Bluetooth Bugs Allow Impersonation Attacks on Legions of Devices – Experts Reaction

Academic researchers have uncovered security vulnerabilities in Bluetooth Classic that allow attackers to spoof paired devices: they found that the bugs let an attacker insert a rogue device into an established Bluetooth pairing, masquerading as a trusted endpoint, and thereby capture sensitive data from the other device. The bugs enable Bluetooth Impersonation Attacks (BIAS) on everything from internet of things (IoT) gadgets to phones to laptops, according to researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in France. The flaws are not yet patched in the specification, though some affected vendors may have implemented workarounds.

Experts Comments

May 21, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
Security vulnerabilities like this Bluetooth vulnerability should reinforce the need among developers to require strong encryption for any data connection between devices. This will prevent bad actors from intercepting or impersonating connections between devices to steal precious personal data, such as that being shared by COVID-19 contact-tracing apps. As some phone manufacturers may have updated their devices to fix the Bluetooth security issue, this drives home the need for device users to keep their devices updated to the latest available operating system version.
May 21, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
This is an interesting flaw that has been discovered, and one for which vendors should seek to provide patches. However, the saving grace for many is that in order to work, the attacker has to be within Bluetooth range. This significantly limits the types of attacks that can be conducted, and requires the attacker to more or less be physically present. For most organisations, this reduces the risk and will likely be a lower priority to fix.