A team of academic researchers has discovered a Bluetooth Low Energy (BLE) vulnerability that allows spoofing attacks, which could change how both humans and machines act on the data a device reports.
This flaw potentially affects billions of Internet of Things (IoT) devices and remains unpatched in Android devices. The vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol which has been widely adopted over the past decade, due to its battery-saving features.
In a research project at Purdue University, a team of seven academics investigated a section of the BLE protocol which has rarely been analyzed for security issues.
The Bluetooth Low Energy Spoofing Attack (BLESA) flaw arises from weak authentication during device reconnection. A reconnection happens when two previously paired devices lose contact (one moves out of range or disconnects) and then connect again.
The researchers found that the official BLE specification does not use strong enough language when describing the reconnection process, which leads to two systemic issues in BLE software implementations.
First, authentication during device reconnection is optional rather than mandatory.
Second, even where it is available, the authentication can be circumvented if the user's device (the client side of the connection) does not force the IoT device to authenticate the data it sends, and instead accepts attribute data arriving over an unencrypted link.
A successful BLESA attack lets a threat actor connect to a device and feed it spoofed data. On IoT devices, those malicious packets can make the machine behave differently than intended; for a human user, the attacker can make the device present deceptive information.
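To make the reconnection weakness above concrete, here is an added simulation (not code from the Purdue researchers or from any real BLE stack) of a previously paired client reconnecting to a peer with a known address. "Encrypting the link" is modeled as a challenge/response keyed with the Long Term Key (LTK) from the original pairing; the real link-layer encryption is not reproduced. The device address, LTK and attribute handle are constructed values. A weak client treats encryption as optional and accepts whatever attribute value the peer returns, so an attacker advertising the IoT device's address can feed it a spoofed reading; a hardened client refuses attribute data until the peer proves it holds the LTK.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: simplified model of BLE reconnection between a
# "user device" (GATT client) and an IoT device (GATT server) that share
# an LTK from an earlier pairing. Proving possession of the LTK stands in
# for starting link-layer encryption; AES-CCM link encryption is not modeled.


def ltk_proof(ltk: bytes, nonce: bytes) -> bytes:
    """Keyed response showing the peer holds the LTK (stand-in for encryption start)."""
    return hmac.new(ltk, nonce, hashlib.sha256).digest()


@dataclass
class Bond:
    """What the client remembers from the original pairing."""
    address: str
    ltk: bytes


class GenuineServer:
    """The real IoT device: holds the LTK and serves real attribute values."""
    def __init__(self, address: str, ltk: bytes, attributes: Dict[int, bytes]):
        self.address = address
        self._ltk = ltk
        self._attributes = attributes

    def prove_ltk(self, nonce: bytes) -> bytes:
        return ltk_proof(self._ltk, nonce)

    def read(self, handle: int) -> bytes:
        return self._attributes[handle]


class SpoofedServer:
    """Attacker advertising the IoT device's address without its LTK."""
    def __init__(self, address: str, fake_attributes: Dict[int, bytes]):
        self.address = address
        self._attributes = fake_attributes

    def prove_ltk(self, nonce: bytes) -> bytes:
        # No LTK, so the response is random and encryption start would fail.
        return os.urandom(32)

    def read(self, handle: int) -> bytes:
        return self._attributes[handle]


class Client:
    def __init__(self, bond: Bond, require_encryption: bool):
        self.bond = bond
        self.require_encryption = require_encryption

    def reconnect_and_read(self, server, handle: int) -> Optional[bytes]:
        """Reconnect to the bonded peer by address and read one attribute.

        Returns the value, or None when the client refused the data because
        the peer could not prove possession of the LTK.
        """
        if server.address != self.bond.address:
            raise ValueError("not the bonded peer")
        if self.require_encryption:
            nonce = os.urandom(16)
            expected = ltk_proof(self.bond.ltk, nonce)
            if not hmac.compare_digest(server.prove_ltk(nonce), expected):
                return None  # hardened client: no plaintext data from a bonded peer
        # Weak client path: encryption was optional, plaintext value accepted.
        return server.read(handle)


DEVICE_ADDR = "AA:BB:CC:DD:EE:FF"                      # constructed address
LTK = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed LTK
HANDLE_TEMPERATURE = 0x0021                            # constructed handle


def run_scenario(require_encryption: bool, spoofed: bool) -> Optional[bytes]:
    """Return what the client ends up believing the temperature reading is."""
    bond = Bond(DEVICE_ADDR, LTK)
    if spoofed:
        server = SpoofedServer(DEVICE_ADDR, {HANDLE_TEMPERATURE: b"99.0C"})
    else:
        server = GenuineServer(DEVICE_ADDR, LTK, {HANDLE_TEMPERATURE: b"21.5C"})
    return Client(bond, require_encryption).reconnect_and_read(server, HANDLE_TEMPERATURE)


if __name__ == "__main__":
    print("weak client, spoofed server:    ", run_scenario(False, True))   # b"99.0C"
    print("hardened client, spoofed server:", run_scenario(True, True))    # None
    print("hardened client, genuine server:", run_scenario(True, False))   # b"21.5C"
```

The point of the model is the second issue described above: matching the peer's address is not authentication. Unless the client insists on the link being encrypted with the bonded LTK before it acts on attribute data, anyone who can advertise the right address can answer its reads.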
A demo of the BLESA attack is given below.
The vulnerability is significant due to the ubiquity of the BLE protocol which is used by billions of devices to pair and connect.
Attackers can use BLESA on BLE implementations on Linux, Android and iOS platforms. Specifically, BlueZ (Linux-based IoT devices), Fluoride (Android-based) and the iOS BLE stack are all vulnerable, while Windows implementations of BLE remain unaffected.
The researchers contacted Apple, Google and the BlueZ team about the vulnerabilities. Apple assigned CVE-2020-9770 to the flaw and fixed it in June. But the Android BLE implementation in the device they tested (a Google Pixel XL running Android 10) is still vulnerable.
The researchers stated that the BlueZ development team said it would replace the code that opens its devices to BLESA attacks with code that uses proper BLE reconnection procedures that aren’t susceptible to attacks.