It's called "Bluffs", as in poker, but it has nothing to do with the card game. It is a security flaw in Bluetooth that threatens the privacy of billions of users of the technology, on devices ranging from smartphones, laptops, tablets, smartwatches, iPhones, iPads, Android devices, Macs and Windows machines to cars.
The flaw affects most devices manufactured from 2014 to the present and is independent of the supported Bluetooth version. Bluffs, which stands for "Bluetooth Forward and Future Secrecy," concerns the security keys established to encrypt connections and so protect them from a nearby attacker. The flaw was discovered by the Italian researcher Daniele Antonioli, originally from Pesaro, associate professor of computer security at Eurecom, a French research center of excellence in Sophia Antipolis.
"With Bluffs, an attacker is able to establish a weak key between two devices and then compromise it and force its use over time," he explains. Antonioli presented his work at the ACM SIGSAC Conference on Computer and Communications Security (CCS '23), which took place in Copenhagen from 27 to 29 November.
The vulnerabilities discovered concern "two security properties called forward secrecy and future secrecy," the researcher adds. The first is supposed to protect our data exchanged in the past, including sensitive data, from an attack that compromises a secure connection in the present. The second should protect the data exchanged in future connections when the present one is compromised. "It's like being able to hack into an account that is password-protected and requires the password to be changed every month, forcing the victim to reuse the compromised password over time. It's the first research study on the forward and future secrecy of Bluetooth, and there could be more in the future."
In a post on his personal website, Antonioli released the toolkit for testing the attacks, the research paper and the slides of the presentation given at the CCS conference. Bluffs is tracked in the worldwide vulnerability database as CVE-2023-24023. The Bluetooth SIG consortium has already published a security advisory about the flaw.
All rights reserved © Copyright ANSA