The security of billions of devices equipped with a Bluetooth LE module is jeopardized by a serious flaw recently discovered by security researchers at Purdue University. It is called BLESA (Bluetooth Low Energy Spoofing Attack) and concerns smartphones, tablets, laptops and IoT devices equipped with a Bluetooth Low Energy interface.
The research project's work focuses in particular on the reconnection process, i.e. what happens between two Bluetooth LE devices – a client and a server – after the initial pairing. Reconnection occurs when the devices move out of Bluetooth range and then come back within range of each other. In this phase, the two Bluetooth LE devices authenticate each other using the cryptographic keys stored during the pairing phase, reconnect and continue to operate.
The problem highlighted by the researchers lies in the fact that the official Bluetooth LE specifications do not describe the reconnection process in sufficiently strong language, resulting in two problems intrinsic to the standard: firstly, authentication at reconnection is optional rather than mandatory; secondly, authentication can be bypassed if the user's device fails to force the IoT device to authenticate the data it communicates.
These weaknesses of the Bluetooth LE protocol open the door to the BLESA attack: an attacker within Bluetooth range could bypass the checks tied to the reconnection process, intercept traffic and send falsified data, misleading both the user and the automated processes of the operating system.
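To make the client-side policy concrete, here is a simplified model of the reconnection described above, written as an added example for this article rather than code from the Purdue researchers or from any real BLE stack. It replaces the Bluetooth link-layer encryption setup with an HMAC challenge over the stored long-term key (an assumption made for illustration; real BLE derives an AES-CCM session key from the LTK), and contrasts a client that treats authentication at reconnection as optional with one that refuses attribute data from a peer that has not proved it holds the key from pairing. Device addresses, key material and battery values are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Simplified model of a Bluetooth LE reconnection (illustration only).
# In real BLE the peer proves possession of the Long-Term Key (LTK) by
# starting link encryption; here an HMAC over a fresh nonce stands in
# for "the peer demonstrated it holds the key agreed at pairing".


@dataclass
class Peripheral:
    """Server side, e.g. a smart ring. Holds the LTK from pairing, if any."""
    addr: str
    ltk: Optional[bytes] = None   # None models a peer that never paired with this client

    def prove_key(self, nonce: bytes) -> Optional[bytes]:
        """Answer the client's challenge; impossible without the LTK."""
        if self.ltk is None:
            return None
        return hmac.new(self.ltk, nonce, hashlib.sha256).digest()

    def battery_notification(self, level: int) -> dict:
        """Attribute notification as the client would receive it."""
        return {"addr": self.addr, "attr": "battery_level", "value": level}


@dataclass
class Central:
    """Client side, e.g. a smartphone. `require_auth` is the policy choice the
    article describes: leaving authentication optional is the weakness."""
    require_auth: bool
    bonds: dict = field(default_factory=dict)          # peer addr -> LTK from pairing
    authenticated: dict = field(default_factory=dict)  # peer addr -> bool for the current link

    def pair(self, peer: Peripheral) -> None:
        """Initial pairing: both sides end up holding the same LTK (constructed here as random bytes)."""
        ltk = os.urandom(16)
        peer.ltk = ltk
        self.bonds[peer.addr] = ltk

    def reconnect(self, peer: Peripheral) -> bool:
        """Re-establish the link. Returns True if the link is usable under this client's policy."""
        ltk = self.bonds.get(peer.addr)
        nonce = os.urandom(16)
        tag = peer.prove_key(nonce)
        ok = (
            ltk is not None
            and tag is not None
            and hmac.compare_digest(tag, hmac.new(ltk, nonce, hashlib.sha256).digest())
        )
        self.authenticated[peer.addr] = ok
        # Permissive stack: the link comes up whether or not authentication happened.
        # Strict stack: the link is refused unless the peer proved the key.
        return ok or not self.require_auth

    def accept_notification(self, msg: dict) -> Optional[int]:
        """Return the attribute value if accepted, None if rejected.
        The strict client only trusts data on a link whose peer was authenticated."""
        if self.require_auth and not self.authenticated.get(msg["addr"], False):
            return None
        return msg["value"]


def demo(require_auth: bool) -> tuple:
    """Run the scenario from the article: genuine ring reports 80%, then a peer
    advertising the same address but holding no LTK reports 5%."""
    phone = Central(require_auth=require_auth)
    ring = Peripheral(addr="AA:BB:CC:DD:EE:01")  # constructed address
    phone.pair(ring)

    phone.reconnect(ring)
    genuine = phone.accept_notification(ring.battery_notification(80))

    unauthenticated_peer = Peripheral(addr="AA:BB:CC:DD:EE:01", ltk=None)
    phone.reconnect(unauthenticated_peer)
    spoofed = phone.accept_notification(unauthenticated_peer.battery_notification(5))
    return genuine, spoofed


if __name__ == "__main__":
    print("optional authentication:", demo(require_auth=False))  # (80, 5): false reading accepted
    print("mandatory authentication:", demo(require_auth=True))  # (80, None): false reading rejected
```

The permissive client returns `(80, 5)`: it accepts the battery value from a peer that never proved it holds the pairing key, which is the situation the article describes. The strict client returns `(80, None)`, because the second notification arrives on a link whose peer failed the challenge. The mitigation is entirely on the client side, which matches the article's point that the fix lies in the host stacks (BlueZ, Fluoride, iOS) rather than in the IoT peripheral.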
A demonstration video published by the researchers shows how it is possible to alter, for example, the battery charge level of a smart ring as reported to the smartphone.
The vulnerability described is not present in all implementations of Bluetooth LE: the researchers analyzed various software stacks used to support BLE communication in the various operating systems and found that:
- BlueZ (Linux-based IoT devices): the flaw exists, but the BlueZ development team has stated that they plan to deprecate the part of the code that allows BLESA attacks
- Fluoride (Android devices): the flaw exists and was confirmed on the smartphones used in the research (including the Google Pixel XL with Android 10)
- iOS stack: the flaw existed but has already been corrected by the iOS and iPadOS 13.4 update released last June
- Windows BLE stack: immune to the flaw
The first major obstacle to remediation is the need to develop specific corrective patches that then have to be distributed to all devices at risk – and on this point it is up to the producers and developers of the various software platforms.
It must also be considered that not all Bluetooth LE devices can be updated: while this is possible with a smartphone, a PC or a tablet, it is not necessarily the case with IoT devices that have limited resources and do not support software updates. For these products, avoiding a BLESA attack may be impossible.
However, it should be noted that, like other vulnerabilities affecting the Bluetooth interface – BlueFrag, discovered at the beginning of the year, among others – this one also requires the attacker to be within Bluetooth range; the risk therefore cannot be completely excluded, but it is objectively lower than that of cyber attacks carried out remotely.
Credits opening image: Pixabay