Experts from Purdue University have warned that billions of smartphones, tablets, laptops and other devices using Bluetooth Low Energy (BLE) are vulnerable to a new attack dubbed BLESA (Bluetooth Low Energy Spoofing Attack).
Let me remind you that BLE is a “lightweight” version of the Bluetooth standard, designed to save battery power while a Bluetooth connection is active. Thanks to its improved energy efficiency, BLE has become widespread and is used in almost all battery-powered devices.

The vast majority of problems previously identified in BLE were found in the pairing mechanism, while other parts of the protocol were largely ignored by researchers. A team of seven experts from Purdue University set out to fill that gap by studying other aspects of BLE; in particular, their work centered on the “reconnection” process.
“This operation is performed after two BLE devices (client and server) have authenticated each other during pairing. Reconnection occurs when the devices go out of range and then return to BLE coverage. When reconnecting, the devices must re-validate each other’s cryptographic keys previously negotiated during pairing, reconnect to each other, and continue to exchange data”, the experts say.
The research team found that the BLE specification describes the reconnection process only vaguely, and as a result, when reconnection is implemented in different BLE stacks, two systemic problems arise across the supply chain of implementations:
- Authentication on reconnection is often not required;
- Authentication can be bypassed if the user’s device fails to force the IoT device to authenticate the data it transmits.
As a result, these problems open the door to a BLESA attack, in which a nearby attacker bypasses the reconnection checks and transmits fake data to a BLE device, causing people and automated systems to make wrong decisions. A simple demo of BLESA in action can be seen below.
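To make the client-side condition concrete, here is a small simulation of a BLE client’s reconnection policy. It is an added example, not code from the Purdue researchers or from any real BLE stack (BlueZ, Fluoride and the iOS stack are not modelled), and the event names, the packet fields and the event trace are all assumptions constructed for the model. It compares a permissive client that accepts attribute data as soon as it has reconnected (the behaviour the two problems above describe) with a strict client that refuses any data until the link has been re-encrypted with the key negotiated at pairing, and feeds both the same disconnect-then-reconnect sequence that the page later describes as the attack’s window.

```python
"""Simplified model of a BLE client's reconnection policy.

Added example; not code from the researchers or any real BLE stack.
The link states, the Packet layout and the EVENTS trace are assumptions
made for the model and do not reproduce real BLE link-layer messages.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Tuple


class Link(Enum):
    DISCONNECTED = auto()
    PLAIN = auto()       # reconnected, but the link is not yet (re-)encrypted
    ENCRYPTED = auto()   # link re-encrypted with the key negotiated at pairing


@dataclass
class Packet:
    """An attribute notification as seen by the client (assumed, simplified)."""
    encrypted: bool   # whether the link was encrypted when the packet arrived
    handle: int       # attribute handle (constructed value)
    value: int        # attribute value (constructed value)


@dataclass
class Client:
    """Client state machine; require_encryption is the policy under test."""
    require_encryption: bool
    link: Link = Link.DISCONNECTED
    accepted: List[Packet] = field(default_factory=list)
    rejected: List[Packet] = field(default_factory=list)

    def on_reconnect(self) -> None:
        self.link = Link.PLAIN

    def on_encryption_established(self) -> None:
        if self.link is not Link.DISCONNECTED:
            self.link = Link.ENCRYPTED

    def on_disconnect(self) -> None:
        self.link = Link.DISCONNECTED

    def on_packet(self, pkt: Packet) -> bool:
        """Return True if the packet is accepted under the client's policy."""
        if self.link is Link.DISCONNECTED:
            self.rejected.append(pkt)
            return False
        # The strict policy only accepts data once the link has been
        # re-encrypted and the packet itself arrived on the encrypted link.
        if self.require_encryption and not (
            self.link is Link.ENCRYPTED and pkt.encrypted
        ):
            self.rejected.append(pkt)
            return False
        self.accepted.append(pkt)
        return True


# Constructed event trace: the connection drops, the client reconnects, a
# plaintext notification arrives before the link is re-encrypted, then
# encryption is re-established and a genuine encrypted notification follows.
EVENTS: List[Tuple] = [
    ("disconnect",),
    ("reconnect",),
    ("packet", Packet(encrypted=False, handle=0x2A, value=999)),
    ("encryption",),
    ("packet", Packet(encrypted=True, handle=0x2A, value=37)),
]


def run(require_encryption: bool, events: List[Tuple] = EVENTS) -> List[int]:
    """Feed the trace to a client with the given policy; return accepted values."""
    client = Client(require_encryption=require_encryption)
    client.on_reconnect()                # start from an established, paired,
    client.on_encryption_established()   # encrypted session
    for event in events:
        kind = event[0]
        if kind == "disconnect":
            client.on_disconnect()
        elif kind == "reconnect":
            client.on_reconnect()
        elif kind == "encryption":
            client.on_encryption_established()
        elif kind == "packet":
            client.on_packet(event[1])
    return [pkt.value for pkt in client.accepted]


if __name__ == "__main__":
    print("permissive client accepted:", run(False))  # [999, 37]
    print("strict client accepted:", run(True))       # [37]
```

The permissive client takes the plaintext value that arrived during the unencrypted window, while the strict client only reports the value delivered after the link was re-encrypted. The point of the model is the policy decision in `on_packet`: a client that makes encryption of the reconnected link a precondition for consuming attribute data does not depend on the peer volunteering authentication.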
The researchers note that not all BLE implementations are affected by BLESA. BlueZ (used by Linux-based IoT devices), Fluoride (Android) and the iOS BLE stack were found vulnerable, while BLE on Windows devices turned out to be unaffected.
“As of June 2020, Apple has recognized the issue as a vulnerability (CVE-2020-9770) and has already fixed it. The Android BLE implementation on our test device (Google Pixel XL running Android 10) is still vulnerable”, the researchers write.
In turn, the BlueZ developers have already promised that they will revise their code and make reconnections invulnerable to BLESA.
Unfortunately, experts predict that fixing the BLESA problem will be a real headache for system administrators. Many IoT devices sold over the past decade simply have no built-in update mechanism, which means they will remain unpatched.
In addition, protection against Bluetooth attacks usually means that the pairing of devices must be carried out in a controlled environment. Protecting against BLESA is harder, however, since the attack targets the reconnect operation: for example, attackers can provoke a denial of service to forcibly terminate a Bluetooth connection and then re-connect and carry out the attack.
Let me remind you that HowToFix recently wrote about the BLURtooth vulnerability, which poses a threat to all devices using Bluetooth.