Bluetooth reconnection flaw exposes 1 billion BLE devices and 16,000 BLE apps to BLE Spoofing Attacks (BLESA)
A team of researchers has uncovered a new vulnerability in the Bluetooth wireless communication protocol that exposes nearly 1 billion Bluetooth Low Energy (BLE) devices and 16,000 BLE apps. Bluetooth Low Energy (BLE) is the most common Bluetooth protocol used by mobile and IoT devices to communicate with each other. The researchers found that attackers can exploit a reconnection flaw in the BLE protocol to mount BLE Spoofing Attacks (BLESA).
The research team (Yuhong Nan, Vireshwar Kumar, Dave (Jing) Tian, Antonio Bianchi, Mathias Payer, and Dongyan Xu) analyzed BLE and revealed two critical design weaknesses:
- For some BLE devices, the authentication during the device reconnection is optional instead of mandatory.
- For other BLE devices, the authentication can potentially be circumvented if the user's device does not require the IoT device to authenticate the communicated data.
BLE devices use a distinctive pairing process to connect to each other. Once the initial pairing is done, however, reconnections are automatic and happen without the knowledge or consent of the user. Bluetooth devices often move out of range and later move back into range, re-establishing a connection with a previously paired Bluetooth device without any user interaction. The Purdue researchers found a vulnerability in the reconnection procedure for previously paired BLE devices.
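The following Python model is an added illustration, not code from the article or from the Purdue team. It abstracts the BLE link layer: the stored Long Term Key (LTK) from pairing is proven with an HMAC over a fresh nonce (an assumption standing in for the real link re-encryption handshake), and the device addresses, key and characteristic values are constructed for the demo. A central that trusts a bonded address without first requiring an encrypted link accepts data from a peer that never held the LTK; a central that enforces encryption on reconnection rejects it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Peripheral:
    """A BLE server (IoT device). A spoofer reuses a bonded address but holds no LTK."""
    addr: str
    ltk: Optional[bytes]      # None models a device that never took part in pairing
    data: bytes               # characteristic value the central will read

    def prove_ltk(self, nonce: bytes) -> Optional[bytes]:
        # Assumption: HMAC over a nonce stands in for re-encrypting the link with the LTK.
        if self.ltk is None:
            return None       # cannot complete the encryption handshake
        return hmac.new(self.ltk, nonce, hashlib.sha256).digest()


@dataclass
class Central:
    """A BLE client (phone/laptop). enforce_encryption=False is the BLESA-prone behaviour."""
    enforce_encryption: bool = True
    bond_store: dict = field(default_factory=dict)   # addr -> LTK learned at initial pairing

    def pair(self, peer: Peripheral) -> None:
        self.bond_store[peer.addr] = peer.ltk          # user-visible, one-time pairing

    def reconnect_and_read(self, peer: Peripheral) -> Optional[bytes]:
        ltk = self.bond_store.get(peer.addr)
        if ltk is None:
            return None       # unknown device: would need a fresh, user-visible pairing
        nonce = os.urandom(16)
        expected = hmac.new(ltk, nonce, hashlib.sha256).digest()
        proof = peer.prove_ltk(nonce)
        link_encrypted = proof is not None and hmac.compare_digest(proof, expected)
        if not link_encrypted and self.enforce_encryption:
            return None       # hardened: no encrypted link, no trusted attribute data
        return peer.data      # weak path trusts the bonded address alone


def demo() -> tuple:
    ltk = os.urandom(16)                                             # constructed pairing key
    ring = Peripheral("AA:BB:CC:DD:EE:01", ltk, b"heart_rate=62")    # constructed values
    spoofer = Peripheral("AA:BB:CC:DD:EE:01", None, b"heart_rate=250")
    weak, hardened = Central(enforce_encryption=False), Central()
    for central in (weak, hardened):
        central.pair(ring)
    return (weak.reconnect_and_read(spoofer),
            hardened.reconnect_and_read(spoofer),
            hardened.reconnect_and_read(ring))
```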
PoC Video of BLESA attack on Oura Ring fitness tracker
In this video, the Purdue University researchers demonstrate how they could exploit the reconnection vulnerability in BLE devices and conduct a spoofing attack against an Oura Ring fitness tracker.
After discovering the inherent flaw in how BLE reconnects without authentication, the researchers analyzed mainstream BLE stack implementations, including the BLE protocol stacks on Linux, Android, iOS, and Windows. Based on that analysis, the Purdue University researchers conclude that more than 1 billion BLE devices and 16,000 BLE apps could be vulnerable to BLESA. The platforms they tested are listed below.
| Platform | OS and Version | BLE Stack implementation |
|---|---|---|
| Google Pixel XL | Android 8.1, 9, 10 | Fluoride |
| Apple iPhone 8 | iOS 12.1, 12.4, 13.3 | iOS BLE stack |
| Linux Laptop | Ubuntu 18.04 | BlueZ 5.48 |
The researchers say that BLESA could be prevented by updating the BLE specification and the current BLE stack implementations in Linux, Android, and iOS to secure the reconnection procedure. Users should install the most recent firmware and OS versions to apply the security patches that fix the vulnerabilities. Apple has fixed the issue in iOS 13.4 and iPadOS 13.4.