The BlueBump attack is the Bluetooth equivalent of a very neat physical security technique called key bumping. Used correctly, an appropriate bump key can open a matching lock in seconds. Since the BlueBump attack is also about keys (link keys, in this case), we named this attack after that technique.
The BlueBump attack requires the attacker to be a social engineer. The way it works is that the attacker establishes a trusted connection to a certain device. This could be achieved by sending a business card and forcing the receiver to authenticate (Mode-3-Abuse). The attacker keeps the connection open and tells the victim to delete the link key for the attacker’s device. The victim is not aware of the connection that is still active. The attacker now requests a link-key regeneration. Doing so, the attacker’s device gets a new entry in the list without having to authenticate again. The attacker is then able to connect to the device at any time as long as the key is not deleted again.
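To make the flaw concrete from the defender's side, here is a small model of the victim's link-key handling (an added illustration, not trifinite code; the device names, address and policy flags are constructed). The "lenient" policy reproduces the behaviour BlueBump abuses: deleting a key leaves the live connection trusted, so a regeneration request is honoured without re-authentication. The "strict" policy ties trust to the stored key, so deleting it also drops the live link and refuses regeneration.

```python
"""Model of link-key handling in the BlueBump scenario (constructed example)."""
from dataclasses import dataclass


@dataclass
class Connection:
    peer: str            # Bluetooth address of the remote device (constructed)
    authenticated: bool  # whether this link was authenticated at setup


class LinkKeyStore:
    """Link-key database of the victim device under two policies."""

    def __init__(self, policy: str = "lenient"):
        self.policy = policy          # "lenient" (vulnerable) or "strict" (hardened)
        self.keys: dict[str, str] = {}
        self.active: list[Connection] = []
        self.counter = 0

    def pair(self, peer: str) -> Connection:
        """Authenticated pairing, e.g. triggered by the forced business-card exchange."""
        self.counter += 1
        self.keys[peer] = f"LK{self.counter}"
        conn = Connection(peer, authenticated=True)
        self.active.append(conn)
        return conn

    def delete_key(self, peer: str) -> None:
        """User removes the pairing entry. Strict policy also tears down any live
        link to that peer and revokes its authenticated state."""
        self.keys.pop(peer, None)
        if self.policy == "strict":
            for conn in self.active:
                if conn.peer == peer:
                    conn.authenticated = False
            self.active = [c for c in self.active if c.peer != peer]

    def regenerate_key(self, conn: Connection) -> bool:
        """Peer asks for a fresh link key over an existing connection."""
        if self.policy == "strict" and conn.peer not in self.keys:
            return False              # no stored key: force a new, visible pairing
        if not conn.authenticated:
            return False
        self.counter += 1
        self.keys[conn.peer] = f"LK{self.counter}"
        return True


def bluebump_succeeds(policy: str) -> bool:
    """Run the BlueBump sequence; True means the attacker regains a stored key."""
    victim = LinkKeyStore(policy)
    conn = victim.pair("AA:BB:CC:DD:EE:FF")      # step 1: trusted connection
    victim.delete_key("AA:BB:CC:DD:EE:FF")       # step 2: user "revokes" trust
    return victim.regenerate_key(conn) and "AA:BB:CC:DD:EE:FF" in victim.keys
```

The defensive point is the one the strict branch encodes: deleting a link key must invalidate every connection that was established with it, and key regeneration must never be accepted for a peer that has no stored key.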
Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues.
Adam Laurie is Chief Security Officer and a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other minicomputers, and then on various Unix, DOS and CP/M based microcomputers as they emerged in the Eighties.
Marcel Holtmann is the maintainer and the core developer of the official Linux Bluetooth stack which is called BlueZ. He started working with the Bluetooth technology back in 2001. His work includes new hardware drivers, upper layer protocol implementations and the integration of Bluetooth into other subsystems of the Linux kernel.