Do you have a phone, tablet, or laptop in your home?

Or perhaps the better question is, how many of those devices do you have? Whatever your number is, be aware that researchers have unearthed a potentially devastating Bluetooth flaw that leaves billions of devices all over the planet vulnerable.

The recently discovered vulnerability has been dubbed 'BLESA', which stands for Bluetooth Low Energy Spoofing Attack, and it impacts any device that runs the Bluetooth Low Energy (BLE) protocol. BLE is a slimmed-down version of the original Bluetooth Classic standard protocol and was developed mostly to conserve battery power while maintaining Bluetooth connections over long periods of time.

BLE protocol is everywhere

The fact that the lightweight protocol is so power-friendly has caused it to spread like wildfire around the globe, and these days, you can find BLE protocol in just about everything.

That's great, but it also comes at a cost. Any flaws found in such a widely used protocol are nightmares, both in terms of the aggregate risk they represent and in terms of trying to find a workable mitigation and remediation strategy. Unfortunately, that's where we are now. At issue is the reconnection process that devices utilizing the BLE protocol go through. Reconnections occur any time a Bluetooth device moves out of range and then moves back into range later on.

What's supposed to happen upon reconnection

What's supposed to happen in those instances is that the two devices check each other's cryptographic keys negotiated during the initial pairing process. The reality is that the authentication step during reconnection is optional, rather than mandatory. It can be circumvented if the user's device does not require the Internet of Things (IoT) device to authenticate the data it communicates.

This makes it possible for a nearby attacker to bypass reconnection verification and send spoofed data to a device using the BLE protocol. Spoofed (erroneous) data leads to erroneous decisions, and that can lead to big problems.
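The difference between optional and enforced reconnection checks can be shown with a small model. This is an added example, not code from the researchers or from any Bluetooth stack: the class names, the device address and the readings are constructed, and an HMAC challenge-response stands in for the real BLE key check purely as a simplifying assumption.

```python
import hashlib
import hmac
import os


class Peripheral:
    """IoT device model. `key` is the pairing key (None for an impostor)."""
    def __init__(self, address, key, reading):
        self.address, self.key, self.reading = address, key, reading

    def prove(self, challenge):
        # Only a device holding the pairing key can compute a valid proof.
        if self.key is None:
            return b""
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Central:
    """The user's device. `enforce_auth` models the check the article calls optional."""
    def __init__(self, enforce_auth):
        self.enforce_auth = enforce_auth
        self.bonds = {}  # address -> key negotiated at initial pairing

    def pair(self, peripheral):
        self.bonds[peripheral.address] = peripheral.key

    def reconnect_and_read(self, peripheral):
        key = self.bonds.get(peripheral.address)
        if self.enforce_auth:
            if key is None:
                return None  # never paired: nothing to verify against
            challenge = os.urandom(16)
            expected = hmac.new(key, challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, peripheral.prove(challenge)):
                return None  # peer cannot prove the key: discard its data
        return peripheral.reading


def demo():
    key = os.urandom(16)
    genuine = Peripheral("AA:BB:CC:00:00:01", key, "temp=21.5")   # constructed
    impostor = Peripheral("AA:BB:CC:00:00:01", None, "temp=99.9")  # no pairing key
    results = {}
    for name, central in (("lenient", Central(False)), ("strict", Central(True))):
        central.pair(genuine)
        results[name] = (central.reconnect_and_read(genuine),
                         central.reconnect_and_read(impostor))
    return results
```

The lenient device returns the impostor's reading as if it were genuine, while the strict device returns `None` for it and still accepts the paired device.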

There's no good fix for this because there are billions of potentially impacted devices. Many IoT manufacturers don't bother with security at all, so they're incredibly unlikely to push a fix for the issue to the devices they make, even if one was given to them.

Our perspective

To be clear, this type of attack hasn't been seen in the wild yet. However, given how many vulnerable devices there are, and how unlikely the problem is to be fixed in the current generation of machines, it's just a matter of time. Stay vigilant. It's your only defense in this case.

~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there!" ~

 

By Denis Wilson and Melissa Stockwell
