A flaw in Bluetooth devices has left billions of devices, mostly Android smartphones, vulnerable to attackers who can access them without proper authorization, researchers discovered.
Researchers from Purdue University in Indiana have published a report on a flaw named BLESA—Bluetooth Low Energy Spoofing Attack—that affects Android smartphone and tablet devices, Linux computers and servers, and wearable and smart devices that run on similar platforms.
iOS devices such as iPhones and iPads were also exposed to the same vulnerability. However, Apple has already taken precautions against the flaw with the iOS 13.4 and iPadOS 13.4 patches released in March.
Additionally, tech news and review site Tom's Guide reported that, according to BLESA study lead researcher Jianliang Wu, Windows devices are not vulnerable to the flaw. However, the researchers were not able to test macOS against BLESA.
Exploiting Vulnerabilities in the Bluetooth Low Energy Protocol
The report from Purdue University demonstrated the design weaknesses in the Bluetooth Low Energy (BLE) protocol by creating scenarios that enable BLESA. These scenarios targeted certain BLE stack implementations, first on Linux devices and later on Android and iOS.
The researchers estimated the market value of potentially compromised devices at $4.55 billion in 2016, projected to grow to $5.34 billion by 2023.
BLE devices, like smartphones, rely on pairing the first time they connect with each other. After pairing, reconnection between the two devices is usually transparent to the user. Purdue researchers identified this situation as the source of the vulnerability; their inquiry focuses on the automated reconnection between previously paired devices.
"We strived to investigate the reconnection procedure for potential security flaws. In our research, we first theoretically analyzed the reconnection procedure by carrying out the formal verification of the connection procedures proposed in the most recent BLE specification," Wu said.
The most critical design flaws in the BLE protocol are: (1) authentication during reconnection of paired devices is only optional, not mandatory; and (2) the authentication can potentially be bypassed when the user's device fails to require the IoT device to authenticate the data it sends.
To test the design flaws in actual devices, researchers looked into BLE stack implementations, including BLE protocol stacks in Linux, Windows, iOS, and Android devices. Only Windows devices did not exhibit a vulnerability to the flaw.
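As an added illustration, not code from the Purdue paper or from any real BLE stack, the following Python model shows the second design flaw: a user's device (the central) that does not insist on re-encrypting the link with the stored pairing key before accepting attribute data will also take data from a peer that never proved it holds that key. The HMAC challenge/response stands in for the real link-layer encryption setup, and the names `Peer`, `Central` and `simulate` are invented.

```python
from dataclasses import dataclass
import hashlib
import hmac
from typing import Optional

@dataclass
class Peer:
    """A peripheral trying to reconnect. ltk is None when it holds no key."""
    name: str
    ltk: Optional[bytes]

    def prove_key(self, challenge: bytes) -> Optional[bytes]:
        # A genuinely paired peer can answer the challenge with the shared LTK;
        # a peer without the key cannot, so encryption is never established.
        if self.ltk is None:
            return None
        return hmac.new(self.ltk, challenge, hashlib.sha256).digest()

@dataclass
class Central:
    """The user's device. enforce_encryption models whether it requires the
    link to be re-encrypted with the stored key before trusting any data."""
    stored_ltk: bytes
    enforce_encryption: bool
    encrypted: bool = False

    def reconnect(self, peer: Peer, challenge: bytes) -> None:
        proof = peer.prove_key(challenge)
        expected = hmac.new(self.stored_ltk, challenge, hashlib.sha256).digest()
        self.encrypted = proof is not None and hmac.compare_digest(proof, expected)

    def receive_attribute(self, value: bytes) -> bool:
        # Flaw (2): a client that does not enforce encryption accepts attribute
        # data over the plaintext link, so a spoofed peer's data gets through.
        if self.enforce_encryption and not self.encrypted:
            return False
        return True

def simulate(enforce: bool) -> dict:
    """Reconnect a paired sensor and an impostor; report whose data was accepted."""
    ltk = b"\x11" * 16                      # constructed pairing key
    challenge = b"constructed-nonce"        # constructed per-connection challenge
    central = Central(stored_ltk=ltk, enforce_encryption=enforce)
    outcome = {}
    for peer in (Peer("paired-sensor", ltk), Peer("spoofer", None)):
        central.reconnect(peer, challenge)
        outcome[peer.name] = central.receive_attribute(b"temp=21C")
    return outcome
```

Running `simulate(False)` models the lenient client, which accepts the spoofer's data; `simulate(True)` models the patched behaviour, which only accepts data from the peer that proved possession of the key.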
Working Against the Potentially Massive Flaw
Purdue University researchers have reported the results of their studies to both Google and Apple, developers of Android and iOS devices, respectively. Both tech giants confirmed the flaw, with Apple assigning the identification CVE-2020-9770, while Google tagged it as CVE-2019-2225. The researchers' findings were also presented at the recent 14th USENIX Workshop on Offensive Technologies (WOOT) last August.
"Specifically, the design weakness and vulnerabilities allow the attacker to bypass the authentication in BLE reconnections, which can lead to spoofing attacks against the user's devices," Wu explained. He added that the attacker could impersonate all IoT device data not protected by additional app-level authentication.
Users can protect themselves against BLESA by updating their device firmware to the latest version, which includes the security patches that block the flaw. These updates also bring the revised BLE specification behaviour and the patched stack implementations.