I am concerned about MAC spoofing on a Bluetooth LE device. Is it possible only during bonding, or would it be possible in any step of the connection (pairing, bonding, scanning, data exchange, etc.)?

Nuñito Calzada

  • What is your concern? If you need security in your connection then you need to bond and exchange keys with your device. The initial bonding could be with a spoofed device, which is why there is typically an out-of-band token such as a pairing PIN displayed on one device – Paulw11 Jun 01 '15 at 22:11
  • Since not all the devices on the market support full OOB bonding, I will not use it, but I want to prevent a man-in-the-middle attack – Nuñito Calzada Jun 02 '15 at 08:35
  • If you use 'just works' pairing then you can't prevent MITM - see http://en.wikipedia.org/wiki/Bluetooth#Pairing_and_bonding – Paulw11 Jun 02 '15 at 08:38
  • I will configure filtering: the LL controller maintains a "white list" of allowed devices and will ignore all requests for data exchange or advertising information from others – Nuñito Calzada Jun 02 '15 at 08:43
  • But the address can be spoofed as you say.... – Paulw11 Jun 02 '15 at 08:44
  • OK, so a white list in the end is not so secure? – Nuñito Calzada Jun 02 '15 at 08:45
  • Well, the address is sent from the device "in the clear", so an attacker can intercept that and spoof the device's address – Paulw11 Jun 02 '15 at 08:46
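The comment thread turns on which pairing model a given pair of devices ends up with, and whether that model is one of the authenticated ones (MITM-protected) or "Just Works". The following is an added example, not code from the question, the answer or any project mentioned on the page: it encodes the association-model selection rules from the Bluetooth Core Specification (Vol. 3, Part H, Security Manager) so a configuration can be audited before shipping. The `IoCap` enum, `PairingOutcome` and `select_pairing_method` names are this example's own.

```python
"""Which BLE pairing method two devices end up with, and whether it gives
MITM protection.  Added example; rules follow the Bluetooth Core Spec
(Vol. 3, Part H) association-model selection, names are this example's own."""
from dataclasses import dataclass
from enum import Enum


class IoCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YES_NO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"
    KEYBOARD_DISPLAY = "KeyboardDisplay"


@dataclass(frozen=True)
class PairingOutcome:
    method: str           # "OOB", "Just Works", "Passkey Entry", "Numeric Comparison"
    mitm_protected: bool  # True only for the authenticated association models


def select_pairing_method(init_io: IoCap, resp_io: IoCap, *,
                          init_oob: bool = False, resp_oob: bool = False,
                          init_mitm: bool = True, resp_mitm: bool = True,
                          secure_connections: bool = False) -> PairingOutcome:
    # 1. OOB data overrides IO capabilities.  LE legacy pairing needs OOB data
    #    on both sides; LE Secure Connections needs it on only one side.
    have_oob = (init_oob or resp_oob) if secure_connections else (init_oob and resp_oob)
    if have_oob:
        return PairingOutcome("OOB", True)
    # 2. If neither side sets the MITM bit in AuthReq, IO capabilities are
    #    ignored and Just Works is used.
    if not (init_mitm or resp_mitm):
        return PairingOutcome("Just Works", False)
    # 3. IO capability matrix.  The method chosen is symmetric in the two
    #    roles, so a set comparison is enough.
    pair = {init_io, resp_io}
    if IoCap.NO_INPUT_NO_OUTPUT in pair:
        return PairingOutcome("Just Works", False)
    if pair == {IoCap.DISPLAY_YES_NO}:
        # Two Yes/No displays can confirm a shared number only under LESC.
        if secure_connections:
            return PairingOutcome("Numeric Comparison", True)
        return PairingOutcome("Just Works", False)
    if pair <= {IoCap.DISPLAY_ONLY, IoCap.DISPLAY_YES_NO}:
        return PairingOutcome("Just Works", False)  # nothing to type, nothing to compare
    if secure_connections and pair <= {IoCap.DISPLAY_YES_NO, IoCap.KEYBOARD_DISPLAY}:
        return PairingOutcome("Numeric Comparison", True)
    return PairingOutcome("Passkey Entry", True)


def audit(init_io: IoCap, resp_io: IoCap, **kw) -> str:
    """One-line verdict for a configuration review."""
    out = select_pairing_method(init_io, resp_io, **kw)
    verdict = "MITM-protected" if out.mitm_protected else "NO MITM protection"
    return f"{init_io.value} <-> {resp_io.value}: {out.method} ({verdict})"


if __name__ == "__main__":
    # A headless sensor (NoInputNoOutput) can never get past Just Works.
    print(audit(IoCap.NO_INPUT_NO_OUTPUT, IoCap.KEYBOARD_DISPLAY))
    # A display on one side and a keypad on the other gives Passkey Entry.
    print(audit(IoCap.DISPLAY_ONLY, IoCap.KEYBOARD_ONLY))
    # Two phones only reach Numeric Comparison with LE Secure Connections.
    print(audit(IoCap.DISPLAY_YES_NO, IoCap.DISPLAY_YES_NO))
    print(audit(IoCap.DISPLAY_YES_NO, IoCap.DISPLAY_YES_NO, secure_connections=True))
```

The practical reading of the table is the one Paulw11 gives: a device with no input and no output can only ever do Just Works, and no white list changes that. Where OOB is off the table, MITM protection comes from giving at least one side a display and the other a way to enter or confirm a passkey; note that `mitm_protected` is the specification's classification, and for LE legacy pairing the Passkey Entry key exchange itself is what Ryan's WOOT '13 work showed to be breakable by a passive sniffer, so LE Secure Connections should be required wherever the hardware allows it.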

1 Answer

Yes, it is achievable.

Mike Ryan from iSEC Partners used specific hardware to achieve injection, as described in his article Bluetooth: with low energy comes low security:

"From Ubertooth we send undirected advertising messages broadcasting the existence of a device with a user-specified MAC address."

And here is the presentation at the Usenix WOOT'13 conference.

rclyde