A newly discovered critical vulnerability in the Bluetooth software stack has the potential to expose billions of devices to hacking.
Detailed by researchers at Purdue University, the new vulnerability has been dubbed BLESA, short for Bluetooth Low Energy Spoofing Attack. The vulnerability relates to the reconnection process in the BLE software stack.
That process is where two previously paired Bluetooth devices reconnect and involves both devices checking each other’s cryptographic keys to reconnect. But as per the research, the standard in the software means the checking part isn’t compulsory.
Specifically, the software standard sets authentication during a reconnect as optional, opening the door to an attack. In addition, authentication can be circumvented if a BLE device fails to force another device to authenticate cryptographic keys while reconnecting.
The vulnerability doesn’t exist in all implementations of BLE, and Windows is surprisingly immune. The vulnerability was, however, found in BlueZ, a Linux-based implementation of BLE used in “internet of things” devices; Flouride, used in Android; and in the iOS BLE stack. Apple Inc. is said to have fixed the vulnerability in iOS and iPadOS 13.4, while Android BLE remains vulnerable.
“To prevent BLESA, we need to secure the reconnection procedure between clients and their previously-paired server devices,” the report concludes. “We can achieve this by improving the BLE stack implementations and/or updating the BLE specification.”
Given the extent to which BLE is used across billions of devices ranging from computers, smartphones and IoT devices, the implication of the vulnerability is staggeringly large in term of security.
“The BLESA vulnerability could have far-reaching, long-lasting impact and opens Bluetooth devices up to a range of possible attacks,” Paul Bischoff, privacy advocate at research firm Comparitech Ltd., told SiliconANGLE. “Those attacks will vary depending on the Bluetooth device and what information it sends over BLE when reconnecting. Given the ubiquity of BLE and the fact that many Bluetooth IoT devices don’t have automatic update mechanisms, the vulnerability might never be patched on many devices, and so will remain a viable attack vector for a long time.”
Chris Hauk, consumer privacy champion at privacy site Pixel Privacy, noted that this is just the latest discovery to involve security issues with Bluetooth connections.
“Unfortunately, as it has been with previous Bluetooth bugs, sysadmins face a nightmare of attempting to patch all vulnerable devices and that’s only if there is a patch available,” he said. “It is also unfortunate that standard users of mobile and other devices will not patch their devices if and when a patch becomes available.”
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.
If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.