Send email Copy Email Address
Annabelle Theobald

Does Bluetooth need more cybersecurity?

The answer is yes. CISPA faculty Nils Ole Tippenhauer explains how secure wireless connections are and why IT security research must be given a higher priority.

Nowadays, many headphones are connected to smartphones via Bluetooth, printers are linked to PCs using this technology, and cell phones are networked with car radios. Developed at the end of the 1990s, this wireless technology is now replacing USB, network, and audio cables in many places for connecting devices over short distances. That the Bluetooth protocol contained a serious security vulnerability for many years was discovered in 2019 by CISPA faculty Dr. Nils Ole Tippenhauer, Eurecom researcher Daniel Antonioli, and Kasper Rasmussen of the University of Oxford. Tippenhauer explains the state of Bluetooth security today and why users don't need to be too afraid of an attack. The Hamburg native also tells us what else he is researching.

For almost 20 years, there was a huge security gap in the Bluetooth standard. In theory, it has been fixed for quite a while now, but in practice, it will probably still be present on many devices purchased before 2019 due to a lack of appropriate updates, Tippenhauer suspects. He has been a senior scientist at CISPA since 2018, and his research focuses primarily on the security of wireless communications and industrial equipment and location services. In 2019, together with Daniel Antonioli and Kasper Rasmussen, he discovered a vulnerability in the Bluetooth specification that enabled attackers to use a so-called KNOB attack to manipulate Bluetooth devices in such a way that they only weakly secure the key required for pairing. Attackers were thus able to hack the connection and access sensitive data utilizing a brute-force attack, i.e., by simply trying out possible keys. Almost all Bluetooth devices were affected by the vulnerability. However, only Bluetooth Basic Rate and Enhanced Data Rate (BR/EDR) connections were vulnerable, not Bluetooth Low Energy (BLE).

The KNOB attack -KNOB stands for Key Negotiation Of Bluetooth- had a spectacular impact on the security community and motivated researchers to delve even deeper into the topic. Together with Mathias Payer of the HexHive group at École Polytechnique Fédérale de Lausanne (EPFL), Tippenhauer, Antonioli and Rasmussen discovered another serious Bluetooth vulnerability in 2020, called BLURtooth, which primarily affects newer Bluetooth-enabled devices. These are usually capable of communicating via both Bluetooth Classic (BT) and BLE. The two data transmission channels are not compatible per se but use similar security mechanisms. The introduction of a security mechanism called Cross-Transport Key Derivation (CTKD) should increase usability by allowing two devices to be paired only once, rather than separately for each to exchange data over BT and BLE. However, this function, which is useful in itself, can be exploited by attackers to interfere with the key allocation. For example, an attacking device can impersonate one already paired with the victim's device in the past. In this way, all security mechanisms can be easily bypassed, and sensitive data can be captured. The researchers were able to develop several similar attack scenarios that exploit this vulnerability.

The first software patches are now available. However, Tippenhauer says the proof that the devices are truly secure has yet to be provided. "End users need not worry too much, however. Such attacks require strong attackers who must be on-site and have high technical skills," explains Tippenhauer. "But it shows once again that we need to place greater emphasis on security and that security researchers should be more involved in the development of such standards." 

For the CISPA researcher, the fact that it is urgently time for a change in mentality is also evident in his second key topic, the security of industrial facilities. He said attacks on control systems are usually relatively primitive and often run with simple ransomware from the Internet. "From an academic point of view, such attacks are rather uninteresting, as they can generally be prevented by applying best practices such as consistent patching of equipment. I, therefore, tend to deal with attacks that come from state or semi-state actors. For example, on industrial facilities of foreign countries, which should not be detected immediately."

In recent years, Tippenhauer has focused primarily on the ecosystem of these facilities, with questions like: How are the plants digitally controlled? Which devices and which protocols are used? Where are problems with the protocols or their use? Many products and protocols came from the engineering world and were developed in parallel with IT for a long time. An understanding of the importance of cybersecurity emerging only slowly in the industry, he said. "There are enough other problems in this area. First and foremost, of course, keeping plants running and efficient. Engineers have a strong culture of 'safety.' They have developed many measures to predict and tolerate random failures. So there is a lot of operating with probabilities here. These measures are also intended to protect against attacks. Attackers, however, specifically produce the most inappropriate errors and exploit the confusion they create." Therefore, researchers are trying to bring the views of computer scientists and engineers more closely together, he said.

Nils Ole Tippenhauer earned his PhD in 2012 from ETH in Zurich. Before coming to CISPA, he was an assistant professor at the Singapore University of Technology and Design (SUTD) for four years. He thoroughly enjoyed his time there: "It was an intense time and allowed me to learn a lot about Asian culture and mentality in one of the most modern countries in the world."

Translated by Oliver Schedler