Bluetooth is currently used in many IoT devices; however, recent research has shown that a flaw in the common “Bluetooth reconnection” procedure can lead to a spoofing attack.
This vulnerability was discovered by a group of researchers at Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS), and it affects many IoT devices that use Bluetooth.
The vulnerability was found primarily in Bluetooth Low Energy, also known as BLE.
What is Bluetooth Low Energy (BLE)?
Bluetooth Low Energy is a power-saving variant of the Bluetooth Personal Area Network (PAN) technology, introduced in Bluetooth 4.0. It is the most widely used low-energy communication protocol in smartphones and IoT devices.
As with classic Bluetooth, BLE devices need to be paired. Pairing is a necessary step: the two devices establish trust with each other when they connect for the first time. After that, pairing is not needed again unless one device is removed from the other’s paired list; in other words, as long as the devices remain in each other’s paired lists they can reconnect without any further interaction.
Bluetooth devices also get disconnected when they move out of range, because the range of Bluetooth is limited. Once back in range, the devices re-establish the connection with each other without any problems. The researchers at Purdue University targeted this “reconnection procedure” that takes place between two paired devices.
When two devices move out of range they get disconnected, and once they are back in range they re-establish the existing connection by reconnecting with each other. When this happens, no notification is sent to the user’s phone or device.
Unless the user is looking at the Bluetooth settings, they will not notice the reconnection until the Bluetooth icon appears, so the researchers decided to study this entire process.
In their study they found two critical weaknesses in the design of BLE:
- For some BLE devices, authentication during reconnection is optional rather than mandatory.
- For other BLE devices, it is possible to work around the authentication process and bypass it completely if the user’s device fails to enforce that the IoT device authenticate the communication.
The researchers also analyzed mainstream BLE stack implementations, including the protocol stacks on Android, iOS and Linux, to see whether real-world devices are vulnerable to this flaw. Three of the tested devices were found to be vulnerable.
The impact of this Bluetooth Reconnection flaw
The impact of this vulnerability on mainstream platforms is huge: a recent study found that more than 1 billion BLE devices do not use “application layer” security, which could have provided a second line of defense against this vulnerability. In addition, more than 6,000 Android and iOS apps with BLE functionality read the data transmitted from BLE devices in plaintext rather than in encrypted form.
The researchers reported this to Apple and Google, and both companies confirmed and verified the findings. Apple assigned CVE-2020-9770 to the vulnerability and fixed the issue in iOS 13.4 and iPadOS 13.4.
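The two design weaknesses listed above (a client that accepts data from a reconnected peer whose link was never encrypted) and the missing application-layer security are easiest to see side by side in a small model. The following Python is an added example written for this page; it is not code from the Purdue researchers or from any BLE stack. It does not talk to real hardware: the bond, addresses, keys and sensor readings are constructed values, and the `reconnect` function stands in for the link-layer encryption procedure, succeeding only when the peer presents the long-term key (LTK) from the original pairing. A lenient client (`enforce_encryption=False`) models the weakness; an enforcing client refuses plaintext data, and an HMAC tag on each reading models the application-layer second line of defense that the page says most devices lack.

```python
"""Defender-side model of the BLE reconnection weakness and the application-layer
second line of defense. Constructed simulation for illustration only: it does not
talk to a real BLE stack, and the keys and addresses below are made up."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bond:
    """What a central (phone) keeps after pairing: peer address and long-term key."""
    peer_addr: str
    ltk: bytes


@dataclass(frozen=True)
class Link:
    """State of a re-established connection with a bonded peer."""
    peer_addr: str
    encrypted: bool  # True only when LTK-based link encryption completed


class LinkNotAuthenticated(Exception):
    """Raised by an enforcing client that refuses data over a plaintext reconnection."""


def reconnect(bond: Bond, peer_addr: str, peer_ltk: Optional[bytes]) -> Link:
    """Model reconnection to a bonded address (hypothetical helper, not a stack API).

    Link encryption succeeds only when the peer presents the LTK from pairing.
    A device that merely shows up with the bonded address and never completes
    encryption ends up on an unencrypted link; whether the central accepts data
    on that link is the design weakness the article describes.
    """
    if peer_addr != bond.peer_addr:
        raise ValueError("no bond for this peer address")
    encrypted = peer_ltk is not None and hmac.compare_digest(peer_ltk, bond.ltk)
    return Link(peer_addr, encrypted)


def read_attribute(link: Link, value: bytes, enforce_encryption: bool) -> bytes:
    """Central-side characteristic read after reconnection.

    enforce_encryption=False models a client that takes whatever the link carries.
    enforce_encryption=True models the fix: refuse until encryption is established.
    """
    if enforce_encryption and not link.encrypted:
        raise LinkNotAuthenticated(f"plaintext data from {link.peer_addr} refused")
    return value


def app_layer_tag(app_key: bytes, payload: bytes) -> bytes:
    """Application-layer MAC a genuine peripheral attaches to each reading."""
    return hmac.new(app_key, payload, hashlib.sha256).digest()


def accept_reading(bond: Bond, peer_addr: str, peer_ltk: Optional[bytes],
                   payload: bytes, tag: Optional[bytes],
                   enforce_encryption: bool, app_key: Optional[bytes] = None) -> bool:
    """Full decision: does the central accept this reading as genuine?"""
    link = reconnect(bond, peer_addr, peer_ltk)
    try:
        data = read_attribute(link, payload, enforce_encryption)
    except LinkNotAuthenticated:
        return False
    if app_key is None:  # no application-layer security deployed
        return True
    if tag is None:      # app-layer security expected but no tag supplied
        return False
    return hmac.compare_digest(app_layer_tag(app_key, data), tag)


# Constructed sample values (not real keys, addresses or devices).
SENSOR_ADDR = "AA:BB:CC:DD:EE:FF"
GENUINE_LTK = bytes(range(16))
APP_KEY = b"constructed-application-layer-key"
BOND = Bond(SENSOR_ADDR, GENUINE_LTK)
GENUINE_READING = b"glucose=95"
UNTRUSTED_READING = b"glucose=40"  # arrives over a link that never encrypted

if __name__ == "__main__":
    genuine_tag = app_layer_tag(APP_KEY, GENUINE_READING)
    print("genuine peer, lenient client      :",
          accept_reading(BOND, SENSOR_ADDR, GENUINE_LTK, GENUINE_READING, None, False))
    print("no LTK, lenient client            :",
          accept_reading(BOND, SENSOR_ADDR, None, UNTRUSTED_READING, None, False))
    print("no LTK, enforcing client          :",
          accept_reading(BOND, SENSOR_ADDR, None, UNTRUSTED_READING, None, True))
    print("no LTK, lenient client + app MAC  :",
          accept_reading(BOND, SENSOR_ADDR, None, UNTRUSTED_READING, None, False, APP_KEY))
    print("genuine peer, enforcing + app MAC :",
          accept_reading(BOND, SENSOR_ADDR, GENUINE_LTK, GENUINE_READING, genuine_tag, True, APP_KEY))
```

The second line of the demo is the flaw in one line: a lenient client with no application-layer check accepts a reading from a peer that never proved it holds the pairing key. Either fix alone (enforcing encryption at reconnect, or verifying an application-layer MAC) rejects it, which is why the page treats application-layer security as a second line of defense rather than a replacement for a patched stack.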
Platforms, OS versions and BLE stack implementations tested
| Platform | OS and version | BLE stack implementation |
|---|---|---|
| Google Pixel XL | Android 8.1, 9, 10 | Fluoride |
| Apple iPhone 8 | iOS 12.1, 12.4, 13.3 | iOS BLE stack |
| Linux laptop | Ubuntu 18.04 | BlueZ 5.48 |
Final takeaways and preventive measures
The weakness is in the design itself. Because of it, an attacker can bypass authentication in the BLE reconnection procedure and launch a spoofing attack on the user; the attacker can also easily impersonate the data of any IoT device that is not protected by “application layer” security.
The researchers have published a demo video on the official page hosted by Purdue University. If you are interested, you can check the demo video: Pursec Lab Purdue University.
The preventive measure you can take to protect your devices and computer is to install the firmware updates that patch the vulnerability, since those updates also bring the updated BLE specification support and BLE stack implementations. In short, keep your Linux, Android and iOS versions up to date.