A vulnerability has been discovered in the Bluetooth Low Energy (BLE) reconnection process that could be exploited by an attacker to bypass the reconnection authentication requirements and send spoofed data to a device.
The BLE protocol is a slimline version of standard Bluetooth that was developed to keep Bluetooth connections active while conserving battery power. Due to the low power requirements, BLE has proven popular with developers and is used in many different battery-powered devices. Any vulnerability in BLE has potential to affect billions of devices, including Internet of Things (IoT) devices and smartphones.
The flaw was discovered by academic researchers who were studying the reconnection process with BLE. The issues are due to authentication irregularities that occur during device reconnection. When two devices are connected via BLE, and the devices move out of range, the connection is lost. When the device come back into range, they reconnect. During the reconnection process, the two devices should check the cryptographic keys that were negotiated when the devices first connected.
The researchers found that the official BLE specification did not contain sufficiently strong language to describe the reconnection process, which has resulted in two issues with BLE software implementations. First, during reconnection, authentication is optional and not mandatory. Second, authentication can be circumvented if a device fails to enforce the IoT device to authenticate the communicated data.
The researchers explain how the issues could be exploited in a BLE Spoofing Attack (BLESA). In order to exploit the flaw, an attacker would need to be within range of a BLE device. The attacker could then bypass the authentication process and send spoofed data to the BLE device. The spoofed data could convince the BLE device to change its behavior or convince the user of the device to take certain actions. Unfortunately, it is a relatively easy process to exploit the flaw and an attacker could easily trigger a denial of service to force a device to disconnect, allowing them to trigger a reconnection on demand.
A BLESA attack could not be conducted on Windows devices due to Microsoft’s implementation of BLE; however the researchers confirmed that the flaw affects Android devices, and also BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack. Apple released an update in June 2020 to correct the flaw, but Android devices have yet to be patched. BlueZ said it is depreciating the code that permits BLESA attacks and will be implementing a proper reconnection procedure to prevent BLESA attacks.
Users of these devices can do little to prevent attacks and many IoT devices will remain susceptible to a BLESA attack as they have no in-built update mechanism.