A ‘BLESA’ flaw is affecting the re-connection process that occurs when a device moves back into range after losing or dropping its pairing, Purdue researchers have cautioned.
Academic researchers have found a Bluetooth Low Energy (BLE) vulnerability that enables spoofing attacks that could affect the way humans & machines carry out tasks. It potentially impacts billions of Internet of Things (IoT) devices, researchers explained, & remains unpatched in Android devices.
The BLE Spoofing Attacks (BLESA) flaw arises from authentication issues in the process of device re-connection. This is an area often overlooked by security experts. Re-connections occur after 2 devices are connected & then 1 moves out of range or disconnects & then connects again, according to a paper published recently by Purdue University researchers.
Re-connections are common in industrial IoT environments, where sensors may periodically connect to a server to transmit telemetry data, for instance, before disconnecting & going into monitoring mode.
A successful BLESA attack allows bad actors to connect with a device (by getting around re-connection authentication requirements) & send spoofed data to it. In the case of IoT devices, those malicious packets can convince machines to carry out different or new behaviour. For humans, attackers could feed a device deceptive information.
The vulnerability is particularly significant due to the wide use of the BLE protocol which, because of its energy efficiency & simplicity of use, is used by billions of devices to pair & connect, said the team – comprised of researchers Jianliang Wu, Yuhong, Vireshwar, Dave (Jing) Tian, Antonio Bianchi, Mathias Payer & Dongyan Xu.
“To ease its adoption, BLE requires limited or no user interaction to establish a connection between 2 devices,” researchers wrote. “Unfortunately, this simplicity is the root cause of several security issues.”
The paper shows the ease with which an attacker can launch a BLESA attack: A threat actor, on discovering the server to which a BLE-enabled device is connected, also pairs with it to obtain its attributes.
This is simple because the BLE protocol is designed to allow any device to connect with another BLE device to get this info, researchers explained.
BLE further facilitates access for an attack because its advertising packets are always transmitted in plain text, so an attacker can easily impersonate the benign server by advertising the same packets & cloning its MAC address, they observed.
In an attack’s next phase, the threat actor starts broadcasting spoofed advertising packets to ensure that whenever the client attempts to start a new session with the previously paired server, it receives the spoofed advertising packets, researchers outlined.
“At this point, the adversary is ready to launch BLESA against the client,” they wrote.
The paper focuses on 2 critical weaknesses in the BLE spec that allow for BLESA attacks. One of the issues occurs if the authentication during the device re-connection is marked as optional instead of mandatory. “The client & the server may choose to disable authentication for a specific attribute,” researchers described. “Therefore, in the case of the basic attribute, the confidentiality, integrity & authenticity goals of the attribute-access request & response can be violated.”
The other weakness arises because the specification provides 2 possible authentication procedures when the client reconnects with the server after pairing, meaning that authentication can potentially be circumvented, said researchers, who describe both types of attacks in detail in the paper.
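The two weaknesses above come down to a policy question on the client side: on re-connection, does the client insist on encrypting the link with the key it stored at pairing before reading anything, or does it read in plaintext and only turn encryption on if the server complains? The following Python model is an added illustration, not code from the Purdue paper or from any BLE stack. It uses a constructed "genuine" peripheral that holds the bonded long-term key and an "impersonator" that advertises the same address but has no key; an HMAC challenge stands in for the real link-layer encryption procedure, and all names, handles, addresses and values are invented for the example.

```python
"""Toy model of BLE re-connection policy: reactive vs. proactive authentication.

Added example; not from the paper or any real BLE stack. The HMAC challenge
is a stand-in for link-layer encryption start using the bonded LTK.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


class InsufficientAuthentication(Exception):
    """Constructed stand-in for the ATT 'Insufficient Authentication' error."""


class AuthenticationFailure(Exception):
    """Raised when the link cannot be encrypted with the stored bond key."""


@dataclass
class Bond:
    """What a central remembers after pairing: peer address and long-term key (LTK)."""
    mac: str
    ltk: bytes


@dataclass
class Peripheral:
    """Toy attribute server. A genuine peripheral holds the LTK; an impersonator does not."""
    mac: str
    ltk: bytes | None
    attrs: dict[int, bytes]
    requires_auth: bool = True

    def start_encryption(self, nonce: bytes) -> bytes | None:
        """Prove possession of the LTK; an impersonator cannot complete this step."""
        if self.ltk is None:
            return None
        return hmac.new(self.ltk, nonce, hashlib.sha256).digest()

    def read(self, handle: int, link_encrypted: bool) -> bytes:
        """Serve an attribute read; a well-behaved server demands an encrypted link."""
        if self.requires_auth and not link_encrypted:
            raise InsufficientAuthentication(f"handle 0x{handle:04x}")
        return self.attrs[handle]


class Central:
    """Toy client holding one bond, with two re-connection policies."""

    def __init__(self, bond: Bond) -> None:
        self.bond = bond

    def _encrypt_link(self, peer: Peripheral) -> bool:
        """Challenge the peer to prove it holds the bonded LTK (constant-time compare)."""
        nonce = os.urandom(16)
        proof = peer.start_encryption(nonce)
        expected = hmac.new(self.bond.ltk, nonce, hashlib.sha256).digest()
        return proof is not None and hmac.compare_digest(proof, expected)

    def reconnect_reactive(self, peer: Peripheral, handle: int) -> tuple[str, bytes]:
        """Weak policy: read in plaintext first, encrypt only if the server objects.
        A spoofed server that never objects gets its data accepted unauthenticated."""
        if peer.mac != self.bond.mac:
            raise AuthenticationFailure("unknown address")
        try:
            return ("plaintext", peer.read(handle, link_encrypted=False))
        except InsufficientAuthentication:
            if not self._encrypt_link(peer):
                raise AuthenticationFailure("encryption failed")
            return ("encrypted", peer.read(handle, link_encrypted=True))

    def reconnect_proactive(self, peer: Peripheral, handle: int) -> tuple[str, bytes]:
        """Hardened policy: require encryption with the bonded key before any read."""
        if peer.mac != self.bond.mac or not self._encrypt_link(peer):
            raise AuthenticationFailure("peer could not prove the bonded LTK")
        return ("encrypted", peer.read(handle, link_encrypted=True))


# Constructed sample: a bonded sensor and an impersonator cloning its address.
LTK = bytes.fromhex("00112233445566778899aabbccddeeff")
SENSOR_MAC = "AA:BB:CC:DD:EE:01"
TEMP_HANDLE = 0x0025
GENUINE = Peripheral(SENSOR_MAC, LTK, {TEMP_HANDLE: b"21.5C"})
IMPERSONATOR = Peripheral(SENSOR_MAC, None, {TEMP_HANDLE: b"99.9C"}, requires_auth=False)


def run_scenarios() -> dict[str, object]:
    """Exercise both policies against both peripherals and collect the outcomes."""
    central = Central(Bond(SENSOR_MAC, LTK))
    results: dict[str, object] = {}
    for peer_name, peer in (("genuine", GENUINE), ("impersonator", IMPERSONATOR)):
        for policy in ("reactive", "proactive"):
            method = getattr(central, f"reconnect_{policy}")
            try:
                results[f"{policy}/{peer_name}"] = method(peer, TEMP_HANDLE)
            except AuthenticationFailure as exc:
                results[f"{policy}/{peer_name}"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24} -> {outcome}")
```

Against the genuine sensor both policies end up reading over an encrypted link, so the proactive policy costs nothing in the normal case. Against the impersonator, the reactive policy returns the spoofed reading as if it were real, because the impersonator simply never raises the error that would have prompted encryption; the proactive policy rejects it because a cloned address is not proof of the bonded key. The fix the BlueZ team describes in the article, switching to proper re-connection procedures, corresponds to moving from the first policy to the second.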
Attackers can use BLESA on BLE implementations on Linux, Android & iOS platforms, researchers explained. Specifically, Linux-based BlueZ IoT devices, Android-based Fluoride & the iOS BLE stack are all vulnerable, while Windows implementations of BLE remain unaffected, they went on to say.
Researchers contacted Apple, Google & the BlueZ team about the vulnerabilities, with Apple assigning CVE-2020-9770 to the flaw, & fixing it in June, they noted. However, “the Android BLE implementation in our tested device (i.e., Google Pixel XL running Android 10) is still vulnerable,” they further cautioned.
The BlueZ development team said it would replace the code that opens its devices to BLESA attacks with code that uses proper BLE re-connection procedures that are not susceptible to attacks, according to researchers.
This is the 2nd major bug found in Bluetooth this month. Last week, the “BLURtooth” flaw was announced, which allows attackers within wireless range to bypass authentication keys & spy on devices in man-in-the-middle attacks.