A new security flaw in the Bluetooth software stack discovered over the summer has the potential to affect billions of smartphones, laptops and IoT devices using the Bluetooth Low Energy (BLE) protocol.
The new vulnerability has been given the name BLESA (Bluetooth Low Energy Spoofing Attack) by the team of seven academic researchers at Purdue University who first discovered it.
Unlike the recently discovered BLURtooth vulnerability that deals with how Bluetooth devices pair with one another, BLESA was found in the reconnection process. Reconnections occur when two BLE devices move out of range and then move back into range. Normally BLE devices check the cryptographic keys negotiated during the pairing process when reconnecting.
However, Purdue’s research team found that the official BLE specification did not contain strong enough language to describe the reconnection process properly, leading to two systemic issues making their way into BLE software implementations.
The first is that authentication during device reconnection is optional rather than mandatory; the second is that authentication can be circumvented if a user’s BLE device fails to force the other device to authenticate the cryptographic keys sent while reconnecting.
As a result of these two issues, billions of devices could be vulnerable to BLESA attacks, in which a nearby attacker bypasses reconnection verification and sends spoofed, incorrect data to a BLE device. This can lead both humans and automated processes to make incorrect decisions about allowing two devices to reconnect with one another.
Thankfully, the issue does not affect all real-world BLE implementations, according to Purdue’s researchers, who analyzed multiple software stacks across operating systems. The researchers found that BlueZ (Linux-based IoT devices), Fluoride (Android) and the iOS BLE stack are all vulnerable to BLESA attacks. However, the BLE stack in Windows devices is immune.
While Apple fixed the vulnerability in iOS and iPadOS 13.4, the Android BLE implementation in the researchers’ test device was still vulnerable. On Linux, the BlueZ development team has said that it will use code that implements proper BLE reconnection procedures to protect devices against BLESA.
In a paper titled “BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy”, Purdue’s researchers explained how BLESA attacks can be prevented, saying:
“To prevent BLESA, we need to secure the reconnection procedure between clients and their previously-paired server devices. We can achieve this by improving the BLE stack implementations and/or updating the BLE specification.”
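The two issues described above (authentication on reconnection being optional, and a client not forcing its peer to prove it holds the pairing keys) and the remedy the researchers describe (securing the reconnection procedure on the client side) can be illustrated with a small simulation. The following is an added example written for this article, not code from the Purdue paper or from any BLE stack; it models the pairing key as a shared secret and the proof of possession as an HMAC challenge, which is a deliberate simplification of the real BLE link-layer encryption handshake. The names `BondedClient`, `Peer` and `enforce_auth` are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple, Dict

# Simplified model (constructed for this article, not the BLE link layer):
# a bonded client keeps the long-term key agreed during pairing and, on
# reconnection, asks the peer to prove it holds the same key before it
# trusts any attribute data the peer sends.


@dataclass
class Peer:
    name: str
    ltk: Optional[bytes]  # key from pairing, or None for a peer that never paired

    def respond(self, challenge: bytes) -> Optional[bytes]:
        """Answer the client's challenge; a peer without the key cannot."""
        if self.ltk is None:
            return None
        return hmac.new(self.ltk, challenge, hashlib.sha256).digest()

    def attribute_value(self) -> bytes:
        """Constructed sample reading; the unpaired peer returns a bogus one."""
        return b"temp=21.5" if self.ltk is not None else b"temp=-40.0"


class BondedClient:
    def __init__(self, ltk: bytes, enforce_auth: bool):
        self.ltk = ltk
        # enforce_auth=False models a stack that treats reconnection
        # authentication as optional; True models the hardened behaviour.
        self.enforce_auth = enforce_auth

    def reconnect(self, peer: Peer) -> Tuple[bool, Optional[bytes]]:
        """Return (peer_authenticated, data_accepted_from_peer)."""
        challenge = secrets.token_bytes(16)
        proof = peer.respond(challenge)
        expected = hmac.new(self.ltk, challenge, hashlib.sha256).digest()
        authenticated = proof is not None and hmac.compare_digest(proof, expected)
        if authenticated:
            return True, peer.attribute_value()
        if self.enforce_auth:
            # Hardened: a peer that cannot prove key possession is dropped
            # and none of its data reaches the application.
            return False, None
        # Weak: authentication was optional, so the data is consumed anyway.
        return False, peer.attribute_value()


# Constructed sample: a fixed 128-bit pairing key so the run is reproducible.
PAIRED_LTK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def run_scenarios() -> Dict[str, Tuple[bool, Optional[bytes]]]:
    """Exercise both client policies against a bonded and an unbonded peer."""
    genuine = Peer("bonded thermostat", PAIRED_LTK)
    impostor = Peer("unbonded peer", None)
    weak = BondedClient(PAIRED_LTK, enforce_auth=False)
    hardened = BondedClient(PAIRED_LTK, enforce_auth=True)
    return {
        "weak/genuine": weak.reconnect(genuine),
        "weak/unbonded": weak.reconnect(impostor),
        "hardened/genuine": hardened.reconnect(genuine),
        "hardened/unbonded": hardened.reconnect(impostor),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:18} authenticated={result[0]!s:5} data={result[1]!r}")
```

The only line that changes between the two policies is what the client does when the proof fails: the weak client still hands the unbonded peer's reading to the application, which is the decision-making hazard the article describes, while the hardened client returns nothing. Making that check mandatory in the stack, rather than leaving it to each application, is what the researchers mean by securing the reconnection procedure.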