Low Impact But Often Impossible To Patch
Ah, the Internet of Things. Once again the new ubiquitous computing solution demonstrates the repercussions of flooding the market with cheap internet-connected toasters, BBQs and cup warmers with nary a thought towards security. The newly publicized Bluetooth Low Energy Spoofing Attack (BLESA) describes a vulnerability present on billions of devices, many of which have no way to install a patch.
The vulnerability takes advantage of lazy coding and of vague wording in the BLE specification, which allowed that code to pass review. The wording does not make it clear that devices must authenticate again after moving out of range of a connection, so many manufacturers treated re-authentication as optional and their devices don't bother with it.
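The difference between treating re-authentication as optional and enforcing it can be shown with a small model. This is an added example, not code from the researchers or from any BLE stack; the class names, addresses and readings are constructed, and an HMAC challenge-response stands in for the real BLE link authentication.

```python
import hashlib
import hmac
import os

def tag(key, challenge):
    # Stand-in for BLE link authentication: proof of possessing the pairing key.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Device:
    """Peer seen on reconnection. key=None models a spoofed peer that reuses
    the known address but never took part in pairing."""
    def __init__(self, address, reading, key=None):
        self.address, self.reading, self.key = address, reading, key

    def prove(self, challenge):
        return tag(self.key, challenge) if self.key else b"\x00" * 32

class Central:
    """Client side (phone, hub) that remembers previously paired devices."""
    def __init__(self, require_reauth):
        self.require_reauth = require_reauth
        self.bonds = {}  # address -> key stored at pairing time

    def pair(self, device):
        self.bonds[device.address] = device.key

    def reconnect_and_read(self, device):
        key = self.bonds.get(device.address)
        if key is None:
            raise PermissionError("never paired with this address")
        if self.require_reauth:
            challenge = os.urandom(16)
            if not hmac.compare_digest(tag(key, challenge), device.prove(challenge)):
                raise PermissionError("re-authentication failed")
        return device.reading  # data is accepted from here on

def compare_policies():
    key = os.urandom(16)
    real = Device("AA:BB:CC:00:00:01", "temp=21C", key)   # constructed values
    spoof = Device("AA:BB:CC:00:00:01", "temp=99C")       # same address, no key
    results = {}
    for name, strict in (("optional", False), ("mandatory", True)):
        central = Central(require_reauth=strict)
        central.pair(real)
        try:
            results[name] = central.reconnect_and_read(spoof)
        except PermissionError as exc:
            results[name] = f"rejected: {exc}"
    return results
```

With the optional policy the client accepts the spoofed reading on reconnection; with the mandatory policy the same peer is rejected while the genuine device still passes.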
The good news for your larger devices is that the Windows BLE stack is immune, Apple pushed a patch to any device capable of updating back in June, and many Linux-based devices can be made immune by simply deprecating a piece of the code running on the device. Your phone is not really the issue here, however; it is your baby monitor, your dead Amazon Dash button still kicking around, your home security system and who knows how many devices in hospitals.
These lower-cost IoT devices were never designed to be patched and, as all too many have discovered, are only supported by the manufacturer for a few years, so there will be billions of devices vulnerable to this attack. It hasn’t been seen in the wild by the researchers Slashdot linked to, but it is only a matter of time before someone figures out a way to make use of it. Devices may end up on a botnet, or have video and audio signals redirected, or any of a number of things that a creative dastard might come up with.
Has there been a more egregious misnomer than smart devices in the recent past?
For humans, attackers could feed a device deceptive information. BLESA impacts billions of devices that run vulnerable BLE software stacks. Vulnerable are BLE software libraries like BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack. Windows' BLE stack is not impacted.