CR NI Aug 16, 2021

Happy MitM: Fun and Toys in Every Bluetooth Device

arXiv:2108.07190v1 1 citations
Originality Synthesis-oriented
AI Analysis

The paper addresses a critical security gap for Bluetooth users: it exposes widespread non-compliance that undermines protection against attacks.

The paper found that major Bluetooth stacks fail to warn users about potential Machine-in-the-Middle attacks during pairing, violating the specification and leaving users vulnerable to security issues.

Bluetooth pairing establishes trust on first use between two devices by creating a shared key. Similar to certificate warnings in TLS, the Bluetooth specification requires warning users upon issues with this key, because this can indicate ongoing Machine-in-the-Middle (MitM) attacks. This paper uncovers that none of the major Bluetooth stacks warns users, which violates the specification. Clear warnings would protect users from recently published and potential future security issues in Bluetooth authentication and encryption.
