CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.
Last updated
Overview
CAPEC-667 (Bluetooth Impersonation AttackS (BIAS)) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Find disguise and target] The adversary starts the Bluetooth service on the attacking device and searches for nearby listening devices.
- Knowledge of a trusted MAC address.
- Scanning for devices other than the target that may be trusted.
- Step 2Experiment
[Disguise] Using the MAC address of the device the adversary wants to impersonate, they may use a tool such as spooftooth or macchanger to spoof their Bluetooth address and attempt to authenticate with the target.
- Step 3Exploit
[Use device capabilities to accomplish goal] Finally, if authenticated successfully the adversary can perform tasks/information gathering dependent on the target's capabilities and connections.
What the attacker needs
Prerequisites
- Knowledge of a target device's list of trusted connections.
Skills required
- Low skill: Adversaries must be capable of using command line Linux tools.
- Low skill: Adversaries must be in close proximity to Bluetooth devices.
Consequences
What a successful CAPEC-667 attack can achieve.
Affects: Integrity
An adversary will be impersonating another Bluetooth device, and may gain access to information pertaining to that user along with the ability to manipulate other information.
Affects: Confidentiality
An adversary will have unauthorized access to information.
How to mitigate it
Defenses that reduce the risk of CAPEC-667.
- Disable Bluetooth in public places.
- Verify incoming Bluetooth connections; do not automatically trust.
- Change default PIN passwords and always use one when connecting.
Frequently asked questions
Common questions about CAPEC-667.
- What is CAPEC-667?
- An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.
- How does a Bluetooth Impersonation AttackS (BIAS) attack work?
- It typically unfolds over 3 phases. It begins with: [Find disguise and target] The adversary starts the Bluetooth service on the attacking device and searches for nearby listening devices.
- How do you prevent CAPEC-667?
- Disable Bluetooth in public places.
- What weaknesses does CAPEC-667 target?
- CAPEC-667 exploits 1 CWE weakness, including CWE-290 (Authentication Bypass by Spoofing).
- How severe is CAPEC-667?
- MITRE rates CAPEC-667 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-667
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.