalid curve attacks on TLS-ECDH. In: Computer Security – ESORICS 2015, vol. 1880, pp. 407–425 (2000)

    CrossRef  Google Scholar 

  12. Landrock, P., Kjaersgaard, J.U.: Protecting against security attack. US Patent 8077866 B2 (2013)

    Google Scholar 

  13. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)

    MathSciNet  CrossRef  Google Scholar 

  14. National Institute of Standards and Technology: Federal information processing standards publication 186-2 (2000)

    Google Scholar 

  15. Ossmann, M.: Project Ubertooth. http://ubertooth.sourceforge.net

  16. Ryan, M.: Crackle cracks BLE encryption. https://github.com/mikeryan/crackle

  17. Ryan, M.: With low energy comes low security. In: USENIX WOOT, p. 4 (2013)

    Google Scholar 

  18. Securing. Gattack. http://gattack.io

  19. Song, J.H., Poovendran, R., Lee, J., Iwata, T.: The AES-CMAC Algorithm (4493), pp. 1–20, June 2006

    Google Scholar 

  20. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Eli Biham or Lior Neumann .

Editor information

Editors and Affiliations

A Bluetooth Versions

A Bluetooth Versions

Bluetooth has several versions. Each new version introduces extended capabilities or a complete new set of sub-protocols.

The initial releases of Bluetooth, versions 1.0 and 1.0B [9], had many problems, and manufacturers had difficulty making their products interoperable. The manufacturers included a mandatory Bluetooth hardware device address (BD_ADDR) for transmission in the connecting process, which made anonymity impossible at the protocol level. This was a major setback for certain services planned for use in Bluetooth environments.

Bluetooth versions 1.1 [10] introduced major improvements over their predecessors and addressed many of the errors found in v1.0B. New features were added, among them: RSSI for measurement of the power present in a received radio signal, faster connection, faster discovery, adaptive frequency-hopping and higher transmission speeds.

Version 2.0 [4] was released in 2004. It introduced an even faster data transfer with throughput of up to 3 Mbit/s. The throughput enhancement was due to the use of GFSK and PSK modulation. This new method of modulation is called EDR, or Enhanced Data Rate, while the older modulation is called BR, or Basic Rate. When both of the modulations are implemented together it is called BR/EDR.

Version 2.1 of the protocol added secured pairing named Secure Simple Pairing (SSP) to support Man-in-the-Middle (MitM) protection using authenticated Diffie-Hellman during the pairing stage.

Bluetooth 3.0 [5] introduced the support for an alternative MAC/PHY (AMP). AMP is a new feature, allowing the use of an alternative data channel. While the negotiation and establishment are still performed similarly to former versions, the data flow uses an alternative MAC PHY 802.11 (typically associated with Wi-Fi). The 802.11 standard defines different protocols for the physical layer and for the link layer. It is characterized by a high transfer-rate and a relatively high signal range. After the connection is established the 802.11 link encapsulates the data packets of the BT established connection. The result is a much higher transfer rate of up to 24 Mbit/s. This new feature was intended to allow streaming over Bluetooth, whose throughput was still poor compared to other protocols.

Bluetooth Core Specification version 4.0 [6] introduced a new modulation mode and link layer packet format called Bluetooth Low Energy (BTLE). BTLE is intended for use in low power embedded devices. It was rapidly adopted by various consumer devices, such as smart phones, wearable technology, sports tracking devices and recently even health and medical equipment. BTLE PHY divides the RF spectrum into 40 channels, each of which is 2 MHz in width, from 2402 MHz to 2482MHz. Three of those 40 channels are labeled as advertising channels used for pairing and discovery packets. The rest are labeled as data channels, used for establishing connections and transmission of the data. The link layer was also redesigned and a new pairing protocol was added.

On December 2014, core specification 4.2 [7] was introduced, providing several new features to the BTLE protocol intended to make it the main protocol for the IoT (Internet of Things). These features include a new LE Secure Connections mode, as well as several security and privacy related features.

The latest version of Bluetooth, released on December 2016 was version 5.0 [8]. The new version added several performance features for Bluetooth Low Energy, most of them in the physical layer of the protocol. Among the new features were extended range, higher throughput and higher advertisement capacity.

In this paper we study the pairing protocols SSP used by Bluetooth BR/EDR and LE Secure Connections used by Bluetooth Low Energy. These are the only secure pairing protocols to date.

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Biham, E., Neumann, L. (2020). Breaking the Bluetooth Pairing – The Fixed Coordinate Invalid Curve Attack. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-38471-5_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-38470-8

  • Online ISBN: 978-3-030-38471-5

  • eBook Packages: Computer ScienceComputer Science (R0)