With the unveiling of Bluetooth 5 in June 2016, the wireless standard continues to grow into a maze of overlapping specifications and features. Every fork in the standard's evolution has left implementations carrying more legacy features and packet types, all of which must remain supported alongside the newly released ones.
Researchers at Armis Labs looked for ways to sidestep the standard's security mechanisms. In doing so, they found an alarming implementation weakness at the Security Manager Protocol (SMP) layer that let them bypass the PIN code exchange of traditional Bluetooth pairing, specifically the "just works" variant of the "numeric comparison with automatic confirmation" key exchange on Android. There, the mechanism auto-accepted the connection and skipped authentication entirely on the victim's device.
Additionally, the researchers found information leaks in the widely used Linux Bluetooth stack (BlueZ), stack overflows at several points in the Bluetooth stacks of Android, Linux, and Apple, buffer underflows in the handling of BNEP control messages, and a way to man-in-the-middle (MitM) Windows machines from a vulnerable Bluetooth device.
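To make the BNEP underflow class concrete, the following is an added, constructed illustration and not Armis's research code or any vendor's Bluetooth stack. It assumes the layout of a BNEP setup-connection-request control message (control type byte, UUID size byte, then destination and source UUIDs) and shows a parser that derives the trailing extension length with an unsigned subtraction before validating the packet length, beside a hardened version that checks first. The sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Layout of a BNEP setup-connection-request control message, as assumed here:
 *   byte 0   : control type (0x01 = BNEP_SETUP_CONNECTION_REQUEST_MSG)
 *   byte 1   : UUID size, legal values 2, 4 or 16 bytes
 *   bytes 2..: destination UUID, then source UUID, each uuid_size bytes
 *   remainder: extension data, whose length is derived from the packet length
 */
#define BNEP_SETUP_CONNECTION_REQUEST_MSG 0x01

struct setup_request {
    uint8_t uuid_size;
    const uint8_t *dst_uuid;
    const uint8_t *src_uuid;
    size_t ext_len;            /* bytes left after the two UUIDs */
};

/* Vulnerable parser: trusts uuid_size and computes the trailing length with an
 * unsigned subtraction before checking that the packet actually holds two UUIDs.
 * A short packet that claims 16-byte UUIDs makes ext_len wrap to a huge value,
 * and any copy sized by ext_len would then run far past the packet buffer. */
int parse_setup_request_vulnerable(const uint8_t *pkt, size_t len,
                                   struct setup_request *out)
{
    if (len < 2 || pkt[0] != BNEP_SETUP_CONNECTION_REQUEST_MSG)
        return -1;
    out->uuid_size = pkt[1];
    out->dst_uuid  = pkt + 2;
    out->src_uuid  = pkt + 2 + out->uuid_size;
    out->ext_len   = len - 2 - 2 * (size_t)out->uuid_size;   /* BUG: underflows */
    return 0;
}

/* Hardened parser: restricts uuid_size to the three legal values and checks the
 * packet length against the bytes needed before any subtraction takes place. */
int parse_setup_request_safe(const uint8_t *pkt, size_t len,
                             struct setup_request *out)
{
    if (len < 2 || pkt[0] != BNEP_SETUP_CONNECTION_REQUEST_MSG)
        return -1;
    uint8_t uuid_size = pkt[1];
    if (uuid_size != 2 && uuid_size != 4 && uuid_size != 16)
        return -1;                       /* unknown UUID size */
    size_t needed = 2 + 2 * (size_t)uuid_size;
    if (len < needed)
        return -1;                       /* truncated: refuse instead of wrapping */
    out->uuid_size = uuid_size;
    out->dst_uuid  = pkt + 2;
    out->src_uuid  = pkt + 2 + uuid_size;
    out->ext_len   = len - needed;       /* cannot underflow after the check */
    return 0;
}

/* Constructed sample: 6 bytes that claim 16-byte UUIDs but carry only 4 bytes
 * after the two-byte header. */
static const uint8_t TRUNCATED_REQUEST[6] = { 0x01, 0x10, 0xAA, 0xBB, 0xCC, 0xDD };

/* Constructed sample: a well-formed request with 2-byte UUIDs (destination NAP
 * 0x1116, source PANU 0x1115) followed by 3 bytes of extension data. */
static const uint8_t VALID_REQUEST[9] = { 0x01, 0x02, 0x11, 0x16, 0x11, 0x15,
                                          0x00, 0x00, 0x00 };

int main(void)
{
    struct setup_request r;

    if (parse_setup_request_vulnerable(TRUNCATED_REQUEST, sizeof TRUNCATED_REQUEST, &r) == 0)
        printf("vulnerable: accepted truncated packet, ext_len = %zu (wrapped)\n", r.ext_len);

    if (parse_setup_request_safe(TRUNCATED_REQUEST, sizeof TRUNCATED_REQUEST, &r) != 0)
        printf("safe: rejected truncated packet\n");

    if (parse_setup_request_safe(VALID_REQUEST, sizeof VALID_REQUEST, &r) == 0)
        printf("safe: uuid_size = %u, ext_len = %zu\n", r.uuid_size, r.ext_len);
    return 0;
}
```

The tell-tale sign of the underflow is an extension length larger than the packet itself; a fuzzer or unit test that feeds short packets with large size fields and asserts `ext_len <= len` catches this class of bug before it reaches a `memcpy`.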