BLESA: The New Bluetooth Vulnerability Putting Billions of Devices At Risk

Must Read

Indian Marketers To Invest More On Social Media In 2013: 52% Focus On Customer Acquisition [Report]

Majority of e-Marketers are focusing on Customer Acquisition via Social Media in 2013, according to a latest e-Marketing research...

Are You A Gaming Geek: ‘Five Commandments’ Before You Buy Video Games Online !

Does your day start with joysticks instead of coffee mugs? Or as a kid your best friends were the...

Apple Inc. (AAPL) 5.5 Inch Screen iPhone 6 Could Be A Game Changer: Rumors Claims 5.7-Inch iPhone 6C

Apple Inc. (NASDAQ:AAPL) looks set to release iPhone 6 with a 4.7 inch screen in September this year. Mass production for...

With the ever-changing technology, the war against hackers and those intent upon malicious data theft are eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even cleverer than before. This is once again proven with the new Bluetooth vulnerability that has put billions of devices on the risk of getting hacked.

A new security flaw in the Bluetooth software stack is discovered during the summer. It has the potential to affect billions of smartphones, laptops and IoT devices using the Bluetooth Low Energy (BLE) protocol which eventually opens up a potential gateway to valuable data losses.

The new vulnerability has been abbreviated BLESA (Bluetooth Low Energy Spoofing Attack) by the team of seven academic researchers at Purdue University who first brought it to light over the course of their research during the summer.

Advertisements

The issue differs from the recently discovered BLURtooth vulnerability though. In the BLESA process, two previously paired Bluetooth devices reconnect and involves both devices checking each other’s cryptographic keys to reconnect. As per the research now, the standard in the software means the checking part isn’t compulsory.

Going into the specifics, the software standard present, sets authentication during a reconnect as optional, thereby opening the door to an attack. Not only this, the authentication part can be circumvented if a BLE device fails to force another device to authenticate cryptographic keys while reconnecting.

As a result of this newfound problem, billions of devices could be vulnerable to BLESA attacks where any nearby attacker could bypass reconnection verification, sending spoofed or malicious data to the targeted BLE device. Both humans and automated processes are placed at risk to make incorrect decisions when it comes to allowing two devices to reconnect with one another.

BLE has been even more popularly adopted over the past decade, owing to its battery saving capabilities. It has acquired a near-ubiquitous technology across almost all battery-powered devices.

Security researchers and academics have also repeatedly probed BLE for security flaws across the years, often finding major issues, ever since it first surfaced.

Advertisements

However, one silver lining in the whole situation is that the issue does not affect all BLE real-world implementations according to Purdue’s researchers who analysed multiple software stacks across operating systems. According to the data, the researchers found that BlueZ (Linux-based IoT devices), Fluoride (Android) and the iOS BLE stack are those which are vulnerable to BLESA attacks.

While the BLE stack in Windows devices was found to be surprisingly immune, tech titan Apple fixed the vulnerability in its iOS and iPadOS 13.4. The same cannot be said of Android BLE implementation, as it is still being deemed vulnerable.

All in all, defending against most Bluetooth attacks usually means pairing devices in controlled environments. With BLESA, it ordains a much harder task, since the attack targets the more often-occurring reconnect operation.

The group of researchers have also released a paper titled “BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy”, in order to better explain how BLESA attacks can be prevented.

“To prevent BLESA, we need to secure the reconnection procedure between clients and their previously-paired server devices. We can achieve this by improving the BLE stack implementations and/or updating the BLE specification.”

Sadly, this spells a nightmare for system admins, because just like with all the previous Bluetooth bugs, patching some devices might not be an option, and all vulnerable devices are left at the mercy of their software suppliers to come up with a patch addressing the issue.

While the developers come up with a solution, the standard mobile user would do better to keep their eyes peeled for the new update. Till then, watch out for your device and stay tuned to this space for more updates.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest News

The Squid Game In Real Life Is Equally Exciting As The Netflix Show Worth $900 Million

From Halloween to Netflix, from real life to reel life, the South Korean Netflix show Squid Games has taken...

In-Depth: Dprime

Will ‘TikTok By Microsoft’ Be A Winner?

For the last two years, TikTok has been in the public eye for all sorts of reasons. First, it was the exploded and unparalleled...

Facebook Subscription Model: Looking Beyond Ad Dollars?

Seldom do job listings create a stir this gripping. However, when the job listing in question is a stealth post from Twitter, with a...

Will The Online Food Delivery Market in India End Up Becoming A Two-Horse Race?

It's pretty much evident that the food delivery space in India is all set to get riled up soon enough as one of the...

More Articles Like This