A new vulnerability in the Bluetooth software stack discovered this summer could affect billions of smartphones, laptops and IoT devices that use the Bluetooth Low Energy (BLE) protocol.
The new vulnerability was named BLESA (Bluetooth Low Energy Spoofing Attack) by the team of seven Purdue University academic researchers who first discovered it.
Unlike the recently discovered BLURtooth vulnerability, which deals with pairing Bluetooth devices, BLESA was found in the reconnection process. Reconnections occur when two already-paired BLE devices move out of range and then back into range. Typically, BLE devices check the cryptographic keys that were negotiated during the pairing process when the connection is reestablished.
However, the Purdue research team found that the official BLE specification did not have strong enough language to properly describe the reconnection process, which led to two systemic problems that made their way into the implementations of BLE software.
The first deals with the fact that authentication is optional and not mandatory during device reconnection, while the second deals with how authentication can possibly be bypassed if a user
As a result of these two issues, billions of devices can be vulnerable to a BLESA attack, in which a nearby attacker bypasses reconnect verification and sends spoofed data with incorrect information to a BLE device. This can lead both humans and automated processes to make wrong decisions when trying to reconnect two devices.
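As an added illustration (not from the article or from the Purdue paper), the Python model below contrasts a client stack that treats reconnection authentication as optional with one that requires the peer to prove possession of the pairing key before any data is accepted. The HMAC challenge, the key value and all class and function names are constructed stand-ins for the real BLE link-layer encryption start, not the actual AES-CCM procedure.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed long-term key standing in for the LTK negotiated during pairing.
LTK = bytes.fromhex("00112233445566778899aabbccddeeff")


def prove_key(ltk: bytes, nonce: bytes) -> bytes:
    # Simplified stand-in for starting link encryption: the server shows it
    # holds the pairing key by answering a fresh client nonce.
    return hmac.new(ltk, nonce, hashlib.sha256).digest()


@dataclass
class ReconnectMessage:
    proof: Optional[bytes]   # None = peer never started encryption
    payload: bytes           # attribute data (e.g. a sensor reading)


class Client:
    def __init__(self, ltk: bytes, require_encryption: bool) -> None:
        self.ltk = ltk
        self.require_encryption = require_encryption
        self.nonce = secrets.token_bytes(16)

    def reconnect(self, msg: ReconnectMessage) -> Optional[bytes]:
        """Return the accepted payload, or None if the data is rejected."""
        if msg.proof is None:
            # Lenient stack: authentication is optional, so plaintext data
            # from an unverified peer is accepted (the BLESA weakness).
            return None if self.require_encryption else msg.payload
        expected = prove_key(self.ltk, self.nonce)
        if not hmac.compare_digest(msg.proof, expected):
            return None  # peer does not hold the pairing key
        return msg.payload


def simulate(require_encryption: bool):
    """Feed a genuine and an unauthenticated reconnection to one client."""
    client = Client(LTK, require_encryption)
    genuine = ReconnectMessage(prove_key(LTK, client.nonce), b"temp=21C")
    # A peer without the LTK cannot start encryption; it can only send plaintext.
    unauthenticated = ReconnectMessage(None, b"temp=99C")
    return client.reconnect(genuine), client.reconnect(unauthenticated)
```

Only the strict client drops the unauthenticated reading; the lenient one hands both readings to the application as if they came from the paired device.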
Fortunately, the problem does not affect all real-world BLE implementations, according to Purdue researchers, who analyzed multiple software stacks running under different operating systems. The researchers found that BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack are vulnerable to BLESA attacks. However, the BLE stack in Windows devices is immune.
While Apple fixed the vulnerability in iOS and iPadOS 13.4, the Android BLE implementation on the researchers’ test device was still vulnerable. On Linux, the BlueZ development team has announced that it is using code that implements the proper BLE reconnection procedure to protect devices from BLESA.
In an article entitled “BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy”, explaining how to prevent BLESA attacks, the Purdue researchers said:
“To prevent BLESA, we need to ensure the reconnection procedure between clients and their previously paired server devices. We can do this by improving the BLE stack implementations and / or updating the BLE specification.”