Billions of devices vulnerable to new 'BLESA' Bluetooth security flaw

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
6,408
"Sadly, just like with all the previous Bluetooth bugs, patching all vulnerable devices will be a nightmare for system admins, and patching some devices might not be an option.

Some resource-constrained IoT equipment that has been sold over the past decade and already deployed in the field today doesn't come with a built-in update mechanism, meaning these devices will remain permanently unpatched.

Defending against most Bluetooth attacks usually means pairing devices in controlled environments, but defending against BLESA is a much harder task, since the attack targets the more often-occurring reconnect operation.

Attackers can use denial-of-service bugs to make Bluetooth connections go offline and trigger a reconnection operation on demand, and then execute a BLESA attack. Safeguarding BLE devices against disconnects and signal drops is impossible.

Making matters worse, based on previous BLE usage statistics, the research team believes that the number of devices using the vulnerable BLE software stacks is in the billions.

All of these devices are now at the mercy of their software suppliers, currently awaiting for a patch.

Additional details about the BLESA attack are available in a paper titled "BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy" [PDF, PDF]. The paper was presented at the USENIX WOOT 2020 conference in August. A recording of the Purdue team's presentation is embedded below."


https://www.zdnet.com/article/billions-of-devices-vulnerable-to-new-blesa-bluetooth-security-flaw/
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
30,641
FFS.

Really getting tired of hardware attacks.

I want to go back in time, find the guy who said "hey, you know how we keep finding software vulnerabilities? Why haven't we looked at hardware?" and zap him with a lightning bolt.

This is starting to turn into a serious nuisance.

Luckily I don't use bluetooth too much. Only place is my car for phone calls. I kind of like it there though...
 
Top