Credit: Google/Creative Commons
LAS VEGAS — Many smartphones and tablets running Android 5.0 Lollipop can be unlocked by strangers, two Italian researchers told attendees of the DEF CON 23 hacker conference here last weekend.
Matteo Beccaro and Matteo Collura, both students at the Polytechnic University of Turin, said this was possible because a feature called Bluetooth Unlock was introduced with Android 5.0 Lollipop — and Bluetooth connections were not properly validated until the release of Android 5.1 Lollipop.
That means devices running the older version of Lollipop — currently about 15 percent of all Android devices known to Google — with Bluetooth Unlock enabled could be unlocked by thieves.
If any Android device running 4.1-4.3 Jelly Bean or 4.4 KitKat — about 75 percent of Google-registered devices — gets updated to the older Lollipop instead of the newer Lollipop, it may be vulnerable too.
Bluetooth Unlock, a recent addition to the older feature called Smart Lock, keeps the screen of a smartphone or tablet unlocked whenever it's near a user-designated "Trusted Device," such as a smartwatch, computer or vehicle infotainment system. Basically, it lets you keep the screen unlocked when you're in your car or at home.
But when it unveiled Bluetooth Unlock in November 2014, Google didn't check to see whether Android properly verified each Bluetooth connection.
It turned out there was a loophole. Austrian researcher Martin Herfurt found that one Bluetooth device can "query" another using an unencrypted connection.
If an Android phone with Bluetooth Unlock is "queried" by another device that pretends to be one of the Android phone's Trusted Devices, the phone's screen will unlock for a few seconds — long enough for a thief to perform a factory reset.
Herfurt privately told Google of this flaw in January 2015, and Google fixed it at the end of April by forcing proper verification — at least for devices that run Android 5.1. Right now, less than 3 percent of Android devices do.
We don't need no stinkin' Bluetooth address
Herfurt's technique required the "sniffing" of both devices' six-byte Bluetooth identification numbers as the devices talked to each other. Beccaro and Collura came up with a better method that doesn't require capturing a Trusted Devices's ID.
Instead, they figured out they could guess the ID — because the device running Bluetooth Unlock would tell them most of what they needed to know.
Turn on Bluetooth and Wi-Fi on an Android smartphone, go to Settings > About Phone > Status, and you'll see listings for "Wi-FI MAC address" and "Bluetooth address," which both look something like "0b:d5:4e:67:2f:ab."
That's actually a very long number, and "a" through "f" are digits representing 10 through 15. Each pair of characters separated by colons is a byte that can range in value from zero ("00") to 255 ("ff").
Bluetooth Unlock, Beccaro and Collura said, identifies each Trusted Device by the last four bytes of its Bluetooth address — in the example above, "4e:67:2f:ab." To guess a number that long, you'd have to try 4.3 billion possibilities.
However, when a Bluetooth chip turns on, it broadcasts a "beacon" containing the last three bytes — e.g., "67:2f:ab" — of the Bluetooth address of every device with which it's ever been paired, just to see if any of those devices are around and can respond. And because a Trusted Device has to be a paired device, every Trusted Device will be on that list.
So, as Beccaro and Collura showed, if you already have three bytes of the necessary four, you can "brute-force" all 256 possibilities for the fourth byte. In other words, if you already have "67:2f:ab" as broadcast by the beacon, you can quickly try every combination from "00" to "ff" until you hit "4e."
A computer or smartphone could swiftly run down the entire list of paired devices transmitted by the target phone, pinging the phone with spoofed partial four-byte Bluetooth addresses. If the target phone has Bluetooth Unlock enabled, and it hasn't yet been updated to Android 5.1, then — bingo! — its screen will unlock.
To prove their exploit worked, Beccaro and Collura demonstrated it on-stage, using a laptop running a hacker-friendly version of Linux against a smartphone. It took less than a second to unlock the phone's screen.
More safety for slightly less convenience
To make sure your phone isn't unlocked by a sinister stranger sitting on the other side of the Starbucks, don't turn on Bluetooth Unlock. The switch is at Settings > Lock screen > Screen lock > Smart Lock > Trusted Devices.
Beccaro and Collura said that even devices running 5.1 Lollipop aren't out of the woods. Their Bluetooth Unlock exploit won't work on those devices, but similar exploits involving third-party apps that use Bluetooth still might.
The pair plan further research to see if similar Bluetooth authentication woes affect smart locks, fitness bands and other Internet of Things devices.