In June 2024, a security issue was discovered in the Linux kernel's Bluetooth subsystem (bluez), specifically affecting the “Just Works” pairing method for BR/EDR (Basic Rate/Enhanced Data Rate) Bluetooth connections. This issue, now tracked as CVE-2024-53144, indicated that user confirmation was not always explicitly requested during Bluetooth pairing — potentially enabling *unauthorized* pairing attempts, especially when coupled with social engineering or physical proximity threats.

The fix aligns the BR/EDR behavior with the existing (and more secure) practice for LE (Low Energy) Bluetooth connections, ensuring that every “Just Works” pairing operation requires explicit user confirmation.

Let’s break down what happened, why it mattered, and how it was fixed—complete with code snippets, exploitation details, and references.

What is “Just Works” Pairing?

The Just Works method is a user-friendly Bluetooth pairing model that simplifies the user experience by skipping the passkey or numeric-comparison step. Devices using this method exchange encryption keys with minimal or no user interaction. That convenience comes at a cost: because nothing is verified out of band, Just Works provides no protection against Man-in-the-Middle (MitM) attacks.

Technical Summary

A weakness in the Linux kernel's Bluetooth subsystem meant that, for legacy BR/EDR connections, the “Just Works” flow did not always prompt the user to confirm pairing, unlike the more secure LE flow. BlueZ's bluetoothd daemon, which receives these requests through the kernel's management (mgmt) interface, depends on that user-confirmation request to enforce its pairing policies (e.g., main.conf:JustWorksRepairing).

This inconsistency allowed attackers within range to attempt unauthorized pairing, potentially gaining access to device services, personal data, or the ability to send/receive data.

Related CVE identifier: while the public Linux kernel commit refers to CVE-2024-8805, trackers such as oss-security and NIST reference this issue under CVE-2024-53144 because the impact overlaps.

The Vulnerable Code

The core of the problem was that BR/EDR “Just Works” events would silently complete pairing, unless further checks were implemented by third-party tools.

Vulnerable Snippet (Pre-Fix)

```c
/* Pre-fix (simplified): a BR/EDR Just Works request could complete without
 * confirm_hint ever being set, so no user confirmation was requested. */
if (method == JUST_WORKS && !confirm_hint) {
    /* pairing proceeds automatically, no user confirmation required */
}
```

Here's how the fix aligns the pairing logic:

```c
/* Post-fix (simplified): every Just Works request sets confirm_hint, so the
 * management interface always asks userspace (bluetoothd) to confirm. */
if (method == JUST_WORKS) {
    confirm_hint = 1;  /* always request user confirmation */
}
```

Reference commit:
bluetooth: hci_event: Align BR/EDR JUST_WORKS pairing with LE
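To make the before/after difference concrete, here is a small C model of the confirmation decision, written for this article; it is not the kernel's code and not the page's snippets. It assumes (my reading of the fix, not something the page states) that the old prompt depended on whether the local host had initiated the pairing, and that a host whose local IO capability is NoInputNoOutput still cannot be prompted after the fix. The scenario values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Pairing method negotiated from the two IO capabilities. Only JUST_WORKS
 * matters here; anything else goes through numeric comparison or a passkey. */
enum method { METHOD_OTHER, METHOD_JUST_WORKS };

/* What the host does when the controller raises a User Confirmation Request. */
enum outcome {
    OUT_KERNEL_AUTO_ACCEPT,  /* kernel replies "accept" on its own, nobody asked */
    OUT_ASK_USERSPACE,       /* mgmt event to bluetoothd with confirm_hint set */
    OUT_ASK_USER_COMPARE     /* non-Just-Works: numeric comparison shown to user */
};

struct pairing {
    enum method method;
    bool local_initiated;        /* this host started authentication (assumption) */
    bool local_no_input_output;  /* local IO capability is NoInputNoOutput */
};

/* Pre-fix decision, modelling the page's "Vulnerable Snippet": the prompt
 * depended on the host's role, so one side could complete silently. */
static enum outcome decide_prefix(const struct pairing *p, int *confirm_hint)
{
    *confirm_hint = 0;
    if (p->method != METHOD_JUST_WORKS)
        return OUT_ASK_USER_COMPARE;
    if (!p->local_initiated && !p->local_no_input_output) {
        *confirm_hint = 1;           /* acceptor with a display: ask */
        return OUT_ASK_USERSPACE;
    }
    return OUT_KERNEL_AUTO_ACCEPT;    /* initiator: silently accepted */
}

/* Post-fix decision, modelling the page's fixed snippet: role no longer
 * matters; every Just Works pairing on a host that can confirm goes to
 * userspace with confirm_hint set, where bluetoothd applies its policy. */
static enum outcome decide_postfix(const struct pairing *p, int *confirm_hint)
{
    *confirm_hint = 0;
    if (p->method != METHOD_JUST_WORKS)
        return OUT_ASK_USER_COMPARE;
    if (!p->local_no_input_output) {
        *confirm_hint = 1;
        return OUT_ASK_USERSPACE;
    }
    return OUT_KERNEL_AUTO_ACCEPT;    /* headless host: nothing to prompt on */
}

/* Count how many of the four Just Works scenarios (initiator/acceptor x
 * has-IO/NoInputNoOutput) a decision function accepts without asking
 * userspace. Handy as a one-line regression check for the model. */
static int silent_accepts(enum outcome (*decide)(const struct pairing *, int *))
{
    int hint, silent = 0;
    for (int init = 0; init < 2; init++) {
        for (int nio = 0; nio < 2; nio++) {
            struct pairing p = { METHOD_JUST_WORKS, init == 1, nio == 1 };
            if (decide(&p, &hint) == OUT_KERNEL_AUTO_ACCEPT)
                silent++;
        }
    }
    return silent;
}

int main(void)
{
    /* Constructed scenario: a laptop with a display initiated the pairing. */
    struct pairing laptop_initiator = { METHOD_JUST_WORKS, true, false };
    int hint;
    enum outcome before = decide_prefix(&laptop_initiator, &hint);
    printf("pre-fix : outcome=%d confirm_hint=%d\n", before, hint);
    enum outcome after = decide_postfix(&laptop_initiator, &hint);
    printf("post-fix: outcome=%d confirm_hint=%d\n", after, hint);
    printf("silent accepts: pre-fix=%d post-fix=%d\n",
           silent_accepts(decide_prefix), silent_accepts(decide_postfix));
    return 0;
}
```

The useful observation is the last line of output: after the fix, the only scenarios that still auto-accept are the ones where the local side has no input or output at all, which is exactly the case in which a prompt is impossible and bluetoothd's policy has to carry the decision instead.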

Exploitation Steps

1. Attacker in Proximity: To exploit the issue, an attacker needs to be within Bluetooth range (typically ~10m).
2. Initiate Pairing: The attacker initiates a “Just Works” pairing request to the vulnerable device.
3. No Prompt: Due to the bug, the device does not prompt the legitimate user for confirmation, immediately accepting the pairing.
4. Gain Access: Depending on the system, the attacker could browse files, access network services, or use paired device features.

Real-World Impact Example

Think of a public space with crowded Bluetooth devices—if your laptop or phone is running an unpatched Linux kernel and accepts “Just Works” pairing requests *without confirmation*, a nearby attacker could silently pair, access shared files, or, in the worst case, inject malicious payloads if further services are exposed.

How to Fix

- Upgrade your kernel to one containing the fix (6.11-rc1 or later).
- Check your distribution’s security advisories:
  - Debian Security Tracker
  - Red Hat CVE DB
  - Ubuntu CVE Tracker

References and Further Reading

- Linux kernel patch: Align BR/EDR JUST_WORKS pairing with LE
- oss-security: Initial report and discussion
- NIST NVD CVE-2024-53144 entry
- BlueZ main.conf documentation

Conclusion

CVE-2024-53144 highlights how “convenience” in Bluetooth pairing can undermine system security if not carefully managed. The kernel fix brings BR/EDR and LE connections to the same security level, requiring user interaction for all “Just Works” pairings. It’s a reminder: *always keep your OS updated, especially for critical subsystems like Bluetooth*.

Patch now to stay safe.

*This writeup is exclusive and simplifies the technicalities for broader comprehension. For detailed kernel audits, refer to the referenced commit and advisories above.*

Timeline

Published on: 12/17/2024 16:15:25 UTC
Last modified on: 05/04/2025 13:00:37 UTC