New ‘BLESA’ Bluetooth Vulnerability Could Affect Billions of IoT Devices, Researchers Warn

A new Bluetooth vulnerability could potentially affect billions of smartphones and IoT devices that use the Bluetooth Low Energy (BLE) protocol, researchers from Purdue University warn.

Unlike the recent BLURtooth vulnerability, which concerns the way Bluetooth devices pair with one another, BLESA (Bluetooth Low Energy Spoofing Attack) was discovered in the reconnection process of BLE devices.

Due to the energy-efficient wireless communication facilitated by the BLE protocol, many IoT devices require limited or no user interactions to establish a connection between them.

Purdue’s research team discovered two design weaknesses in the BLE authentication mechanism that could enable an attacker to impersonate a BLE device and provide spoofed data to a previously paired device:

  • Authentication during device reconnection is optional as opposed to mandatory
  • Authentication can be circumvented if a user’s device fails to force another device to authenticate the cryptographic keys sent while reconnecting

“These weaknesses, in some BLE stack implementations, allow an attacker to launch a spoofing attack in which the attacker pretends to be a previously-paired server device, inducing a client device into accepting spoofed data,” researchers said.
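The two weaknesses above come down to one client-side decision: whether to accept attribute data from a reconnecting peer that has not proven it holds the key stored at pairing. The following added model (not code from the Purdue researchers or from any BLE stack) stands in an HMAC challenge for the link-layer re-encryption step and contrasts a lenient client with one that requires the key proof; all names and the sample data are constructed.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model: a client reconnecting to a server it bonded with earlier.
# The long-term key (LTK) stands for the key both sides stored at pairing time.


@dataclass
class Peer:
    """A server answering a reconnection. `ltk` is None for an impostor."""
    ltk: Optional[bytes]
    data: bytes = b"heart_rate=72"

    def key_proof(self, challenge: bytes) -> Optional[bytes]:
        # A genuine peer proves key possession; a peer without the key returns
        # None, modelling "encryption not supported" on the link layer.
        if self.ltk is None:
            return None
        return hmac.new(self.ltk, challenge, hashlib.sha256).digest()


def reconnect(client_ltk: bytes, peer: Peer, require_auth: bool) -> Optional[bytes]:
    """Return the attribute data the client accepts, or None if it drops the link.

    require_auth=False models the weakness in the article: the client tolerates
    a peer that declines to re-establish encryption and reads its data anyway.
    """
    challenge = secrets.token_bytes(16)
    proof = peer.key_proof(challenge)
    expected = hmac.new(client_ltk, challenge, hashlib.sha256).digest()
    if proof is not None and hmac.compare_digest(proof, expected):
        return peer.data  # link re-encrypted under the stored key: accept
    if require_auth:
        return None       # hardened client: no key proof, refuse the data
    return peer.data      # lenient client: accepts unauthenticated data


def demo() -> dict:
    """Run the three reconnection cases and return what each client accepted."""
    ltk = secrets.token_bytes(16)
    genuine = Peer(ltk)
    impostor = Peer(None, data=b"heart_rate=0")      # constructed spoofed reading
    wrong_key = Peer(secrets.token_bytes(16), data=b"heart_rate=0")
    return {
        "genuine_strict": reconnect(ltk, genuine, require_auth=True),
        "impostor_lenient": reconnect(ltk, impostor, require_auth=False),
        "impostor_strict": reconnect(ltk, impostor, require_auth=True),
        "wrong_key_strict": reconnect(ltk, wrong_key, require_auth=True),
    }
```

Only the lenient client ends up holding the spoofed reading; the strict client drops both the peer that skips encryption and the peer that fails the key check.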

During their analysis of BLE devices, the team found that the BLE stacks of several operating systems are vulnerable to BLESA attacks, including BlueZ (Linux-based IoT devices), Fluoride (Android), and iOS. The Windows BLE stack, by contrast, was found to be immune to such attacks.

“For instance, we found that the BLE protocol stack used in Linux client devices (e.g., Linux laptops), while following the BLE specification correctly, is susceptible to the identified spoofing attack,” the report said.

“We found a similar implementation issue in the BLE stack used by Android devices and in that used by iOS devices. This issue makes many Android and iOS devices vulnerable to the identified attack.”

While Apple confirmed and fixed the vulnerabilities assigned to CVE-2020-9770 (for iOS and iPadOS 13.4), researchers said that the “Android BLE implementation in our tested device (i.e., Google Pixel XL running Android 10) is still vulnerable.”