Billions of Devices Vulnerable To New 'BLESA' Bluetooth Spoofing Attack

An anonymous reader writes: "Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed over the summer," reports ZDNet. Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol, and affects the reconnection process that occurs when a device moves back into range after losing or dropping its pairing. A successful BLESA attack allows bad actors to connect with a device (by getting around reconnection authentication requirements) and send spoofed data to it. In the case of IoT devices, those malicious packets can convince machines to carry out different or new behavior. For humans, attackers could feed a device deceptive information. BLESA impacts billions of devices that run vulnerable BLE software stacks. Vulnerable are BLE software libraries like BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack. Windows' BLE stack is not impacted.

Re:

[douglasfir77]

"Windows' BLE stack is not impacted." So ironic!

Re:

[Anonymous Coward]

It's a bit disingenuous to say Microsoft isn't affected. The paper doesn't even mention testing the Microsoft BLE stack.

That sucks...

[aaarrrgggh]

Pretty much everything is built around bluez, and much of the stuff is not easy/possible to update.

Re:That sucks...

[rtb61]

I never turn it on, unless I want to specifically use it and when finished I turn it off, same as wireless. Both always annoyingly trying to connect, so off, unless I specifically want a temporary connection. I find airport mode quite useful and forget it is on, only switching it off to make a call, to connect to the world without the world connecting to me. Although you still can not keep out top level hackers (with the built in google backdoors) who will run you phone battery flat listening in on every single fucking thing (really annoying battery and data constantly gone, for many months and then it stops, nothing changed by me but definitely changed, battery life back to over a day after a drop to around six hours, phone constantly phoning home apparently, yeah Google built in backdoors to android and do not believe otherwise).

Re:

[Anonymous Coward]

Amature. I wrap my phone in tin foil.

Re:

[aaarrrgggh]

That is fine for devices you have full control over, but the reality is so many devices you don’t actually have any control over the bluetooth functions and they really are well established for a back door. A NUC or Pi is easy, but the many routers with undocumented bluetooth interfaces is staggering, not to mention all the IoT crap. What you once were able to sandbox now has so many different interfaces that it is a lost battle. The day a widescale Espressif exploit is discovered we are all doomed

Re:

[AmiMoJo]

If you are finding your phone drains the battery as it records everything you say then you have a severe malware infection. You are probably being targeted by a state level actor because nobody has ever found evidence of a criminal gang doing that kind of thing - it's just too much effort to receive and process the data compared to the meagre rewards and the fact that there are much more profitable options if they already completely own your phone.

Anyway these days there are more reasons to keep Bluetooth e

Android Greentooth

[emil]

An app exists on F-Droid to shut down Bluetooth after a period of inactivity, with optional notification and delay settings.

This app is named Greentooth.

Greentooth URL

[emil]

https://f-droid.org/en/package... [f-droid.org]

Doesn't matter over 90% of the time

[raymorris]

87% of the tested BLE devices didn't even use encryption (pairing) anyway. So this issue doesn't apply - these gadgets can obviously be spoofed and eavesdropped by design.

Of the 13% that DO use pairing, for how many those does it matter?

Note this is not a Bluetooth issue, it's limited to BLE, devices such as the Tile keychain that lets you know you left your keys behind. From memory, Tile *does* pair, so somebody could spoof it and make my phone think my keys are nearby when they actually aren't. Scary h

I really did wake up in Bizarro World this morning

[DontBeAMoran]

Vulnerable are BLE software libraries like BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack. Windows' BLE stack is not impacted.

Does this not seem like the complete opposite of what you were expecting?

yep, kinda surprised

[JcMorin]

Open source leave everyone see the bugs, I guess that was a VERY subtle issue.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[AmiMoJo]

My 6 year old OnePlus One has no issues with Bluetooth pairing. It's been fixed for a long time.

So much for the Apple Watch 6 I guess

[DontBeAMoran]

Who's going to buy a flawed brand-new device?

Sent from my 2010 Mac mini.

Bluetooth was a mistake.

[Narcocide]

I'm getting tired of seeing the future.

Headphones

[Cmdln Daco]

I am glad that I use wired headphones so I seldom have bluetooth on.

BlueZ is not vulnerable - gatttool is

[vudentz]

Great, not only BlueZ end up as the first mentioned as vulnerable but there is no mention whatsoever that is one of the very few that do employ encryption right from the beginning when used with non-deprecated tools.

Car bluetooth? Where's the car recall?

[will4]

Wouldn't there be a massive 20,000,000 car recall if the car industry gets hit by this?

Taking over an adjacent car at highway speeds by driving alongside it with a laptop

Why no massive recall for consumer and industrial electronics? Why always a software patch and no way to use a lemon law to return the product for a full refund.

Re:

[martynhare]

Many cars use operating systems like QNX which isolate components, so that a bug in the entertainment system doesn't take out the speedometer and diagnostics. Those that don't keep systems physically, rather than logically isolated.

I Always Think It's Like Running Java

[buravirgil]

You know? The perceptible delay the whole system experiences when a Java app kicks in? BlueTooth is possessed by inexplicable delays that are never the same twice to my spider senses. I stopped running WAN and BlueTooth at the same time because I'm convinced the "trickle" rate of transmission BlueTooth asserted with its patents began "phoning home" a loooong time ago. And network services were designed to relay asynchronous transmission that evolved to synchronous through apps where it's desired, like maps.