How can you patch the unpatchable? New Bluetooth risk
Billions of Bluetooth devices are vulnerable to attack according to new research, leaving business data on mobile devices and IoT systems open to compromise by attackers. Being aware of this is one thing; successfully protecting against it is a whole other challenge…
A group of researchers recently revealed a new vulnerability in the implementation of the Bluetooth protocol in a vast range of devices, leaving enterprise security teams facing a difficult quandary.
The team of seven academics from Purdue University were investigating the Bluetooth Low Energy (BLE) protocol, and specifically the "reconnection" process, which has rarely been scrutinised.
They exposed a concerning vulnerability in what happens when devices that have already authenticated each other lose their connection and then reconnect. Effectively, authentication during reconnection is optional rather than mandatory, and can be bypassed entirely if the user device does not force the IoT device to authenticate. This opens the door to a ‘BLESA attack’, or Bluetooth Low Energy Spoofing Attack.
A nearby attacker can sidestep authentication and then send spoofed data to a BLE device, which can in turn be used to attack IoT systems. The research added: “These weaknesses, in some BLE stack implementations, allow an attacker to launch a spoofing attack in which the attacker pretends to be a previously-paired server device, inducing a client device into accepting spoofed data.”
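Added example (not code from the article or from the Purdue team): a simplified Python model of the client-side reconnection check described above, with the weak optional-authentication policy beside the mandatory one. The long-term key, the HMAC challenge and the sensor payloads are constructed stand-ins for BLE's actual link re-encryption, which differs in detail.

```python
# Simplified model of a BLE client reconnecting to a previously paired server.
# Assumption: the long-term key (LTK) from the original pairing is a shared
# secret, and re-authentication is an HMAC over a fresh client nonce. Real BLE
# link re-encryption is more involved; the policy question it illustrates is
# the same one the BLESA research raises.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Server:
    """A BLE peripheral: the genuine one holds the LTK, an impostor does not."""
    ltk: Optional[bytes]
    data: bytes

    def respond(self, nonce: bytes) -> Tuple[Optional[bytes], bytes]:
        # Only a holder of the LTK can produce a valid proof for this nonce.
        tag = hmac.new(self.ltk, nonce, hashlib.sha256).digest() if self.ltk else None
        return tag, self.data


@dataclass
class Client:
    ltk: bytes
    require_auth: bool            # False reproduces the BLESA-prone behaviour
    received: List[bytes] = field(default_factory=list)

    def reconnect(self, server: Server) -> bool:
        nonce = os.urandom(16)
        tag, payload = server.respond(nonce)
        expected = hmac.new(self.ltk, nonce, hashlib.sha256).digest()
        authenticated = tag is not None and hmac.compare_digest(tag, expected)
        if not authenticated and self.require_auth:
            return False          # hardened client: unauthenticated data is dropped
        self.received.append(payload)   # weak client accepts it regardless
        return True


def demo(require_auth: bool) -> dict:
    """Reconnect to the genuine server, then to a keyless impostor."""
    ltk = b"constructed-pairing-key"          # constructed sample key
    client = Client(ltk, require_auth)
    genuine = Server(ltk, b"temp=21C")
    impostor = Server(None, b"temp=99C")      # same address, no key
    return {"genuine": client.reconnect(genuine),
            "impostor": client.reconnect(impostor),
            "data": list(client.received)}
```

With `require_auth=False` the impostor's payload lands in the client's data just as the genuine one does; with `require_auth=True` only the genuine server's data is accepted.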
The vulnerable BLE software stacks are thought to be endemic, with the researchers originally estimating the number of devices using them in the billions, including devices using BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack. Apple has subsequently fixed the bug under CVE-2020-9770, and the Linux BlueZ development team plan to deprecate and replace the code responsible.
Patchwork problems
Chris Hauk, consumer privacy champion at Pixel Privacy said that the scale of the vulnerability would present challenges for enterprise security teams: “This recent flaw appears to affect users of numerous devices, including iOS and Android. Unfortunately, as it has been with previous Bluetooth bugs, system admins face a nightmare of attempting to patch all vulnerable devices, and that's only if there is a patch available. It is also unfortunate that standard users of mobile and other devices may not patch their devices if and when a patch becomes available."
As well as a potential threat to enterprise mobile devices in general, the wider issue affects IoT devices, which may be physically inaccessible, incapable of over-the-air (OTA) patching, or no longer supported by their manufacturers. Javvad Malik, security awareness advocate at KnowBe4 said: “Organisations should assess the risk according to their environments and look to put in place a patching schedule as appropriate. Perhaps, the biggest risk will come in the form of IoT devices that can't be patched at all.
“It highlights some of the complexity, and challenges when there are many parties involved in the supply chain from hardware, software, assembly, and sale. Which is why it can be so difficult to identify who is responsible for providing patches, and why some form of regulation, particularly around IoT devices may be needed to help instill the need, and hopefully breed a culture of security."
Targeted teething
Although the BLESA flaw impacts potentially billions of devices, it differs from other widespread vulnerabilities in common protocols and/or hardware such as Heartbleed, Meltdown and Spectre: it is constrained by the limited radio range of Bluetooth. This makes targeted attacks the likely result, rather than widespread business compromise.
As John Stock, product manager at Outpost24 told SC Media UK, the key for businesses and enterprises is to try and understand the potential impact on the business. “As an example, with BLESA, is there a company policy in place which forbids the use of Bluetooth devices? Although it's likely that 100% won’t be following this, it will significantly reduce the risk.”
He says that cyber-security leaders need to understand how best to mitigate the risk dependent on business needs. “Again in the BLESA example, if this has an effect on the CEO using his wireless headset, then maybe the simplest and safest workaround is to hand the CEO a wired headset and an explanation as to why.”
The role of the security team in supporting the business is one that’s easily forgotten, he adds, and stepping back and looking at how to mitigate the risk “while still enabling the business is the best way to start when a technical fix is not available”.
While patching such widespread vulnerabilities is a substantial challenge, recent years have seen successful industry-wide collaborations to combat some of the most egregious examples.
The Heartbleed OpenSSL vulnerability saw the industry work together to resolve the threat to internet encryption as a whole, while more recent collaboration to research, document and patch Meltdown and Spectre vulnerabilities has seen engagement from a laundry list of names including Microsoft, HP, IBM, Google, Apple, Intel, Arm, Nvidia, AMD and Cisco.