A security flaw discovered over the summer affects billions of devices that use Bluetooth, such as smartphones, tablets, laptops and IoT devices. The flaw is known as BLESA (Bluetooth Low Energy Spoofing Attack) and affects devices that use the Bluetooth Low Energy (BLE) protocol.
BLE is a lighter version of the original Bluetooth (Classic) standard, designed to save battery while keeping Bluetooth connections alive for as long as possible. BLE has been adopted on a large scale over the last decade and is found in the majority of battery-powered devices because of the energy savings it offers.
A team of seven academics from Purdue University set out to research a part of the BLE protocol that plays a key role in day-to-day operation but has rarely been analyzed for security issues.
The research focused on the "reconnection" process, which takes place after two BLE devices have authenticated each other during pairing.
Reconnections occur when Bluetooth devices move out of range and then come back into range later. Normally, when reconnecting, the two BLE devices should verify each other's cryptographic keys (the ones established during pairing) before they resume exchanging data over BLE.
However, as the Purdue team found, the BLE specification contains two systemic issues, and both have carried over into BLE software stacks:
- Authentication during device reconnection is optional rather than mandatory.
- Authentication can be bypassed if the user's device does not force the IoT device to authenticate the data it sends.
These two issues are what make a BLESA attack possible. A nearby attacker bypasses the reconnection checks and sends spoofed data to a BLE device; the incorrect information it injects then leads operators and automated processes to make wrong decisions.
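To make the two weaknesses concrete, here is a small model of the reconnection step, written as an added illustration for this article; it is not code from the Purdue paper or from any real BLE stack. It abstracts the link layer to three message types and uses an HMAC under the bonded long-term key (LTK) as a stand-in for the real BLE link encryption. The device address, the "temperature" characteristic, the message names and the `require_auth` switch are all assumptions of the model. A central that treats authentication as optional (`require_auth=False`) keeps talking in plaintext when the peer refuses to start encryption, so a spoofer that merely copies the bonded device's address can feed it any value; a central that insists on the peer proving possession of the LTK drops the link instead.

```python
"""Toy model of the BLE reconnection weakness behind BLESA (added example).

Real BLE uses AES-CCM keyed from the LTK; here an HMAC over a nonce stands in
for "proving possession of the LTK" and for integrity on the encrypted link.
"""
import hashlib
import hmac
import os

# Constructed sample bond: address and LTK are assumptions for this model.
PERIPHERAL_ADDR = "c0:ff:ee:00:00:01"
LTK = bytes(range(16))
BONDS = {PERIPHERAL_ADDR: LTK}


def tag(key: bytes, data: bytes) -> bytes:
    """Stand-in for link-layer encryption/integrity: 8-byte HMAC under the LTK."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Peripheral:
    """Genuine bonded device: holds the LTK agreed at pairing."""

    def __init__(self, addr: str, ltk: bytes, temperature: int):
        self.addr, self.ltk, self.temperature = addr, ltk, temperature

    def handle(self, msg: dict) -> dict:
        if msg["op"] == "ENC_REQ":
            # Prove possession of the LTK by authenticating the central's nonce.
            return {"op": "ENC_RSP", "tag": tag(self.ltk, msg["nonce"])}
        if msg["op"] == "READ_REQ":
            body = self.temperature.to_bytes(2, "big")
            t = tag(self.ltk, msg["nonce"] + body) if msg["encrypted"] else b""
            return {"op": "READ_RSP", "value": body, "tag": t}
        return {"op": "ERROR"}


class Spoofer:
    """Attacker advertising with the victim's address but without the LTK.
    It declines to start encryption and answers reads in plaintext."""

    def __init__(self, addr: str, fake_temperature: int):
        self.addr, self.fake = addr, fake_temperature

    def handle(self, msg: dict) -> dict:
        if msg["op"] == "ENC_REQ":
            return {"op": "ENC_REJECT"}  # "no key available"
        if msg["op"] == "READ_REQ":
            return {"op": "READ_RSP", "value": self.fake.to_bytes(2, "big"), "tag": b""}
        return {"op": "ERROR"}


class Central:
    """Phone/laptop side. bond_table maps peer address -> LTK from pairing."""

    def __init__(self, bond_table: dict, require_auth: bool):
        self.bonds, self.require_auth = bond_table, require_auth

    def reconnect_and_read(self, peer):
        """Reconnect to a previously bonded address and read one value.
        Returns the accepted reading, or None if the link is refused."""
        ltk = self.bonds.get(peer.addr)
        if ltk is None:
            return None  # unknown address: a fresh pairing would be needed
        nonce = os.urandom(8)
        rsp = peer.handle({"op": "ENC_REQ", "nonce": nonce})
        authenticated = (rsp["op"] == "ENC_RSP"
                         and hmac.compare_digest(rsp["tag"], tag(ltk, nonce)))
        if not authenticated and self.require_auth:
            return None  # hardened behaviour: drop the link, never read plaintext
        # Vulnerable behaviour: authentication was optional, so fall through
        # and read in the clear from whoever owns the address right now.
        read_nonce = os.urandom(8)
        rsp = peer.handle({"op": "READ_REQ", "nonce": read_nonce,
                           "encrypted": authenticated})
        if rsp["op"] != "READ_RSP":
            return None
        if authenticated and not hmac.compare_digest(
                rsp["tag"], tag(ltk, read_nonce + rsp["value"])):
            return None  # tampered data on an encrypted link
        return int.from_bytes(rsp["value"], "big")


if __name__ == "__main__":
    real = Peripheral(PERIPHERAL_ADDR, LTK, 21)
    fake = Spoofer(PERIPHERAL_ADDR, 99)
    for require_auth in (False, True):
        c = Central(BONDS, require_auth)
        print(f"require_auth={require_auth}: genuine ->",
              c.reconnect_and_read(real), " spoofed ->", c.reconnect_and_read(fake))
```

Running it shows the asymmetry the researchers describe: with `require_auth=False` both the genuine device and the spoofer are believed (21 and 99), while with `require_auth=True` the genuine device still reads 21 and the spoofer gets nothing. A device that answers `ENC_REQ` with a tag computed under the wrong key is rejected the same way, which is why the fix is on the central's side: enforce the check rather than merely offer it.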
Purdue researchers said they analyzed many software stacks that have been used to support BLE communications on various operating systems.
The researchers found that BlueZ (on Linux-based IoT devices), Fluoride (Android) and the iOS BLE stack were all vulnerable to BLESA attacks, while the BLE stack on Windows devices was not affected.
As for Linux-based IoT devices, the BlueZ development team said it would remove the section of code that leaves devices open to BLESA attacks and replace it with code that implements proper reconnection procedures.
The downside is that patching all vulnerable devices will be extremely difficult for system administrators, and for some devices patching may not be an option at all.
Many resource-constrained IoT devices sold over the last decade ship without any built-in update mechanism, which means they will remain exposed to attack.
Attackers can also use denial-of-service bugs to knock devices offline, forcing a reconnection on demand, and then carry out a BLESA attack. BLE devices cannot be shielded from disconnections and signal drops.
Based on earlier BLE usage statistics, the research team estimates that the number of devices running vulnerable BLE software stacks is in the billions. For the moment, all that users of such devices can do is wait for the relevant updates to be released.