BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy

Authors: 

Jianliang Wu, Yuhong Nan, Vireshwar Kumar, Dave (Jing) Tian, and Antonio Bianchi, Purdue University; Mathias Payer, EPFL; Dongyan Xu, Purdue University
Awarded Best Paper!

Abstract: 

The Bluetooth Low Energy (BLE) protocol ubiquitously enables energy-efficient wireless communication among resource-constrained devices. To ease its adoption, BLE requires limited or no user interaction to establish a connection between two devices. Unfortunately, this simplicity is the root cause of several security issues.

In this paper, we analyze the security of the BLE link-layer, focusing on the scenario in which two previously-connected devices reconnect. Based on a formal analysis of the reconnection procedure defined by the BLE specification, we highlight two critical security weaknesses in the specification. As a result, even a device implementing the BLE protocol correctly may be vulnerable to spoofing attacks.

To demonstrate these design weaknesses, and further study their security implications, we develop BLE Spoofing Attacks (BLESA). These attacks enable an attacker to impersonate a BLE device and to provide spoofed data to another previously-paired device. BLESA can be easily carried out against some implementations of the BLE protocol, such as the one used in Linux. Additionally, for the BLE stack implementations used by Android and iOS, we found a logic bug enabling BLESA. We reported this security issue to the affected parties (Google and Apple), and they acknowledged our findings.

BibTeX
@inproceedings {257198,
author = {Jianliang Wu and Yuhong Nan and Vireshwar Kumar and Dave (Jing) Tian and Antonio Bianchi and Mathias Payer and Dongyan Xu},
title = {{BLESA}: Spoofing Attacks against Reconnections in Bluetooth Low Energy},
booktitle = {14th USENIX Workshop on Offensive Technologies (WOOT 20)},
year = {2020},
url = {https://www.usenix.org/conference/woot20/presentation/wu},
publisher = {USENIX Association},
month = aug
}
