- Aug 17, 2014
At the Black Hat USA 2020 virtual event on August 5, a new attack was added to the list of Bluetooth vulnerabilities, with the public disclosure of BlueRepli.
Security researchers Sourcell Xu and Xin Xin described the BlueRepli attack as a way to bypass Bluetooth authentication on Android phones, without detection. In a series of recorded demos, the researchers demonstrated how, with limited or no user interaction, they were able to abuse Bluetooth to steal a target device’s phone book as well as all of the SMS text messages it had received.
For reasons the researchers did not fully share, the BlueRepli attack does not currently work on Apple iOS devices. Additionally, the researchers noted that they had disclosed the issues to Google and the Android Open Source Project (AOSP), but according to them, the issue has not been patched to date.
At the core of the BlueRepli attack is an abuse of what are known as Bluetooth Profiles. Xu explained that Bluetooth Profiles detail specific application scenarios that can be used to enable connectivity. For example, there is the Phone Book Access Profile (PBAP) to enable access to a user’s phone book, while the Message Access Profile (MAP) provides access to text messages.
Xu noted that a Bluetooth vulnerability disclosed in 2019, dubbed “BadBluetooth”, also took advantage of Bluetooth Profiles. In that attack scenario, however, the victim needed to install a malicious app, whereas with BlueRepli nothing needs to be installed. Any Android device within Bluetooth range can potentially be at risk from the BlueRepli attack.
To help demonstrate the attack and allow others to test, the researchers created a software project called BlueRepli Plus that is set to be demonstrated during the Black Hat Arsenal tools demonstration on August 6.