Abstract
Secure Simple Pairing (SSP) and Link Manager Protocol (LMP) authentication are two main authentication mechanisms in Bluetooth specification. In this paper, we present two novel attacks, called link key extraction and page blocking attacks, breaking LMP authentication and SSP authentication, respectively. Link key extraction attack allows attackers to extract link keys of Bluetooth devices generated during the SSP procedure by exploiting Bluetooth HCI dump. Page blocking attacks by man-in-the-middle (MITM) attackers enforce Blue-tooth connections, enabling subsequent SSP downgrade attacks to bypass the SSP authentication challenge. In order to demonstrate the efficacy, we implement our attacks on various real-world devices and show that (1) a target link key is dumped into a log and extracted efficiently, possibly leading to the subsequent impersonation attack, and (2) malicious MITM connections can be established with 100% success rate, enabling subsequent SSP downgrade attack. We investigate the root causes for the vulnerabilities and present mitigations.