Bluetooth Spoofing Bug Affects Billions of IoT Devices

bleedingbit vulnerability

The ‘BLESA’ flaw affects the reconnection process that occurs when a device moves back into range after losing or dropping its pairing, Purdue researchers said.

A team of academic researchers have discovered a Bluetooth Low Energy (BLE) vulnerability that allows spoofing attacks that could affect the way humans and machines carry out tasks. It potentially impacts billions of Internet of Things (IoT) devices, researchers said, and remains unpatched in Android devices.

The BLE Spoofing Attacks (BLESA) flaw arises from authentication issues in the process of device reconnection — an area often overlooked by security experts. Reconnections occur after two devices are connected and then one moves out of range (or disconnects) and then connects again, according to a paper published recently by researchers at Purdue University. Reconnections are common in industrial IoT environments, for example, where sensors may periodically connect to a server to transmit telemetry data, for instance, before disconnecting and going into monitoring mode.

A successful BLESA attack allows bad actors to connect with a device (by getting around reconnection authentication requirements) and send spoofed data to it. In the case of IoT devices, those malicious packets can convince machines to carry out different or new behavior. For humans, attackers could feed a device deceptive information.

The vulnerability is particularly significant due to the ubiquity of the BLE protocol which, because of its energy efficiency and simplicity of use, is used by billions of devices to pair and connect, said the team—comprised of researchers Jianliang Wu, Yuhong, Vireshwar, Dave (Jing) Tian, Antonio Bianchi, Mathias Payer and Dongyan Xu.

Threatpost Webinar Promo Bug Bounty

Click to register.

“To ease its adoption, BLE requires limited or no user interaction to establish a connection between two devices,” researchers wrote. “Unfortunately, this simplicity is the root cause of several security issues.”

The paper describes the ease with which an attacker can launch a BLESA attack: A threat actor, upon discovering the server to which a BLE-enabled device is connected, also pairs with it to it to obtain its attributes. This is easy because the BLE protocol is designed to allow any device to connect with another BLE device to get this info, researchers wrote.

BLE further facilitates access for an attack because its advertising packets are always transmitted in plain-text, so an attacker can easily impersonate the benign server by advertising the same packets and cloning its MAC address, they said.

In an attack’s next phase, the threat actor starts broadcasting spoofed advertising packets to ensure that whenever the client attempts to start a new session with the previously-paired server, it receives the spoofed advertising packets, researchers explained.

“At this point, the adversary is ready to launch BLESA against the client,” they wrote.

The paper focuses on two critical weaknesses in the BLE spec that allow for BLESA attacks. One of the issues occurs if the authentication during the device reconnection is marked as optional instead of mandatory. “The client and the server may choose to disable [authentication] for a specific attribute,” researchers wrote. “Therefore, in the case of the basic attribute, the confidentiality, integrity and authenticity goals of the attribute-access request and response can be violated.”

The other weakness arises because the specification provides two possible authentication procedures when the client reconnects with the server after pairing, meaning that authentication can potentially be circumvented, said researchers, who describe both types of attacks in detail in the paper.

Attackers can use BLESA on BLE implementations on Linux, Android and iOS platforms, researchers said. Specifically, Linux-based BlueZ IoT devices, Android-based Fluoride and the iOS BLE stack are all vulnerable, while Windows implementations of BLE remain unaffected, they said.

Researchers contacted Apple, Google and the BlueZ team about the vulnerabilities, with Apple assigning CVE-2020-9770 to the flaw and fixing it in June, they noted. However, “the Android BLE implementation in our tested device (i.e., Google Pixel XL running Android 10) is still vulnerable,” they said.

The BlueZ development team said it would replace the code that opens its devices to BLESA attacks with code that uses proper BLE reconnection procedures that aren’t susceptible to attacks, according to researchers.

This is the second major bug found in Bluetooth this month. Last week, the “BLURtooth” flaw was announced, which allows attackers within wireless range to bypass authentication keys and snoop on devices in man-in-the-middle attacks.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.



Suggested articles