BlueMaster: Bypassing and Fixing Bluetooth-based Proximity Authentication

Conference: BlackHat EU 2019

The presentation discusses the vulnerabilities of Dynamic Lock and Bluetooth-based proximity authentication and proposes a method to analyze and verify the security of such authentication.
  • Dynamic Lock is a convenient feature but has vulnerabilities that attackers can exploit.
  • Bluetooth-based proximity authentication can also be insecure if not properly implemented.
  • The proposed method involves analyzing and verifying the Bluetooth properties used and applying a state-based analysis to ensure that the authentication decision does not depend on untrusted properties.
  • A detection tool was developed to guide users in verifying Bluetooth-based proximity authentication.
  • Developers should be cautious when using Dynamic Lock and prioritize security over convenience.
The presentation demonstrated how an attacker can exploit the vulnerabilities of Dynamic Lock by modifying the device class so that the Surface recognizes the attacker's phone as a smartwatch, allowing the attacker to bypass the lock feature. The presenter also emphasized the importance of verifying the security of authentication and not trusting anything before verification.


Bluetooth-enabled devices can indirectly check the proximity of other connected devices, and this proximity check can be used as an authentication means. Thanks to the widespread use of Bluetooth, popular software vendors such as Google and Microsoft offer this device proximity authentication method in their operating systems, namely Android and Windows 10. On one hand, Google's Android supports a feature called Android Smart Lock, which allows a user to register 'trusted' Bluetooth devices and then use the presence of such trusted devices as an alternative to a passcode. On the other hand, Microsoft Windows uses this proof of device proximity in the reverse way: Windows 10 introduces Dynamic Lock, which automatically 'locks' the computer if a paired smartphone moves away, blocking access to the computer while it is unattended.

In this talk, we present the security pitfalls of Bluetooth-based proximity authentication. We analyzed the implementations of Android Smart Lock and Windows Dynamic Lock and demonstrated new attacks on them. Based on our analysis, we discovered three new attacks that allow attackers to bypass device proximity authentication. In Android Smart Lock, attackers may bypass a security check that prevents a basic MAC spoofing attack. In Windows Dynamic Lock, attackers may alter the MAC address and device class to spoof a paired smartphone, and it is also vulnerable to a proximity spoofing attack.

Our analysis shows that the vulnerabilities originate from accepting untrusted data from Bluetooth for authentication. Additionally, regarding proximity checking, it turned out that neither implementation is secure: Android ignores device proximity, and Windows is susceptible to a signal amplification attack.

Finally, we discuss potential countermeasures and inherent weaknesses of proximity checking in Bluetooth, as well as how to analyze the security of Bluetooth-based device and proximity authentication methods.
Our countermeasure includes several ideas on how to accept only trusted data from Bluetooth for authentication methods. Furthermore, we will release a detection tool for the problems we found.
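To make the root cause concrete (an authentication decision built on data the remote radio controls, such as the reported MAC address and device class), here is a small constructed Python model, added to this page and not the authors' tool or code. It contrasts a naive presence check with one that only counts a device as present once the link has been authenticated with the pairing bond, which is one way to "accept only trusted data" in the sense the abstract describes. The link states, addresses, class values and function names are all assumptions made for the illustration.

```python
"""Toy model of a Bluetooth proximity-authentication decision.

Constructed illustration (not the talk's tool): contrasts a policy that
trusts MAC address and device class as reported with one that only counts
a device as present after the link is authenticated with the stored bond
key. Names, addresses and class values are made up.
"""
from dataclasses import dataclass
from enum import Enum, auto


class LinkState(Enum):
    DISCOVERED = auto()     # seen via inquiry/advertising; nothing verified
    CONNECTED = auto()      # ACL link up, but not yet authenticated
    AUTHENTICATED = auto()  # link authenticated and encrypted with the bond key


@dataclass(frozen=True)
class Observation:
    """What the host learns about one nearby device during a proximity check."""
    mac: str
    device_class: int
    state: LinkState


# Constructed sample values: the paired phone's address and class.
TRUSTED_PHONE_MAC = "AA:BB:CC:DD:EE:01"
TRUSTED_PHONE_CLASS = 0x5A020C


def naive_present(obs: Observation) -> bool:
    """Weak policy: believe the reported MAC and device class, whatever the link state.

    Both values are sent in the clear and chosen by the remote radio, so a
    device that copies them is indistinguishable from the real phone.
    """
    return obs.mac == TRUSTED_PHONE_MAC and obs.device_class == TRUSTED_PHONE_CLASS


def hardened_present(obs: Observation) -> bool:
    """Hardened policy: only an authenticated link proves the paired device is there.

    The MAC merely selects which bond to use; presence is established by the
    link reaching AUTHENTICATED, which requires the secret link key created at
    pairing. Properties observed before that state are ignored.
    """
    if obs.state is not LinkState.AUTHENTICATED:
        return False
    return obs.mac == TRUSTED_PHONE_MAC


def should_lock(present_fn, observations) -> bool:
    """Dynamic-Lock-style decision: lock when no trusted device is judged present."""
    return not any(present_fn(o) for o in observations)


def should_unlock(present_fn, observations) -> bool:
    """Smart-Lock-style decision: unlock when a trusted device is judged present."""
    return any(present_fn(o) for o in observations)


# Constructed observations used for the demonstration.
GENUINE_PHONE = Observation(TRUSTED_PHONE_MAC, TRUSTED_PHONE_CLASS, LinkState.AUTHENTICATED)
# Same MAC and class as the phone, but the link never authenticates (no bond key).
LOOKALIKE = Observation(TRUSTED_PHONE_MAC, TRUSTED_PHONE_CLASS, LinkState.CONNECTED)
STRANGER = Observation("00:11:22:33:44:55", 0x7A020C, LinkState.DISCOVERED)


if __name__ == "__main__":
    for label, obs in [("genuine", GENUINE_PHONE), ("lookalike", LOOKALIKE), ("stranger", STRANGER)]:
        print(f"{label:10s} naive={naive_present(obs)!s:5s} hardened={hardened_present(obs)}")
    print("naive policy locks with lookalike nearby:", should_lock(naive_present, [LOOKALIKE]))
    print("hardened policy locks with lookalike nearby:", should_lock(hardened_present, [LOOKALIKE]))
```

The model only addresses the untrusted-data problem. The abstract's second finding, that the RSSI-based proximity check itself can be defeated by signal amplification, is not solved by link authentication and is deliberately not modeled here.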