Bluetooth Bugs Allow Impersonation Attacks on Legions of Devices – Experts Reaction

Academic researchers have uncovered security vulnerabilities in Bluetooth Classic that allow attackers to spoof paired devices. They found that the bugs allow an attacker to insert a rogue device into an established Bluetooth pairing, masquerading as a trusted endpoint. This allows attackers to capture sensitive data from the other device. The bugs allow Bluetooth Impersonation Attacks (BIAS) on everything from internet of things (IoT) gadgets to phones to laptops, according to researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in France. The flaws are not yet patched in the specification, though some affected vendors may have implemented workarounds.

2 Expert Comments
Chris Hauk, Consumer Privacy Champion
InfoSec Expert
May 21, 2020 7:54 am

Security vulnerabilities like this Bluetooth vulnerability should reinforce the need among developers to require strong encryption for any data connection between devices. This will prevent bad actors from intercepting or impersonating connections between devices to steal precious personal data, such as that being shared by COVID-19 contact-tracing apps.

As some phone manufacturers may have updated their devices to fix the Bluetooth security issue, this drives home the need for device users to keep their devices updated to the latest available operating system version.

Javvad Malik, Security Awareness Advocate
InfoSec Expert
May 21, 2020 7:52 am

This is an interesting flaw that has been discovered, and one for which vendors should seek to provide patches.

However, the saving grace for many is that in order to work, the attacker has to be within Bluetooth range. This significantly limits the types of attacks that can be conducted, and requires the attacker to more or less be physically present. For most organisations, this reduces the risk and will likely be a lower priority to fix.
