Security Researchers Warn of BLESA Vulnerability — Bluetooth Low Energy Spoofing Attacks

Critical security weaknesses in the Bluetooth Low Energy specification itself leave previously paired devices open to spoofing and data-injection attacks.

Valid battery status messages from a BLE device, left, can be spoofed using BLESA, right. (Image: Wu et al.)

Security researchers at Purdue University and the École polytechnique fédérale de Lausanne (EPFL) have warned of a new security vulnerability affecting Bluetooth Low Energy (BLE) devices: BLE Spoofing Attacks (BLESA).

"The Bluetooth Low Energy (BLE) protocol ubiquitously enables energy-efficient wireless communication among resource-constrained devices. To ease its adoption, BLE requires limited or no user interaction to establish a connection between two devices. Unfortunately, this simplicity is the root cause of several security issues," the researchers warn. "We analyze the security of the BLE link-layer, focusing on the scenario in which two previously-connected devices reconnect. Based on a formal analysis of the reconnection procedure defined by the BLE specification, we highlight two critical security weaknesses in the specification. As a result, even a device implementing the BLE protocol correctly may be vulnerable to spoofing attacks."

"To demonstrate these design weaknesses, and further study their security implications, we develop BLE Spoofing Attacks (BLESA). These attacks enable an attacker to impersonate a BLE device and to provide spoofed data to another previously-paired device. BLESA can be easily carried out against some implementations of the BLE protocol, such as the one used in Linux. Additionally, for the BLE stack implementations used by Android and iOS, we found a logic bug enabling BLESA. We reported this security issue to the affected parties (Google and Apple), and they acknowledged our findings."

The work was presented at the 14th USENIX Workshop on Offensive Technologies (WOOT '20). The attacks it describes require an adversary who can eavesdrop on, intercept, and modify legitimate messages and inject new messages into the communication stream, but who does not hold the cryptographic key that is supposed to prevent exactly that interception, modification, and injection.
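The scenario the abstract describes, two previously paired devices reconnecting while an attacker who never took part in pairing impersonates one of them, can be sketched as a small simulation. The following is an added example written for this article, not the researchers' code and not a real BLE stack: the message names borrow the link-layer and ATT vocabulary, but the framing, the toy session-key derivation, the `mic` helper, the fixed LTK and the battery values are all assumptions made for illustration. It contrasts a lenient client that consumes whatever the reconnected peer sends with a strict client that refuses attribute data until the link is encrypted under the key stored at pairing.

```python
"""Toy simulation of a BLE reconnection with and without enforced encryption.

Constructed example: not the BLESA authors' code and not a real BLE stack.
The PDU names echo BLE vocabulary; everything else is an assumption.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: a bonded battery sensor and the LTK agreed at pairing.
SENSOR_ADDR = "AA:BB:CC:DD:EE:01"
LTK = bytes(range(16))  # fixed so the run is reproducible; a real LTK is random


def session_key(ltk: bytes, skd: bytes) -> bytes:
    """Toy stand-in for the LE session-key derivation (an assumption)."""
    return hmac.new(ltk, skd, hashlib.sha256).digest()[:16]


def mic(key: bytes, payload: bytes) -> bytes:
    """Toy stand-in for the per-PDU integrity tag on encrypted LL traffic."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:4]


@dataclass
class Peripheral:
    """Answers a battery-level read. ltk=None models an attacker that uses the
    sensor's address but never took part in pairing, so it has no key."""
    addr: str
    battery_level: int
    ltk: Optional[bytes] = None
    _sk: Optional[bytes] = None

    def handle(self, pdu: dict) -> dict:
        if pdu["type"] == "LL_ENC_REQ":
            if self.ltk is None:
                # Without the LTK the spoofer cannot start encryption; all it
                # can do is refuse and hope the client keeps talking in clear.
                return {"type": "LL_REJECT_IND", "reason": "key missing"}
            self._sk = session_key(self.ltk, pdu["skd"])
            return {"type": "LL_START_ENC_RSP",
                    "mic": mic(self._sk, b"LL_START_ENC_RSP")}
        if pdu["type"] == "ATT_READ_REQ":
            value = bytes([self.battery_level])
            rsp = {"type": "ATT_READ_RSP", "value": value}
            if self._sk is not None:
                rsp["mic"] = mic(self._sk, value)
            return rsp
        raise ValueError(f"unexpected PDU {pdu['type']}")


def reconnect_and_read(peer: Peripheral, ltk: bytes,
                       enforce_encryption: bool) -> tuple:
    """Central side of a reconnection to a bonded address.

    enforce_encryption=False: the client trusts the address it reconnected to
    and accepts plaintext attribute data (the behaviour spoofing relies on).
    enforce_encryption=True: the client starts encryption with the stored LTK
    first and treats a refusal or a bad proof as fatal.
    """
    sk = None
    if enforce_encryption:
        skd = os.urandom(8)  # fresh per-connection nonce (assumed framing)
        rsp = peer.handle({"type": "LL_ENC_REQ", "skd": skd})
        if rsp["type"] != "LL_START_ENC_RSP":
            return ("rejected", f"encryption refused: {rsp.get('reason')}")
        sk = session_key(ltk, skd)
        if not hmac.compare_digest(rsp["mic"], mic(sk, b"LL_START_ENC_RSP")):
            return ("rejected", "peer could not prove knowledge of the LTK")
    rsp = peer.handle({"type": "ATT_READ_REQ", "handle": 0x0010})
    if sk is not None and not hmac.compare_digest(
            rsp.get("mic", b""), mic(sk, rsp["value"])):
        return ("rejected", "bad integrity tag on attribute data")
    return ("accepted", rsp["value"][0])


def demo() -> dict:
    """Run {sensor, spoofer} x {lenient, strict}; keys are (device, policy)."""
    results = {}
    for policy, strict in (("lenient", False), ("strict", True)):
        sensor = Peripheral(SENSOR_ADDR, battery_level=12, ltk=LTK)
        spoofer = Peripheral(SENSOR_ADDR, battery_level=100, ltk=None)
        results[("sensor", policy)] = reconnect_and_read(sensor, LTK, strict)
        results[("spoofer", policy)] = reconnect_and_read(spoofer, LTK, strict)
    return results


if __name__ == "__main__":
    for (device, policy), outcome in demo().items():
        print(f"{device:8} {policy:8} -> {outcome}")
```

The lenient client reports the spoofer's fabricated 100% battery level as readily as the genuine 12%, which is the effect shown in the figure above; the strict client only ever accepts data from a peer that can complete encryption with the pairing-time key, and the spoofer, holding no key, is dropped before any attribute data is consumed.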

The presentation is available on the USENIX YouTube channel, while the team's paper is available to download as a PDF under open-access terms.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.