Bluetooth hacks are not new, but researchers have found a completely new angle of attack on the protocol, one that has left billions of devices vulnerable to being hacked.
A team of security researchers at Purdue University has discovered a weakness in how devices authenticate when re-establishing a Bluetooth LE connection.
The Purdue research team said the official BLE specification is not strict enough in describing the reconnection process, which introduces the following weaknesses:
- The authentication during the device reconnection is optional instead of mandatory.
- The authentication can potentially be circumvented if the user's device fails to require the IoT device to authenticate the data it sends.
This means an attacker can force a disconnect (e.g. via interference), bypass the reconnection checks, and send spoofed, incorrect data to a BLE device.
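To make the two weaknesses concrete, here is an added example (not from the Purdue paper or from any real BLE stack) that models a client's reconnection policy in Python: a permissive client accepts attribute data from a peer that reconnected without re-establishing encryption with the stored bonding key, while a strict client requires the link to be encrypted with that key before any data reaches the application. The event names, the bonding table and the key comparison are simplified assumptions, not the actual Link Layer or SMP procedures.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed bonding table: peer address -> long-term key stored at first pairing.
BONDED_LTK = {"AA:BB:CC:DD:EE:01": b"\x11" * 16}


@dataclass
class Event:
    kind: str                    # "connect", "encrypt" or "attr_data" (assumed names)
    peer: str
    ltk: Optional[bytes] = None  # key offered when the link is encrypted
    payload: bytes = b""


@dataclass
class Client:
    require_reauth: bool                            # strict (True) vs permissive (False)
    encrypted: dict = field(default_factory=dict)   # peer -> link encrypted with bonded LTK?
    accepted: list = field(default_factory=list)    # attribute data passed to the app layer
    rejected: list = field(default_factory=list)    # attribute data dropped by the policy

    def handle(self, ev: Event) -> None:
        if ev.kind == "connect":
            self.encrypted[ev.peer] = False   # every fresh link starts unauthenticated
        elif ev.kind == "encrypt":
            self.encrypted[ev.peer] = ev.ltk == BONDED_LTK.get(ev.peer)
        elif ev.kind == "attr_data":
            if self.require_reauth and not self.encrypted.get(ev.peer, False):
                self.rejected.append(ev.payload)
            else:
                self.accepted.append(ev.payload)


def run(events, require_reauth: bool):
    """Replay a trace through a client and return (accepted, rejected) payloads."""
    client = Client(require_reauth)
    for ev in events:
        client.handle(ev)
    return client.accepted, client.rejected


# Constructed trace: a legitimate encrypted session, the link drops, then a peer using
# the same address reconnects and pushes data without re-establishing encryption.
PEER = "AA:BB:CC:DD:EE:01"
TRACE = [
    Event("connect", PEER),
    Event("encrypt", PEER, ltk=BONDED_LTK[PEER]),
    Event("attr_data", PEER, payload=b"temp=21"),
    Event("connect", PEER),                          # reconnection after the drop
    Event("attr_data", PEER, payload=b"temp=99"),    # unauthenticated data on the new link
]
```

Running `run(TRACE, False)` shows the permissive client accepting both readings, while `run(TRACE, True)` accepts only the reading from the authenticated session and drops the one sent after the unverified reconnection.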
Researchers found that BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack were all vulnerable to BLESA attacks, while the BLE stack in Windows devices was immune.
Apple has already released a fix but billions of Android handsets are still vulnerable.
“As of June 2020, while Apple has assigned the CVE-2020-9770 to the vulnerability and fixed it, the Android BLE implementation in our tested device (i.e., Google Pixel XL running Android 10) is still vulnerable,” researchers said in a paper published last month.
Many IoT devices are not designed to be updated and may remain vulnerable forever.
See the hack demoed below: