BLERP: BLE Re-pairing attacks and defenses

Daniele Antonioli, EURECOM, daniele.antonioli@eurecom.fr

Bluetooth Low Energy (BLE) is a ubiquitous wireless technology used by billions of devices to exchange sensitive data. As defined in the Bluetooth Core Specification v6.1, BLE security relies on two primary protocols: pairing, which establishes a long-term key, and session establishment, which encrypts communications using a fresh session key. While the standard permits paired devices to re-pair to negotiate a new security level, the security implications of this mechanism remain unexplored, despite the associated risks of device impersonation and Machine-in-the-Middle (MitM) attacks. We analyze BLE re-pairing as defined in the standard v6.1 and identify six design vulnerabilities, including four novel ones, such as unauthenticated re-pairing and security level downgrade. These vulnerabilities are design flaws and affect any standard-compliant BLE device that uses pairing, regardless of its Bluetooth version or security level. We also present four new re-pairing attacks exploiting these vulnerabilities, which we call BLERP. The attacks enable impersonation and MitM of paired devices with minimal or no user interaction (1-click or 0-click). Our attacks are the first to target BLE re-pairing, exploit the interplay between BLE pairing and session establishment, and abuse the SMP security request message.

We develop a novel toolkit that implements our attacks and supports testing of BLE pairing, including end-to-end MitM attacks. Reproducing the toolkit only requires low-cost hardware (nRF52) and open-source software (Mynewt, NimBLE, and Scapy). Our large-scale evaluation demonstrates the attacks' impact across 22 targets, including 15 BLE Hosts, 12 BLE Controllers, Bluetooth versions up to 5.4, and the most secure configurations (SC, SCO, and authenticated pairing). During our experiments, we also discovered implementation re-pairing flaws affecting the Apple, Android, and NimBLE BLE stacks.

[Fig. 1: BLERP attacks (diagram not reproduced; panels: Central Impersonation, Peripheral Impersonation, Single-Channel MitM, Double-Channel MitM). Alice and Bob are legitimately paired over BLE. Charlie can impersonate either of them, perform a single-channel Man-in-the-Middle (MitM) to compromise the new key, or a double-channel MitM, to establish new separate keys with Alice and Bob.]

We implement and evaluate two complementary mitigations: a backward-compatible hardening of the re-pairing logic that is immediately deployable by vendors, and an authenticated re-pairing protocol that addresses the attacks by design. We empirically validate the effectiveness of hardened re-pairing and formally model and verify authenticated re-pairing using ProVerif.
NDSS 2026, 33rd Network and Distributed System Security Symposium, 23-27 February 2026, San Diego, USA
Type: Conference
Date: 2026-02-23
Department: Data Science
Eurecom Ref: 8642
Copyright: Copyright Usenix. Personal use of this material is permitted. The definitive version of this paper was published in NDSS 2026, 33rd Network and Distributed System Security Symposium, 23-27 February 2026, San Diego, USA and is available at:
Permalink: https://www.eurecom.fr/publication/8642