BLESA .. Bluetooth Disguised

The improper BLE reconnection procedure has made billions of Android and iOS devices vulnerable to the new attack dubbed Bluetooth Low Energy Spoofing Attack (BLESA).

Two critical security flaws in the BLE link-layer authentication mechanism expose Bluetooth devices to the BLESA attack.
These weaknesses allow an attacker to impersonate a BLE server device and provide spoofed data to another previously paired device.

Researchers have found that multiple software stacks, including BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack, could be exploited using the BLESA flaw, which affects more than one billion BLE devices and 16,000 BLE apps.
Additionally, researchers found a related implementation vulnerability (CVE-2020-9770) in the Android and iOS BLE stacks that makes these two stacks vulnerable to BLESA.

Earlier this month, another vulnerability dubbed BLURtooth was found in the Cross-Transport Key Derivation (CTKD) component of Bluetooth. Because CTKD sets up authentication keys for both the BLE and Basic Rate/Enhanced Data Rate (BR/EDR) standards, it lets attackers overwrite Bluetooth authentication keys.

In July, researchers reported an authentication bypass in BLE reconnections using two critical design weaknesses in BLE stack implementations in Linux, Android, and iOS. Google and Apple also confirmed the flaw.

Escape route

The BLESA attack targets the reconnection process, which occurs far more often than the initial pairing, so it is hard to defend against. Purdue’s team has released a report on possible improvements to the reconnection procedure. According to them, both the BLE stack implementations and the BLE specification itself need to be improved.
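As an added illustration (not code from the Purdue report or from any real BLE stack), the toy model below shows the reconnection decision the paragraphs above describe: a central that trusts a bonded address without re-establishing encryption accepts data from an impersonated server, while one that demands proof of the bonded Long Term Key rejects it. The `Peripheral` and `Central` classes, the HMAC challenge/response standing in for link-layer encryption, and the sample address and values are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for BLE link-layer encryption: a challenge/response keyed
# with the Long Term Key (LTK) stored at pairing. Real stacks derive an AES-CCM
# session key from the LTK; only the "proof of key possession" property is kept.

@dataclass
class Peripheral:
    addr: str
    ltk: Optional[bytes]  # None models an impersonator that never bonded

    def respond(self, challenge: bytes) -> Optional[bytes]:
        if self.ltk is None:
            return None  # cannot complete encryption without the bonded key
        return hmac.new(self.ltk, challenge, hashlib.sha256).digest()

@dataclass
class Central:
    enforce_encryption: bool = True
    bonds: Dict[str, bytes] = field(default_factory=dict)  # addr -> LTK

    def reconnect_and_read(self, p: Peripheral, value: bytes) -> Optional[bytes]:
        """Reconnect to a bonded address; return value only if the peer is trusted."""
        ltk = self.bonds.get(p.addr)
        if ltk is None:
            return None  # unknown address: would require a fresh pairing
        if not self.enforce_encryption:
            # BLESA-style weakness: the address alone is taken as identity and
            # data is accepted although the link was never re-encrypted.
            return value
        challenge = secrets.token_bytes(16)
        expected = hmac.new(ltk, challenge, hashlib.sha256).digest()
        response = p.respond(challenge)
        if response is None or not hmac.compare_digest(expected, response):
            return None  # peer cannot prove it holds the bonded LTK: drop the data
        return value

def demo(enforce: bool) -> Dict[str, Optional[bytes]]:
    genuine = Peripheral("AA:BB:CC:DD:EE:FF", secrets.token_bytes(16))  # constructed
    spoof = Peripheral(genuine.addr, None)  # same address, no bonded key
    central = Central(enforce_encryption=enforce, bonds={genuine.addr: genuine.ltk})
    return {"genuine": central.reconnect_and_read(genuine, b"temp=21"),
            "spoof": central.reconnect_and_read(spoof, b"temp=99")}
```

`demo(False)` returns the spoofed value alongside the genuine one; `demo(True)` returns the genuine value and `None` for the impersonator.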

It’s Blurtooth 💙 Not Bluetooth

A vulnerability in the ubiquitous Bluetooth wireless standard, dubbed Blurtooth, could enable hackers within range to connect to devices and access users’ applications.

Bluetooth is found in billions of devices worldwide ranging from smartphones to “internet of things” gadgets. In the consumer technology world, it’s commonly used to power short-range connections for tasks such as pairing wireless earbuds with a handset. Bluetooth also supports longer-range data transfer over distances of as much as several hundred feet, a range that hackers could potentially exploit using Blurtooth to launch attacks.

The vulnerability harnesses a weakness in the way Bluetooth verifies the security of connections. Normally, a user must manually approve a connection request before their device is linked to another system, but Blurtooth makes it possible to circumvent this defense.

A hacker can configure a malicious system to impersonate a Bluetooth device that the user had already approved, such as their wireless earbuds, and gain access to the Bluetooth-enabled apps on the user’s machine.

Blurtooth attacks rely on a built-in Bluetooth security feature known as CTKD. Normally, this feature is used to help encrypt connections. A hacker could exploit it to hijack the authentication key of a previously approved device, which is what makes it possible to impersonate legitimate endpoints and thereby circumvent the need for the user to approve inbound connections.

The limited wireless range of Bluetooth reduces the threat posed by the vulnerability. The two editions of the technology affected, Low Energy and Basic Rate, only support connections over distances of up to 300 or so feet.

The widespread support for those two Bluetooth editions in consumer devices means that a large number of endpoints could potentially be vulnerable.

All devices using Bluetooth versions 4.0 through 5.0 are affected. The newest 5.2 version, which isn’t yet widely adopted, apparently isn’t vulnerable, while the 5.1 release has certain built-in features that device makers can turn on to block Blurtooth attacks.