A team of researchers from the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University recently discovered a flaw that affects many IoT devices using Bluetooth and can even lead to spoofing attacks. Bluetooth Low Energy (BLE) is the most widely used low-power communication protocol for mobile and IoT devices. Consulting firm ABI estimates that sales of low-power Bluetooth (BLE) devices will triple by 2023, to more than 1.5 billion units per year.
BLE devices rely on pairing, a critical process, to build "trust" between two devices the first time they are connected. After pairing, reconnections between BLE devices are often transparent to the user.
The flaw lies in the reconnection procedure for BLE devices that have already been paired, and reconnections happen frequently in everyday use, according to Jianliang Wu, a PhD student at PurSec Lab at Purdue University and one of the project's lead researchers.
Bluetooth devices often move out of range and later come back, at which point the connection with an already paired device is restored. All of this happens without any notification to the user. The research focuses on precisely this reconnection process. The researchers first analyzed it theoretically, carrying out a formal verification of the reconnection procedures defined in the latest BLE specification, in order to look for possible flaws.
The analysis revealed two critical BLE design weaknesses:
- For some BLE devices, authentication when reconnecting the device is optional and not mandatory.
- For other BLE devices, authentication may be bypassed if the user's device fails to force the IoT device to authenticate the transferred data.
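To make the two weaknesses concrete, here is a small model of the decision a user's device (the BLE central) makes when a paired peripheral reconnects and starts sending data. It is an added illustration, not code from the Purdue researchers or from any real BLE stack: link-layer encryption under the pairing key is stood in for by an HMAC tag, the device address and readings are constructed sample values, and the class and function names are made up for this example. The "lax" central accepts the first reading that arrives from the paired address, which is what both weaknesses amount to; the "strict" central refuses anything that is not authenticated under the long-term key from pairing.

```python
"""Toy model of a BLE central's reconnection decision (added illustration;
not code from the researchers' paper or from any BLE stack)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bond:
    """What the central keeps after pairing: the peer's address and the
    long-term key (LTK) both sides derived during pairing."""
    peer_addr: str
    ltk: bytes


@dataclass(frozen=True)
class Notification:
    """A characteristic value arriving after reconnection. `tag` is None when
    the link was never re-encrypted; otherwise it is an HMAC under the LTK,
    which stands in here for link-layer encryption/authentication."""
    src_addr: str
    payload: bytes
    tag: Optional[bytes]


def link_tag(ltk: bytes, payload: bytes) -> bytes:
    """Simplified stand-in for the authenticated link: HMAC-SHA256 under the LTK."""
    return hmac.new(ltk, payload, hashlib.sha256).digest()


class Peripheral:
    """A device advertising a given address; it may or may not hold the LTK."""

    def __init__(self, addr: str, ltk: Optional[bytes]):
        self.addr = addr
        self.ltk = ltk  # None: this device has no key (it was never paired)

    def notify(self, payload: bytes) -> Notification:
        tag = link_tag(self.ltk, payload) if self.ltk is not None else None
        return Notification(self.addr, payload, tag)


class Central:
    """The user's device. `enforce_reauth` selects the weak or the hardened policy."""

    def __init__(self, bond: Bond, enforce_reauth: bool):
        self.bond = bond
        self.enforce_reauth = enforce_reauth

    def accept(self, n: Notification) -> Optional[bytes]:
        """Return the payload if the central trusts it, else None."""
        # Matching the stored address is not authentication: an advertised
        # address is just a field in a packet.
        if n.src_addr != self.bond.peer_addr:
            return None
        # Weakness 1 (authentication optional) and weakness 2 (central does
        # not force the peripheral to authenticate): the lax policy takes
        # the data as soon as the address matches.
        if not self.enforce_reauth:
            return n.payload
        # Hardened policy: the link must be re-secured with the pairing key
        # before any value is trusted; unauthenticated data is dropped.
        if n.tag is None:
            return None
        if not hmac.compare_digest(n.tag, link_tag(self.bond.ltk, n.payload)):
            return None
        return n.payload


def run_scenario() -> dict:
    """Exercise both policies against a genuine peer and two impostors."""
    ltk = os.urandom(16)
    addr = "AA:BB:CC:DD:EE:FF"          # constructed sample address
    bond = Bond(addr, ltk)

    genuine = Peripheral(addr, ltk)     # the device the user paired with
    no_key = Peripheral(addr, None)     # same address, no pairing key
    wrong_key = Peripheral(addr, os.urandom(16))

    lax = Central(bond, enforce_reauth=False)
    strict = Central(bond, enforce_reauth=True)

    real = genuine.notify(b"glucose=95")    # constructed readings
    fake = no_key.notify(b"glucose=40")
    forged = wrong_key.notify(b"glucose=40")

    return {
        "lax_accepts_genuine": lax.accept(real) == b"glucose=95",
        "lax_accepts_spoof": lax.accept(fake) == b"glucose=40",
        "strict_accepts_genuine": strict.accept(real) == b"glucose=95",
        "strict_rejects_spoof": strict.accept(fake) is None,
        "strict_rejects_wrong_key": strict.accept(forged) is None,
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The point of the model is the order of checks in `Central.accept`: an address match is only a lookup of the stored bond, and trust is established solely by the peripheral proving possession of the pairing key before any characteristic value is consumed. A stack that skips that step, or lets the peripheral decide whether it happens, behaves like the `lax` central.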
After discovering the design flaws in the BLE specification, the researchers analyzed the major BLE stack implementations, including the BLE protocol stacks on Linux, Android, iOS and Windows, to see whether the devices were vulnerable. Three of the devices tested were found to be vulnerable: they failed to ensure that the connected IoT device authenticated its data and accepted unauthenticated data.
The researchers said that the flaw has a wide impact on the major platforms that support BLE communications, including Linux, Android and iOS. They added that, according to a recent study, more than 1 billion BLE devices do not use application-level security, which could provide a second line of defense. In addition, at least 8,000 Android BLE applications with approximately 2.5 billion installations read data from BLE devices in plaintext. Similar numbers may apply to iOS applications. The researchers concluded that the flaw could affect more than 1 billion BLE devices and more than 15,000 BLE applications. The researchers also reported their findings to Google and Apple, who confirmed the flaw. The results of the research will be officially presented at the 14th USENIX Workshop on Offensive Technologies (WOOT 2020), to be held in August.
The researchers also said that attackers could carry out spoofing attacks: impersonate the IoT device, forge data that looks like it came from that device, and send the fake data to the user's device. In particular, the design flaws allow attackers to bypass authentication on BLE reconnections, which can lead to spoofing attacks against the user's devices. In addition, attackers can easily forge any IoT device data that is not protected by application-level authentication.
This could have many consequences, according to the researchers. For example, malicious keystrokes could be injected into a smartphone or desktop when it reconnects to a BLE keyboard. A fake glucose level could be injected into a smartphone while the user is reading data from a BLE glucose monitor. Fake fitness data could be delivered to the user when a fitness tracker reconnects.
To prevent potential spoofing attacks, both the BLE specification and the current BLE stack implementations on Linux, Android and iOS need to be updated to secure the reconnection process. Finally, users need to install the latest firmware version to apply the required security patches and bug fixes. It is worth mentioning that Apple has already fixed the problem in iOS 13.4 and iPadOS 13.4.