Researchers at Purdue University have discovered a flaw in Bluetooth Low Energy technology, that affects billions of devices having this feature. Named as BLESA, the flaw found in Bluetooth Low Energy’s Reconnection process can let an attacker to send spoofed data and automate few processes in the target’s device. Makers of IoT devices with tech and no option to patch are more vulnerable.
A Critical Bluetooth Security Issue!
There have been a number of security researches made on Bluetooth technology, but most of them are related to the pairing process and have left a critical corner. Researchers at Purdue University have documented a flaw in Bluetooth Low Energy (BLE), which they claim to give hackers a chance to barge into other devices with spoofed data.
Bluetooth Low Energy is a slimdown version of standard Bluetooth, which functions similar to it for data sharing but uses less energy. Since it’s so optimal, several manufacturers have embedded this Low Energy version to all their devices that are powered by a battery. But, the “Reconnection” part of this technology has a critical flaw, as said by researchers.
The specifications of BLE tech were loosely written in few instances, where researchers noted that devices reconnecting after being disconnected for a while doesn’t need authentication, or at least can be circumvented if the user’s device fails to enforce the device to authenticate the communicated data. In actuality, the reconnecting devices need to authenticate each other with cryptography keys.
This flaw can let an attacker bypass authentication and send spoofed data to automate processes. Researchers said the Android devices running Fluoride stack, Linux-based IoT devices running on BlueZ stack and iOS BLE are vulnerable to BLESA attacks. An exception here is the Windows machines running a different BLE stack.
