Bluetooth Spoofing Bug Affects Billions of IoT Devices
Academic researchers at Purdue University have discovered a vulnerability within Bluetooth Low Energy (BLE) that could allow for spoofing attacks. This bug remains unpatched in Android devices, potentially impacting millions of consumers and billions of IoT devices. The BLE spoofing vulnerability is likely a result of security experts overlooking the process of device reconnection, allowing for a flaw to be left unnoticed. Reconnections occur when two devices are connected and then one moves out of range and then connects again once back within reach.
A successful exploit of this vulnerability would allow threat actors to connect with a device by bypassing reconnection authentication requirements, sending spoofed data to it. In IoT devices, the entire behavior of the machine can be compromised. Attackers could also feed a compromised device deceptive information that is then relayed to the user. The ubiquity of the BLE protocol causes this vulnerability to be particularly significant, affecting billions of devices that have the ability to pair and connect to others.