Academic researchers have uncovered security vulnerabilities in Bluetooth Classic that allow attackers to spoof paired devices: they found that the bugs allow an attacker to insert a rogue device into an established Bluetooth pairing, masquerading as a trusted endpoint. This allows attackers to capture sensitive data from the other device. The bugs allow Bluetooth Impersonation Attacks (BIAS) on everything from internet of things (IoT) gadgets to phones to laptops, according to researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in France. The flaws are not yet patched in the specification, though some affected vendors may have implemented workarounds.
Security vulnerabilities like this Bluetooth vulnerability should reinforce the need among developers to require strong encryption for any data connection between devices. This will prevent bad actors from intercepting or impersonating connections between devices to steal precious personal data, such as that being shared by COVID-19 contact-tracing apps.
As some phone manufacturers may have updated their devices to fix the Bluetooth security issue, this drives home the need for device users to keep their devices updated to the latest available operating system version.
This is an interesting flaw that has been discovered, and one for which vendors should seek to provide patches.
However, the saving grace for many is that in order to work, the attacker has to be within Bluetooth range. This significantly limits the types of attacks that can be conducted, and requires the attacker to more or less be physically present. For most organisations, this reduces the risk and will likely be a lower priority to fix.