Tamarin-Based Analysis of Bluetooth Uncovers Two Practical Pairing Confusion Attacks


Research field: Analysis



Conference: European Symposium on Research in Computer Security


Abstract

This paper provides a Tamarin-based formal analysis of all key-agreement protocols available in Bluetooth technologies, i.e., Bluetooth BR/EDR, Bluetooth Low Energy, and Bluetooth Mesh. The automated analysis found several unreported attacks, including two attacks that exploit the confusion of Pairing modes, which occurs when a communicating party uses the Secure Pairing mode while the other one uses the Legacy Pairing mode. They have been validated in practice using off-the-shelf implementations for the genuine communicating parties, and a custom BR/EDR machine-in-the-middle framework for the attacker. Our attacks have been reported by Bluetooth SIG as CVEs.


Author Profile
Tristan Claverie
Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), Paris, France

Gildas Avoine
INSA de Rennes, Rennes, France

Stéphanie Delaune
Univ Rennes, CNRS, IRISA, Rennes, France

📄 Paper information

Publication year: 2024
Citations: 0
Country of publication: France
Site: Springer

Related papers (105)