Bluetooth Reconnection Issues Leave the Door Open for BLESA Attack

In recent years, many battery-powered devices have adopted the Bluetooth Low Energy (BLE) protocol for its power-saving features. This near-ubiquitous technology has now been found vulnerable to a newly discovered attack.


The BLESA attack

The improper BLE reconnection procedure has made billions of Android and iOS devices vulnerable to the new attack dubbed Bluetooth Low Energy Spoofing Attack (BLESA).
  • Two critical security flaws in the BLE link-layer authentication mechanism expose Bluetooth devices to the BLESA attack. 
  • These weaknesses allow an attacker to impersonate a BLE server device and provide spoofed data to another previously paired device.
  • Purdue University researchers found that multiple software stacks, running on more than one billion BLE devices and in 16,000 BLE apps, could be exploited using the BLESA flaw, including BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack.
  • Additionally, the researchers found a related implementation vulnerability (CVE-2020-9770) in the Android and iOS BLE stacks that makes these two stacks vulnerable to BLESA.


Recent threats

The design weaknesses and implementation flaws in the Bluetooth stacks have caused several security issues in recent times.
  • Earlier this month, another vulnerability dubbed BLURtooth was found in the Cross-Transport Key Derivation (CTKD) component of Bluetooth. CTKD sets up authentication keys for both the BLE and Basic Rate/Enhanced Data Rate (BR/EDR) transports, and the flaw lets attackers overwrite Bluetooth authentication keys.
  • In July, researchers reported an authentication bypass in BLE reconnections using two critical design weaknesses in BLE stack implementations in Linux, Android, and iOS. Google and Apple also confirmed the flaw.


Mitigation of BLESA

The BLESA attack targets the reconnection process, which occurs far more frequently than initial pairing, which makes the attack hard to defend against. Purdue's team has released a report describing possible improvements to the reconnection procedure. According to the researchers, both the BLE stack implementations and the BLE specification itself need to be updated.