There are millions of IoT devices that may be vulnerable

Aug 11, 2016 23:43 GMT

An attack on Bluetooth 4, or Bluetooth Low Energy (LE), exposes millions of Bluetooth-enabled devices to hijacking at the hands of malevolent actors. This is the conclusion of a research paper called GATTacking Bluetooth Smart Devices, authored by SecuRing security researcher Slawomir Jasek.

Because of its low-energy consumption, Bluetooth LE has become one of the favorite methods of having an IoT device talk to its paired device, usually a smartphone or tablet, running a specially built application.

Attack allows crooks to get an MitM position in Bluetooth LE connections

At the Black Hat security conference that took place last week, Jasek presented a new attack on the Bluetooth LE protocol that allows an attacker to spoof some of its lower levels of communications, which occur before a device has been authenticated and paired to an app via cryptographic operations.

This way, the attacker can gain an MitM (Man in the Middle) position between the Bluetooth LE device and the app. To prove that such a scenario can happen and to help others test their products, Jasek has created a tool to carry out such attacks, called GATTacker, which he open-sourced on GitHub.
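As an added defensive illustration (it is not from Jasek's paper or from the GATTacker tool), the Python below checks a batch of advertisement records for one device identity seen from two addresses, the footprint a cloned peripheral would leave while positioning itself between the device and the app. It assumes the clone reuses the genuine device's advertised name and service UUIDs and that the scan window is shorter than any random-address rotation interval; the scan records are constructed.

```python
from collections import defaultdict

# Constructed sample scan records, not real captures:
# (advertiser address, advertised local name, advertised service UUIDs, RSSI in dBm)
LOCK_UUID = "0000fff0-0000-1000-8000-00805f9b34fb"
SAMPLE_SCAN = [
    ("c4:be:84:11:22:33", "SmartLock", (LOCK_UUID,), -62),
    ("c4:be:84:11:22:33", "SmartLock", (LOCK_UUID,), -60),
    ("5a:1f:09:aa:bb:cc", "SmartLock", (LOCK_UUID,), -48),  # same identity, second address
    ("d0:03:4b:77:88:99", "Thermostat", ("0000181a-0000-1000-8000-00805f9b34fb",), -70),
]


def identity(name, uuids):
    """The advertised identity an app would match on: local name plus sorted service UUIDs."""
    return (name, tuple(sorted(uuids)))


def find_duplicate_identities(scan):
    """Return {identity: {address: strongest RSSI}} for identities seen from 2+ addresses.

    A genuine peripheral advertises from one address at a time. If it rotates random
    private addresses, keep the scan window shorter than the rotation interval so a
    rotation is not mistaken for a clone (assumption stated in the lead-in).
    """
    seen = defaultdict(dict)
    for addr, name, uuids, rssi in scan:
        key = identity(name, uuids)
        if rssi > seen[key].get(addr, float("-inf")):
            seen[key][addr] = rssi
    return {key: addrs for key, addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    for (name, uuids), addrs in find_duplicate_identities(SAMPLE_SCAN).items():
        ranked = sorted(addrs.items(), key=lambda a: a[1], reverse=True)
        print(f"possible clone of {name!r} ({', '.join(uuids)}): "
              + ", ".join(f"{a} @ {r} dBm" for a, r in ranked))
```

The strongest signal is listed first because a clone has to sit close to the phone to win the connection, which is usually also the copy an operator should inspect first.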

In section 4.1.1 of his research paper, Jasek details some real-world scenarios where a GATTack could be used.

Attack has real-world applicability

For example, in the scenario of a smart home, an attacker could tell a user's app that their IoT home automation system is off and disconnect the user's app from the house's management features, leaving the homeowner unable to control their house (yes, like in that "Mr. Robot" episode).

The same feature, to disconnect apps from their devices, can be used to shut down anti-theft systems, either for homes or smart luggage locks.

Additionally, GATTacks can be used to inject and overwrite existing commands. Imagine a smart car locking system: the user sends a lock command, but the attacker intercepts it and switches it to unlock, leaving the car open and ready for the taking. Many other attacks are possible.

Jasek says that, for a GATTack to take place, the crook needs to be close to both of the attacked devices: the IoT device and the victim's smartphone. If the attacker uses malware to infect the smartphone, they may not need to be close to the victim.

The researcher says that manufacturers who want to protect their devices from GATTacks need to use BLE encryption, bonding, and random MAC addresses properly, watch out for misconfigurations, and avoid static passwords.