Shunlongwei Co. ltd.

IGBT Module / LCD Display Distributor

Bluetooth spoofing flaw affects billions of IoT devices

Posted on: 04/25/2022

A Purdue University research team has discovered a Bluetooth Low Energy (BLE) vulnerability, BLESA, that can be used to launch spoofing attacks that affect the way humans and machines perform tasks. The vulnerability could affect billions of Internet of Things (IoT) devices and remains unpatched in Android devices, the researchers said.

The BLE Spoofing Attack (BLESA) flaw stems from authentication issues that occur during the reconnection process after a device goes offline, an area that is often overlooked by security experts. Reconnection is common in industrial IoT environments, where sensors can periodically connect to a server to transmit telemetry data, for example, before disconnecting and entering monitoring mode.

A successful BLESA attack allows an attacker to connect to the device (by bypassing the authentication requirement on reconnection) and send it spoofed data. For IoT devices, these malicious packets can trick machines into performing new actions. For human users, attackers can feed spoofed readings or status information to the device they are relying on.

The team, consisting of researchers Wu Jianliang (transliteration), Yu Hong (transliteration), Vireshwar, Tian Dafu (Jing) Tian, Antonio Bianchi, Mathias Payer and Xu Dongyan (transliteration), rates the severity of this vulnerability as high because of the ubiquity of the BLE protocol.

“To simplify its adoption, BLE requires limited or no user interaction to establish a connection between two devices,” the researchers wrote. “Unfortunately, this simplicity is the root cause of multiple security concerns.”

The paper published by the researchers (link at the end of the article) describes how an attacker can easily launch a BLESA attack: when an attacker discovers a server that a BLE-enabled device is connected to, it pairs with that server to learn its attributes. This is easy because the BLE protocol is designed to allow any device to connect to another BLE device to obtain this information.

The paper points out that BLE also makes the attacker's job easier because its advertising packets are always transmitted in plain text, so an attacker can impersonate a benign server simply by broadcasting the same packets and cloning its MAC address.

The researchers explained that in the next stage of the attack, the threat actor starts broadcasting spoofed advertising packets to ensure that the spoofed advertising packets are received every time the client tries to start a new session with a previously paired server.

The paper highlights two key vulnerabilities in the BLE specification that allow BLESA attacks. The first vulnerability is triggered if authentication during device reconnection is marked as optional rather than mandatory. Another vulnerability is that the specification provides two possible authentication processes when the client reconnects to the server after pairing, which means that authentication may be bypassed.
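To make the first of these two issues concrete, here is an added example (not code from the researchers or the paper) that models a client's reconnection policy in Python. The `Bond`, `Server` and `reconnect_and_read` names and the sample MAC, key and readings are constructed assumptions of this model, not part of any real BLE stack.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Bond:
    """Pairing state the client keeps for a previously paired server (assumed model)."""
    mac: str
    ltk: bytes  # long-term key agreed during pairing


@dataclass
class Server:
    """A peer advertising a MAC address and serving attributes (assumed model)."""
    mac: str
    ltk: Optional[bytes]  # None: this peer never paired with us (e.g. a spoofed peer)
    attributes: dict

    def start_encryption(self, ltk: bytes) -> bool:
        # Link-layer encryption only comes up if both sides hold the same LTK.
        return self.ltk is not None and self.ltk == ltk

    def read(self, handle: int) -> bytes:
        return self.attributes[handle]


def reconnect_and_read(bond: Bond, server: Server, handle: int,
                       require_encryption: bool) -> Optional[bytes]:
    """Client reconnection policy. require_encryption=False mirrors the weak
    behaviour the paper describes (authentication treated as optional): cached
    attributes are read as soon as the known MAC is seen again. True forces the
    client to re-establish encryption with its stored LTK before trusting any
    data, so a peer that cannot prove the bond is rejected."""
    if server.mac != bond.mac:
        return None  # not the device we paired with
    if require_encryption and not server.start_encryption(bond.ltk):
        return None  # bond could not be proven: drop the session, accept nothing
    return server.read(handle)


# Constructed sample: a genuine sensor, and a peer reusing its MAC without the key.
LTK = bytes.fromhex("00112233445566778899aabbccddeeff")
BOND = Bond(mac="AA:BB:CC:DD:EE:FF", ltk=LTK)
GENUINE = Server(BOND.mac, LTK, {0x10: b"temp=21.5"})
SPOOFED = Server(BOND.mac, None, {0x10: b"temp=99.9"})

if __name__ == "__main__":
    for name, policy in (("optional auth", False), ("mandatory auth", True)):
        print(name, reconnect_and_read(BOND, GENUINE, 0x10, policy),
              reconnect_and_read(BOND, SPOOFED, 0x10, policy))
```

With authentication optional the client accepts the spoofed reading; with it mandatory the spoofed peer fails the encryption step and the data is discarded, while the genuine server still works.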

Attackers can use BLESA against BLE implementations on Linux, Android and iOS platforms, the researchers said. Specifically, Linux-based BlueZ IoT devices, Android-based Fluoride, and iOS's BLE stack were all vulnerable, while the Windows implementation of BLE was not affected.

The researchers contacted Apple, Google, and the BlueZ team about the vulnerability. Apple assigned CVE-2020-9770 to the vulnerability in June and fixed it. However, the Android BLE implementation in the devices tested (i.e. Google Pixel XL phones running Android 10) is still vulnerable.

According to the researchers, the BlueZ development team said they would replace the code that was vulnerable to the BLESA attack with the proper BLE reconnection procedure, which is not vulnerable.

This is the second major bug found in Bluetooth this month. Last week, the “BLURtooth” vulnerability was disclosed, allowing attackers within wireless range to bypass authentication keys and perform man-in-the-middle attacks.

References

BLESA: Spoofing attack against BLE reconnection

https://friends.cs.purdue.edu/pubs/WOOT20.pdf
