A weakness in how Bluetooth Low Energy (BLE) devices reconnect after they have been paired leaves billions of Android, iOS and Linux-based devices open to a new attack dubbed Bluetooth Low Energy Spoofing Attack (BLESA).
Two design weaknesses in the BLE specification's reconnection procedure make the attack possible: authentication during reconnection is optional rather than mandatory, and a device that does not strictly enforce it can be talked into reconnecting without it.
Together they allow an attacker within radio range to impersonate a BLE server (peripheral) device and feed spoofed attribute data to a client that previously paired with the genuine device.
The Purdue University researchers found that several widely used BLE stacks are affected, among them BlueZ (Linux-based IoT devices), Fluoride (Android) and the iOS BLE stack, putting more than a billion BLE devices and some 16,000 BLE apps within reach of the flaw.
In addition, they found a related implementation vulnerability (CVE-2020-9770) in the Android and iOS BLE stacks that leaves those two stacks exposed to BLESA.
Earlier this month, a separate vulnerability dubbed BLURtooth was disclosed in Bluetooth's Cross-Transport Key Derivation (CTKD), the component that derives keys for both the BLE and Basic Rate/Enhanced Data Rate (BR/EDR) transports from a single pairing. An attacker in range can abuse it to overwrite the authentication keys a device holds for a paired peer.
In July, the researchers reported the BLESA authentication bypass in BLE reconnections, tracing it to the two design weaknesses above as they surface in the Linux, Android and iOS stacks. Google and Apple confirmed the flaw.
Because BLESA targets reconnection rather than the one-time pairing, and reconnections happen constantly (every time a device drops out of range and comes back), the attack is hard to defend against. Purdue's team has published a report with proposed improvements to the reconnection procedure; in their view both the BLE stack implementations and the BLE specification itself need to change.
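The following is an added, deliberately simplified model of the client-side reconnection decision the article describes; it is not code from the Purdue paper or from any BLE stack. The message names (start_encryption, notify) and the HMAC tag standing in for the link-layer MIC are assumptions made for illustration. It shows the two outcomes side by side: a client that proceeds when the peer declines encryption accepts a spoofed notification over a plaintext link, while a client that enforces encryption on every reconnection drops the impostor and also rejects a peer that "agrees" to encrypt but holds the wrong long-term key.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample key: stands in for the LTK agreed during the original pairing.
LTK = bytes(range(16))
BONDED_ADDR = "AA:BB:CC:DD:EE:FF"


@dataclass
class Bond:
    """What the client remembers about a paired peer."""
    peer_addr: str
    ltk: bytes


@dataclass
class Server:
    """A peripheral the client reconnects to. An impostor can spoof the
    address but does not hold the LTK, so it declines to encrypt (BLESA)."""
    addr: str
    ltk: Optional[bytes] = None
    decline_encryption: bool = False

    def start_encryption(self) -> bool:
        # A genuine server agrees to encrypt; an impostor either declines
        # outright or cannot complete the procedure because it has no key.
        return (not self.decline_encryption) and self.ltk is not None

    def notify(self, value: bytes, encrypted: bool) -> dict:
        # Toy attribute notification. The 4-byte HMAC tag models the AES-CCM
        # MIC an encrypted BLE link carries; plaintext links carry none.
        mic = hmac.new(self.ltk, value, hashlib.sha256).digest()[:4] if encrypted else b""
        return {"value": value, "mic": mic}


def client_reconnect(bond: Bond, server: Server,
                     enforce_encryption: bool) -> Tuple[Optional[bytes], str]:
    """Reconnect to a bonded peer and process one notification.

    enforce_encryption=False models the weakness BLESA exploits: the client
    keeps going when the peer refuses to re-encrypt. True is the hardened
    behaviour: no attribute data is accepted until the link is encrypted
    under the stored LTK.
    Returns (accepted value or None, reason).
    """
    if server.addr != bond.peer_addr:
        return None, "address mismatch: not the bonded peer"

    encrypted = server.start_encryption()
    if not encrypted and enforce_encryption:
        return None, "peer refused encryption: disconnect"

    pdu = server.notify(b"temperature=999", encrypted)
    if encrypted:
        expected = hmac.new(bond.ltk, pdu["value"], hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(expected, pdu["mic"]):
            return None, "MIC check failed: disconnect"
        return pdu["value"], "accepted (encrypted)"

    # Vulnerable path: spoofed data accepted over a plaintext link.
    return pdu["value"], "accepted (plaintext!)"


def run_scenarios() -> dict:
    """Exercise a genuine peer, an address-spoofing impostor and a peer with
    the wrong key against both client behaviours."""
    bond = Bond(BONDED_ADDR, LTK)
    genuine = Server(BONDED_ADDR, LTK)
    impostor = Server(BONDED_ADDR, None, decline_encryption=True)
    wrong_key = Server(BONDED_ADDR, b"\x00" * 16)
    return {
        "genuine/lenient": client_reconnect(bond, genuine, False),
        "impostor/lenient": client_reconnect(bond, impostor, False),
        "genuine/strict": client_reconnect(bond, genuine, True),
        "impostor/strict": client_reconnect(bond, impostor, True),
        "wrongkey/strict": client_reconnect(bond, wrong_key, True),
    }


if __name__ == "__main__":
    for name, (value, reason) in run_scenarios().items():
        print(f"{name:18} value={value!r:20} {reason}")
```

The only line that separates the two behaviours is the early return when the peer refuses encryption; in the model, as in the attack, the lenient client never checks anything about the notification once it has accepted a plaintext link, which is why the spoofed reading gets through.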