
Bluetooth Low Energy Spoofing Attack Endangers Billions of Devices

A new major vulnerability affects billions of devices, including smartphones, tablets, laptops, and IoT appliances.

Dubbed BLESA, or Bluetooth Low Energy Spoofing Attack, the flaw affects devices that run the Bluetooth Low Energy protocol, known as BLE for short.

What Is BLE?

BLE is a wireless personal area network technology designed to serve novel applications in the sectors of healthcare, fitness, beacons, security, and home entertainment. BLE was created by the Bluetooth Special Interest Group (Bluetooth SIG). It is the most widely adopted low-energy communication protocol, and, by 2023, the number of BLE-enabled devices is expected to reach 5 billion.

Due to the vast adoption of this protocol, security researchers have been probing it for flaws. Previous research mainly focused on issues in the pairing process, thus ignoring large parts of the protocol.

The BLESA Bluetooth vulnerabilities

However, a group of seven academics at Purdue University decided to analyze a section of BLE that is central to day-to-day BLE operations.

In their paper titled “BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy”, the researchers analyze the security of the BLE link-layer, focusing on the scenario in which two previously-connected devices reconnect.

Based on a formal analysis of the reconnection procedure defined by the BLE specification, the team highlights two critical security issues in the specification. As a result, even a device implementing the BLE protocol correctly may be vulnerable to spoofing attacks, the report says.

When two Bluetooth devices reconnect, it means that the devices went out of range and then moved back into range later. During the reconnection process, the BLE devices should check each other’s cryptographic keys, which were negotiated during the pairing procedure. Then, they should be able to reconnect and exchange data via BLE.

The researchers discovered “that the BLE specification allows implementing several aspects of this protocol in multiple ways, some of which are vulnerable. For this reason, even BLE stack implementations correctly following the specification can potentially be susceptible to spoofing attacks. For instance, we found that the BLE protocol stack (when accessed via gatttool [26]) used in Linux client devices (e.g., Linux laptops), while following the BLE specification correctly, is susceptible to the identified spoofing attack.”

Furthermore, it turned out that the official BLE specification didn’t have language strong enough to describe the reconnection process, allowing for two systemic issues to appear in the software implementations.
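A simplified model of the reconnection key check described above, added here as an illustration and not code from the paper or from any BLE stack. The HMAC challenge-response stands in for BLE's actual key verification, and the class names, address and sample values are constructed assumptions.

```python
import hashlib
import hmac
import os

ADDR = "AA:BB:CC:00:00:01"  # constructed sample address

class Peer:
    """Model of a device the client reconnects to (hypothetical class)."""
    def __init__(self, address, value, key=None):
        self.address, self.value, self.key = address, value, key

    def prove(self, nonce):
        # A peer without the pairing key can only guess one.
        key = self.key if self.key is not None else os.urandom(16)
        return hmac.new(key, nonce, hashlib.sha256).digest()

class Client:
    """Model of a client holding keys negotiated at pairing (hypothetical)."""
    def __init__(self, require_key_proof):
        self.bonds = {}  # address -> pairing key
        self.require_key_proof = require_key_proof

    def reconnect(self, peer):
        """Return the peer's data, or None if the reconnection is refused."""
        key = self.bonds.get(peer.address)
        if key is None:
            return None  # no earlier pairing with this address
        if self.require_key_proof:
            nonce = os.urandom(16)  # fresh challenge per reconnection
            expected = hmac.new(key, nonce, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, peer.prove(nonce)):
                return None  # peer does not hold the pairing key
        return peer.value

def demo():
    key = os.urandom(16)  # stands in for the key negotiated at pairing
    genuine = Peer(ADDR, b"72 bpm", key)
    impostor = Peer(ADDR, b"forged")  # same address, no pairing key
    results = {}
    for name, strict in (("checks_key", True), ("skips_check", False)):
        client = Client(require_key_proof=strict)
        client.bonds[ADDR] = key
        results[name] = (client.reconnect(genuine), client.reconnect(impostor))
    return results

if __name__ == "__main__":
    print(demo())
```

The client that verifies key possession returns data only from the paired device, while the client that skips the check hands the impostor's value to the application as if it came from the paired device.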

Where can attackers exploit the BLESA vulnerabilities?

The vulnerabilities can be exploited in BLE implementations on Linux, Android, and iOS. More specifically, Linux-based BlueZ IoT devices, Android-based Fluoride and the iOS BLE stack are all prone to the attacks, while Windows implementations of BLE are unaffected.

The research team got in touch with Apple, Google and the BlueZ team about the vulnerabilities. Apple assigned CVE-2020-9770 to the vulnerability and fixed it in June. However, “the Android BLE implementation in our tested device (i.e., Google Pixel XL running Android 10) is still vulnerable,” the team noted.

Earlier this month, another serious Bluetooth vulnerability was reported. Dubbed BLURtooth, it allows attackers within wireless range to circumvent authentication keys in man-in-the-middle attacks.

In May, a flaw in the Bluetooth wireless protocol was announced. Called BIAS and given the CVE-2020-10135 identifier, it affects the classic version of the Bluetooth protocol. This means that devices relying on Bluetooth Classic, such as smartphones, tablets, laptops, and smart IoT devices, were exposed.

Milena Dimitrova
