Bluetooth Reconnection Flaw: Spoofing Risk for IoT Devices

Purdue University security researchers recently discovered a vulnerability affecting IoT devices running Bluetooth which could lead to spoofing attacks. The vulnerability has a broad impact on mainstream platforms that support BLE communications, including Linux, Android and iOS.

Bluetooth Low Energy (BLE) is the most widely utilized low-energy communication protocol for mobile and IoT devices. Sales of Bluetooth Low Energy (BLE) devices are forecasted to triple by 2023 to 1.6 billion annual shipments, according to market advisory firm ABI.

BLE devices rely on pairing, a critical procedure, to build trust between two devices when they connect for the first time. Once paired, the reconnections between BLE devices are often transparent to the user. The vulnerability lies in the reconnection procedures for previously paired BLE devices. And reconnections happen frequently in typical usage scenarios, said Jianliang Wu, a PhD student from the PurSec Lab at Purdue University and one of the lead researchers on the project.