Purdue University experts warn that billions of smartphones, tablets, laptops and IoT devices using Bluetooth Low Energy (BLE) are vulnerable to a new attack, BLESA (Bluetooth Low Energy Spoofing Attack).
Let me remind you that BLE is a "lightweight" version of the Bluetooth standard, designed to save battery power while Bluetooth connections are active. Thanks to its improved energy efficiency, BLE has become widespread and is used in almost all battery-powered devices.
The vast majority of the problems previously identified in BLE were found in the pairing mechanism, while researchers largely ignored other parts of the protocol. A team of seven experts from Purdue University set out to close this gap by studying other aspects of BLE. In particular, their work centered on the "reconnection" process.
This operation is performed after two BLE devices (client and server) have authenticated each other during pairing. Reconnection occurs when devices go out of range and then return to BLE coverage. When reconnecting, the devices must re-validate each other's cryptographic keys previously negotiated during pairing, reconnect to each other, and continue to exchange data.
The research team found that the BLE specification describes the reconnection process only vaguely, and as a result, when reconnection is implemented in different BLE stacks, two systemic problems arise across the supply chain:
- often, authentication during device reconnection is optional;
- authentication can be bypassed if the user's device fails to force the IoT device to authenticate the transmitted data.
As a result, these problems open the door to a BLESA attack, in which a nearby attacker bypasses the reconnection checks and transmits fake data to a BLE device, prompting people and automated processes to make erroneous decisions. A simple demo of BLESA in action can be seen below.
The scientists note that BLESA does not threaten every BLE implementation. BlueZ (used by Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack were found to be vulnerable, but BLE on Windows devices turned out to be unaffected by the problem.
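To make the two reconnection problems concrete, here is an added Python model of a BLE client receiving a notification after reconnection; it is not code from the Purdue researchers or from any real BLE stack. Link-layer encryption is stood in for by an HMAC keyed with the pairing-time Long Term Key (real BLE uses AES-CCM), and the device address, LTK and sensor readings are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for BLE link-layer encryption: a short MAC keyed with
# the Long Term Key (LTK) negotiated at pairing. Real BLE uses AES-CCM.
def mac(ltk: bytes, payload: bytes) -> bytes:
    return hmac.new(ltk, payload, hashlib.sha256).digest()[:8]

@dataclass
class Notification:
    addr: str
    payload: bytes
    tag: Optional[bytes] = None   # None means the data was sent in the clear

class Peripheral:
    """The genuine, previously paired server: it holds the LTK."""
    def __init__(self, addr: str, ltk: bytes):
        self.addr, self.ltk = addr, ltk
    def notify(self, payload: bytes) -> Notification:
        return Notification(self.addr, payload, mac(self.ltk, payload))

class Spoofer:
    """Nearby device that clones the bonded address but never learned the LTK."""
    def __init__(self, addr: str):
        self.addr = addr
    def notify(self, payload: bytes) -> Notification:
        return Notification(self.addr, payload, None)  # can only send plaintext

class Client:
    def __init__(self, enforce_reconnect_auth: bool):
        self.bonds: Dict[str, bytes] = {}     # addr -> LTK stored at pairing
        self.enforce = enforce_reconnect_auth
    def pair(self, addr: str, ltk: bytes) -> None:
        self.bonds[addr] = ltk
    def reconnect_and_receive(self, n: Notification) -> Optional[bytes]:
        ltk = self.bonds.get(n.addr)
        if ltk is None:
            return None                        # never bonded: out of scope here
        if n.tag is None:
            # The two problems from the text: authentication is optional, and a
            # client that does not force it accepts plaintext from a bonded address.
            return None if self.enforce else n.payload
        ok = hmac.compare_digest(n.tag, mac(ltk, n.payload))
        return n.payload if ok else None

def run_demo() -> Dict[str, tuple]:
    """Returns (genuine result, spoofed result) for a weak and a hardened client."""
    ltk, addr = os.urandom(16), "AA:BB:CC:DD:EE:FF"   # constructed values
    genuine, spoof = Peripheral(addr, ltk), Spoofer(addr)
    results = {}
    for name, client in (("weak", Client(False)), ("hardened", Client(True))):
        client.pair(addr, ltk)
        results[name] = (client.reconnect_and_receive(genuine.notify(b"temp=21")),
                         client.reconnect_and_receive(spoof.notify(b"temp=99")))
    return results
```

The weak client returns the spoofed reading `temp=99` as if it came from the bonded device, while the hardened client, which requires the reconnection to use the stored LTK, drops it and still accepts the genuine `temp=21`.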
“As of June 2020, Apple has recognized the issue as a vulnerability (CVE-2020-9770) and has already eliminated it… The Android BLE implementation on our test device (Google Pixel XL running Android 10) is still vulnerable,” the researchers write.
In turn, the BlueZ developers have already promised that they will revise their code and make reconnections invulnerable to BLESA.
Unfortunately, the experts predict that fixing the BLESA problem will be a real headache for system administrators. Many IoT devices sold over the past decade simply have no built-in update mechanism, which means these devices will remain unpatched.
In addition, the usual protection against Bluetooth attacks is to carry out device pairing in a controlled environment. Protecting against BLESA is harder, since the attack targets the reconnection operation rather than pairing: for example, attackers can provoke a denial of service to forcibly terminate a Bluetooth connection, and then strike during the reconnection that follows.