BLUFFS is an acronym for a new Bluetooth vulnerability that security researcher Daniele Antonioli disclosed recently. BLUFFS, which stands for Bluetooth Forward and Future Secrecy, is actually a set of six unique vulnerabilities. These vulnerabilities affect the majority of Bluetooth devices, as Bluetooth 4.2 to 5.4 implementations are affected.

Good news for most users is that it requires a specific setup for exploitation. Without going into too many details, for the attack to succeed, it is necessary that two vulnerable Bluetooth devices are in range of the attacker's device. Successful exploitation may lead to man-in-the-middle attacks and successful brute forcing of the encryption key.

A research paper, presentation and a toolkit are available on the researchers website. The attack was tested against 18 different Bluetooth chips and devices. Devices included several Apple iPhones, Google Pixel devices, laptops, Airpods and other devices that support Bluetooth.

Not all devices appear to be vulnerable to all of the six vulnerabilities, but all are affected by at least three of the six vulnerabilities.

The issue has been confirmed on the official Bluetooth website. It is listed under CVE-2023-24023. The article includes suggestions on fixing the issue. Manufacturers are advised to set the minimum encryption key length for encrypted sessions to 7 octets. The main idea here is that this gives the attacker to low of a window to successfully brute force the key. This makes attacks less worthwhile for attackers, even though it is not a complete protection against attacks that exploit the vulnerabilities.

The site makes other suggestions: "Implementations are advised to reject service-level connections on an encrypted baseband link with key strengths below 7 octets. For implementations capable of always using Security Mode 4 Level 4, implementations should reject service-level connections on an encrypted baseband link with a key strength below 16 octets. Having both devices operating in Secure Connections Only Mode will also ensure sufficient key strength".

Some manufacturers, Microsoft for instance, have patched the issues already. Microsoft did so as part of the November 2023 update for the Windows operating system.

Some users may disable Bluetooth on their devices to protect them from potential attacks, but this is not practicable in many cases. Bluetooth is for instance commonly used to pair wireless earbuds or headphones with mobile devices.

Now You: do you use Bluetooth?