Potential hackers can use BlueRepli Bluetooth attack to steal confidential information from your Android smartphones/tablets
Security researchers have discovered a new way to exploit Bluetooth connectivity in Android devices to steal a victim's contact information, text messages, call logs and more. Sourcell Xu and Xin Xin of DBAPPSecurity found a way to abuse the Bluetooth connection to Android smartphones and tablets and reach the Phone Book Access Profile (PBAP), which exposes the user's phone book, and the Message Access Profile (MAP), which exposes text messages. They call the new method the BlueRepli Bluetooth attack.
Like the "BadBlueTooth" vulnerability discovered in 2019, BlueRepli takes advantage of Bluetooth profiles. To exploit BadBlueTooth, the threat actor needed the victim to download and install a malicious app; with BlueRepli, no such installation is required. The BlueRepli Bluetooth attack makes it possible for a potential hacker to target any Android device within Bluetooth range.
How does BlueRepli Bluetooth attack work?
Normally, Bluetooth pairing takes place when the user receives a YES/NO prompt on his or her Android smartphone to accept or reject the pairing. Some Android smartphones instead display a pairing code that must be entered to establish the connection. However, there is a third pairing mode, called 'Just Works'.
Just Works is the default pairing method for most BLE deployments. In BLE legacy pairing, the Temporary Key (TK) value that the devices use during the second phase of pairing is set to 0, and the devices generate the Short Term Key (STK) from that. Just Works pairing is defined in the Bluetooth specification and is considered very insecure. Xu of DBAPPSecurity says it was possible to bypass authentication in several ways, including by making use of the Just Works option.
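To make concrete why the article calls Just Works insecure, the following Go program (added by the editor; it is not code from the article, from DBAPPSecurity or from the BlueRepli tool) implements the legacy-pairing key generation function s1 from the Bluetooth Core Specification and derives the STK the way Just Works and Passkey Entry do. The nonces are constructed sample values, not captured data; the point it shows is that with TK fixed at 0 the STK is a pure function of the two nonces, so the only secret that can protect the STK is the TK that Just Works does not have.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// s1 is the BLE legacy-pairing key generation function from the Bluetooth Core
// Specification (Vol 3, Part H, 2.2.4): s1(k, r1, r2) = AES-128_k(r1' || r2'),
// where r1' and r2' are the least significant 8 octets of the 16-octet r1, r2.
func s1(k, r1, r2 [16]byte) [16]byte {
	var block, out [16]byte
	copy(block[0:8], r1[8:16])
	copy(block[8:16], r2[8:16])
	c, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // cannot happen: a 16-byte key is always valid for AES-128
	}
	c.Encrypt(out[:], block[:])
	return out
}

// JustWorksSTK derives the Short Term Key as Just Works does: the Temporary Key
// is fixed at zero, so the STK is a function of the two nonces alone.
func JustWorksSTK(srand, mrand [16]byte) [16]byte {
	var tk [16]byte // TK = 0, the value the article describes
	return s1(tk, srand, mrand)
}

// PasskeySTK derives the STK for Passkey Entry: the 6-digit passkey becomes
// the low-order bits of TK, which is the only secret protecting the STK.
func PasskeySTK(passkey uint32, srand, mrand [16]byte) [16]byte {
	var tk [16]byte
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return s1(tk, srand, mrand)
}

func main() {
	// Constructed nonces standing in for the Srand/Mrand values exchanged
	// during pairing (these are sample values, not real captured data).
	var srand, mrand [16]byte
	for i := range srand {
		srand[i] = byte(i)
		mrand[i] = byte(0xF0 - i)
	}
	// With TK = 0, both devices derive the same STK from the nonces alone.
	fmt.Printf("Just Works STK: %x\n", JustWorksSTK(srand, mrand))
	fmt.Printf("Passkey STK:    %x\n", PasskeySTK(123456, srand, mrand))
}
```

Only the low 8 octets of each nonce enter s1, which is why the spec writes r1' and r2'; a defender reviewing a BLE product should treat a Just Works STK as providing encryption against casual observers but no protection against an active party on the link, exactly as the article states.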
In a demonstration at the virtual Black Hat conference, Xu explained that a potential hacker could mount a deception-based attack after obtaining the victim's Bluetooth address by simple scanning. To do so, the hacker could pretend to be a Bluetooth device belonging to a well-known app such as Skype. Once the hacker establishes a Bluetooth connection through Gmail, he could send the victim's Android phone requests for the phone book, call logs or short messages. Because the apparent source is Skype, the victim is more likely than not to grant access and accept the Bluetooth connection, which allows the potential hacker to steal all kinds of data from the Android smartphone.
The other attack Xu described is a vulnerability-based attack in which the attacker first obtains two Bluetooth device addresses by scanning. The first is the victim's Bluetooth address; the second is the address of a device that has already been granted access by the victim, such as the victim's own Bluetooth headset. The attacker changes his address to the second address and then directly requests data (phone book and SMS) from the victim. In this case, Xu says, a potential hacker can access call logs, contact information and short messages without any user interaction or consent.
Xu and his DBAPPSecurity colleague will demonstrate the BlueRepli Bluetooth attack at the Black Hat conference today. Xu and Xin have also created a tool, BlueRepli Plus, which exploits this vulnerability; it will be shown during today's Black Hat Arsenal tool demonstrations.
Strangely, the BlueRepli Bluetooth attack works only on Android smartphones and tablets; Apple's iOS and iPadOS are not vulnerable to this issue. Xu stated that they have disclosed the BlueRepli vulnerability to Google and the Android Open Source Project (AOSP), but no patch is forthcoming. According to them, almost all Android smartphones and tablets are vulnerable to the BlueRepli Bluetooth attack.