
How the BLESA Attack Exploits the Bluetooth Security Flaw

by CISOCONNECT Bureau

Recently, researchers discovered a new attack, BLESA, that exploits the often-ignored Bluetooth reconnection process. Read on to learn more.

The Bluetooth Low Energy (BLE) protocol has been adopted ever more widely over the past decade, owing to its battery-saving capabilities, and it is now a near-ubiquitous technology across almost all battery-powered devices. This technology has now been found vulnerable to a newly discovered attack: a spoofing attack called BLESA that exploits vulnerabilities in the reconnection procedure between two previously paired BLE devices. Security researchers and academics have repeatedly probed BLE for security flaws over the years, ever since it first surfaced, and have often found major issues.

BLESA Attack
The flawed Bluetooth Low Energy reconnection procedure has left billions of Android and iOS devices vulnerable to a new attack dubbed Bluetooth Low Energy Spoofing Attack (BLESA). Two critical security flaws in the BLE link-layer authentication mechanism expose Bluetooth devices to the attack. These weaknesses allow an attacker to impersonate a BLE server device and deliver spoofed data to a device that was previously paired with it.

Purdue University researchers found that multiple software stacks, such as BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack, covering more than one billion BLE devices and 16,000 BLE apps, could be exploited using the BLESA flaw. Additionally, the researchers found a related implementation vulnerability (CVE-2020-9770) in the Android and iOS BLE stacks that makes these two stacks vulnerable to BLESA.

Recent Bluetooth Threats
The design weaknesses and implementation flaws in the Bluetooth stacks have caused several security issues in recent times.

Earlier this month, another vulnerability, dubbed BLURtooth, was found in the Cross-Transport Key Derivation (CTKD) component of Bluetooth. CTKD sets up two different sets of authentication keys for the BLE and Basic Rate/Enhanced Data Rate (BR/EDR) standards, and the flaw lets attackers overwrite Bluetooth authentication keys.

In July, researchers reported an authentication bypass in BLE reconnections using two critical design weaknesses in BLE stack implementations in Linux, Android, and iOS. Google and Apple also confirmed the flaw.

Mitigation
Because the BLESA attack targets the far more frequent reconnection process, it is hard to defend against. Purdue's team has released a report on possible improvements to the reconnection procedure. According to them, both the BLE stack implementations and the BLE specification itself need to be improved.
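As an added illustration (not code from the Purdue paper or from any real BLE stack), this Python simulation models the client-side check behind the flaw described above and the stack-level fix called for here: a client that reconnects to a bonded server and only accepts attribute data once the link has been re-encrypted with the long-term key (LTK) stored at pairing time, beside the vulnerable client that accepts data regardless. The device address, the HMAC challenge standing in for BLE link encryption, and the temperature values are constructed assumptions.

```python
import hashlib
import hmac
import os

ADDR = "AA:BB:CC:DD:EE:FF"  # constructed address of the bonded BLE server

class Peer:
    """BLE server; a rogue peer that never paired holds no LTK (ltk=None)."""
    def __init__(self, ltk):
        self.ltk = ltk

    def start_encryption(self, nonce):
        if self.ltk is None:  # without the key it can only decline
            return None
        return hmac.new(self.ltk, nonce, hashlib.sha256).digest()

class Client:
    def __init__(self, enforce_encryption, bonds):
        self.enforce = enforce_encryption  # False = vulnerable, True = hardened
        self.bonds = bonds      # address -> LTK saved when the devices paired
        self.encrypted = set()  # addresses whose current link is encrypted

    def reconnect(self, addr, peer):
        # Ask the peer to re-encrypt the link with the bonded LTK.
        self.encrypted.discard(addr)
        if addr not in self.bonds:
            return False
        nonce = os.urandom(16)
        expected = hmac.new(self.bonds[addr], nonce, hashlib.sha256).digest()
        proof = peer.start_encryption(nonce)
        if proof is not None and hmac.compare_digest(proof, expected):
            self.encrypted.add(addr)
        return addr in self.encrypted

    def receive(self, addr, data):
        # The vulnerable client takes attribute data even after the peer
        # declined to re-encrypt, so a spoofed server's values pass as genuine.
        if self.enforce and addr not in self.encrypted:
            return None
        return data

def simulate(enforce_encryption):
    ltk = os.urandom(16)
    client = Client(enforce_encryption, {ADDR: ltk})
    results = {}
    client.reconnect(ADDR, Peer(ltk))            # genuine bonded server
    results["genuine"] = client.receive(ADDR, b"temp=21")
    client.reconnect(ADDR, Peer(None))           # impersonator reusing the address
    results["rogue"] = client.receive(ADDR, b"temp=99")
    return results
```

Running `simulate(False)` shows the spoofed reading accepted; `simulate(True)` drops it while the genuine server's data still arrives.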

Defending against most Bluetooth attacks usually means pairing devices in controlled environments. With BLESA this becomes a much harder task, since the attack targets the far more frequently occurring reconnect operation.

The group of researchers has released a paper titled “BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy” to better explain how BLESA attacks can be prevented.
