BlueMaster: Bypassing and Fixing Bluetooth-based Proximity Authentication


Bluetooth enabled devices can indirectly check the proximity of other connected devices, and this proximity check can be used as an authentication means. Thanks to the widespread use of Bluetooth, popular software vendors such as Google and Microsoft offer this device proximity authentication method in their operating systems, namely, Android and Windows 10. On one hand, Google"s Android supports a feature called Android Smart Lock, which allows a user to register “trusted” Bluetooth devices, and then utilize the presence of such trusted devices as an alternative to passcode. On the other hand, Microsoft Windows uses this proof-of-device-proximity in a reverse way. Windows 10 introduces Dynamic Lock, which automatically “locks” the device if any of the paired Smartphone moves away, to block access to the computer while the user is unattended. In this talk, we present the security pitfalls of Bluetooth-based proximity authentication. We analyzed implementations of Android Smart Lock and Windows Dynamic Lock and demonstrated new attacks on these implementations. Based on our analysis, we discovered three new attacks that allow attackers to bypass device proximity authentication. From Android Smart Lock, attackers may bypass a security check that prevents a basic MAC spoofing attack. From Windows Dynamic Lock, attackers may alter the MAC address and device class to spoof a paired smartphone, and it is also vulnerable to a proximity spoofing attack. Our analysis result shows that the vulnerabilities are originated from accepting untrusted data from Bluetooth for authentication. Additionally, regarding the proximity checking, it turned out that none of both is secure; Android ignores device proximity, and Windows is susceptible to signal amplification attack. Finally, we discuss potential countermeasures and inherent weaknesses of proximity checking in Bluetooth, as well as how to analyze the security of the Bluetooth-based device and proximity authentication method. Our countermeasure includes several ideas on how to accept only trusted data from Bluetooth for authentication methods. Furthermore, we will release a detection tool for the problems we found.

In Black Hat Europe 2019 Briefings
Yeongjin Jang
Yeongjin Jang
Principal Software Engineer

My research interests include cybersecurity/hacking, automated vulnerability discovery/analysis, secure system design, and applied cryptography.