A group of researchers at Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS) recently discovered a vulnerability that affects the many IoT devices running Bluetooth.
Bluetooth Low Energy (BLE) is the most widely utilized low-energy communication protocol for mobile and IoT devices. Sales of Bluetooth Low Energy (BLE) devices are forecasted to triple by 2023 to 1.6 billion annual shipments, according to market advisory firm ABI.
BLE devices rely on pairing, a critical procedure, to build trust between two devices when they connect for the first time. Once paired, the reconnections between BLE devices are often transparent to the user. The vulnerability lies in the reconnection procedures for previously paired BLE devices. And reconnections happen frequently in typical usage scenarios, said Jianliang Wu, a PhD student from the PurSec Lab at Purdue University and one of the lead researchers on the project.
Bluetooth devices often move out of range and then move back into range again later, and re-establish a connection with a previously paired devices. All of this goes on without user notification. The research centers on this reconnection process.
“We were intrigued by the fact that the researchers in the prior art had focused on analyzing the security of the one-time pairing procedure, but they had completely overlooked the reconnection procedure between two already paired BLE devices,” said Wu. “We strived to investigate the reconnection procedure for potential security flaws. In our research, we first theoretically analyzed the reconnection procedure by carrying out the formal verification of the connection procedures proposed in the most recent BLE specification.”
The researchers’ analysis revealed two critical design weaknesses of BLE:
- For some BLE devices, the authentication during the device reconnection is optional instead of mandatory.
- For other BLE devices, the authentication can potentially be circumvented if the user’s device fails to enforce the IoT device to authenticate the communicated data.
After discovering the design weaknesses in the BLE specification, the researchers analyzed mainstream BLE stack implementations, including BLE protocol stacks on Linux, Android, iOS and Windows to see if “real-world devices” were vulnerable to the security flaws. Three of the devices tested were determined to be vulnerable because they failed to ensure the connecting IoT device authenticated its data and accepted unauthenticated data.
“This vulnerability has a broad impact on mainstream platforms that support BLE communications, including Linux, Android and iOS,” said Wu. “According to a recent study, more than 1 billion BLE devices do not use application-layer security, which could have provided a second line of defense. At least 8,000 Android BLE apps with 2.38 billion installations read data from BLE devices in plaintext. Similar numbers may apply to iOS apps.”
The researchers conclude that their discovery implies that this vulnerability can potentially affect more than 1 billion BLE devices and 16,000 BLE apps.
|Platform||OS and Version||BLE Stack implementation|
|Google Pixel XL||Android 8.1, 9, 10||Fluoride|
|Apple iPhone 8||iOS 12.1, 12.4, 13.3||iOS BLE stack|
|Linux Laptop||Ubuntu 18.04||BlueZ 5.48|
The researchers have reported the findings to Google and Apple, and both confirmed the flaw. Apple assigned CVE-2020-9770 to the vulnerability. The results of the research will be presented at the 14th USENIX Workshop on Offensive Technologies (WOOT 2020) next month.
How would this play out as an exploit? Wu said an attacker could launch a spoofing attack and impersonate the IoT device, forge malicious data corresponding to the IoT device and feed the forged data to the user’s device.
“Specifically, the design weakness and vulnerabilities allow the attacker to bypass the authentication in BLE reconnections, which can lead to spoofing attacks against the user’s devices,” he said. “In fact, the attacker can easily impersonate all IoT devices’ data that are not protected by application-level authentication.”
That could lead to several scenarios, according to the researchers. For example, malicious keystrokes could be injected into the smartphone or desktop when it reconnects to a BLE keyboard. Or a fake glucose level value can be injected into the smartphone while the user reads data from a BLE glucose monitor. Fake fitness data can be received by the user when it reconnects to a fitness tracker.
The researchers have also released a demo of the attack against a fitness tracker.
To prevent this, both the BLE specification and the current BLE stack implementations in Linux, Android and iOS need to be updated to secure the reconnection procedure. Users should install the most recent version of the firmware to apply the required security patches to fix the vulnerabilities. Apple has fixed the issue in iOS 13.4 and iPadOS 13.4.