Event
13:50
-
14:30
Day 3
Auracast: Breaking Broadcast LE Audio Before It Hits the Shelves
Recorded
Security
Auracast, the new Bluetooth LE Broadcast Audio feature has gained some publicity in the last few months. The Bluetooth SIG has been working on the specification of this feature set in the past few years and vendors are only now starting to implement it. Auracast enables broadcasting audio to multiple devices. These broadcasts can also be encrypted. Unfortunately, the security properties of the protocol are vague and insufficient. It has already been shown that these broadcasts can be hijacked by anyone when unencrypted. We explain the state of (in)security of the protocol and add to it by showing that even when encrypted, broadcasts can often be cracked easily. We also show that once equipped with the passcode, attackers can eavesdrop and hijack even encrypted broadcasts. Alongside the talk, we will release our toolkit to brute-force authentication codes, decrypt dumped Auracast streams, and hijack encrypted broadcasts.

Bluetooth Auracast is a marketing term for a subset of the new "LE Audio" features introduced in the Bluetooth 5.2 specification. LE Audio is designed to provide better sound quality, longer battery life and new capabilities for audio devices like headphones, earbuds and especially hearing aids. Essentially, Auracast is an audio broadcast feature set for Bluetooth Low Energy. Our talk will focus on the new features introduced in the core spec, namely Broadcast Isochronous streams (BIS).

The protocol specification for Auracast was released several years ago, and vendors are only now beginning to implement application-level support for it. Previous research from 2023 (the "BISON" paper) has already shown that unencrypted Auracast broadcasts can be hijacked.

The Bluetooth specification is very vague in what security goals it tries to achieve for (encrypted) broadcasts. The core building block for LE Audio broadcasts are Broadcast Isochronous Streams (BIS). Security for BIS is only ever mentioned in terms of confidentiality, which is supposedly achievable by encrypting a BIS. In this talk we'll shed some light on the security properties of Auracast and show that authenticity and confidentiality can be violated, even when broadcasts are encrypted.

To examine whether the vague specification and the bad examples lead to real-world issues, we have surveyed several implementations of Auracast. We found that on popular devices the default configuration is weak and allows breaking the authenticity and confidentiality of the Auracast broadcast.

Alongside the talk, we will release a toolkit that allows to dump, decrypt and hijack encrypted Auracast broadcasts.