Bluetooth Security – (Mostly) Gone

It looks like there’s a new and serious problem with Bluetooth security. Not some Bluetooth security, but (right now at least), ALL Bluetooth security.

And while it’s unlikely to impact the average person (yet), it does show the need for consumers to take product support into account when buying tech products.

BIAS: Bluetooth Impersonation

Unfortunately, the flaw isn’t just in some old version of the Bluetooth protocol, and it isn’t just in the newest Bluetooth version (5.2 as I write this). It’s in the Bluetooth Core Specification itself, meaning that every Bluetooth device is vulnerable.

I’m not going to go into the specifics of the vulnerability (this excellent white paper covers it better than I ever could), but the 2-minute version is:

  • An attacker knows the Bluetooth address of your phone (when Bluetooth is on, this address is constantly being broadcast).
  • Your phone has previously connected successfully to a Bluetooth-enabled device (like a smart home door lock).
  • By taking advantage of certain features of the Bluetooth protocol, an attacker can impersonate your phone’s Bluetooth address and request a Bluetooth connection from the previously-connected device (like the smart home door lock).
  • Since the previously-connected device (door lock) recognizes the (spoofed) Bluetooth address, it connects and performs whatever function is requested of it.

As far as Bluetooth vulnerabilities go, this is just about as bad as it gets. However, this attack does require some specialized hardware and software to carry out. It should also be fixed in the (hopefully near) future, since the problem is out in the open now.

Once the problem is patched in a newer version of Bluetooth, devices running that updated version will be protected.

The Big(ger) Problem

But there’s one big problem with that…getting devices updated.

Getting the Bluetooth software updated is (relatively) easy. Once that software is updated, then the real challenge starts.

  • How many device manufacturers will take the time to issue software updates for devices currently on sale?
  • How many manufacturers will issue updates to vulnerable devices that were sold months or years ago, especially things like door locks, cameras, and other IoT devices?
  • Of those devices running vulnerable versions of Bluetooth, how many are updateable by the end user? Can any of these devices update themselves?
  • Of those manufacturers who offer manual updates to older hardware, how many users will know and take the necessary steps to update their devices?

Given what we’ve seen with much more expensive devices (like Android phones and PCs running Windows), I think it’s safe to say that a majority of these Bluetooth devices will never be secure. And this is the real risk run by unsuspecting users buying cheap hardware.

Disappearing Companies

Simply put, many companies that sell this stuff will disappear after 6-18 months and be replaced by a different company selling the same (or nearly the same) product. Of course, the new company won’t support the older company’s products (nor should they), and this means the old products simply stay vulnerable.

(Incidentally, I see the same thing happen in musical instruments. While there are some good Chinese-made horns, the vast majority of them are terrible, and they are coming out with new brand names all the time. It’s honestly easier to tell people the few good brands to look for rather than try and keep up with the ever-increasing number of junk brands.)

These never-patched vulnerabilities wouldn’t be a huge problem, except that having even one vulnerable IoT or Internet-connected product on your network can be a huge risk.

It wasn’t very long ago that Philips Hue bulbs had a (now patched) vulnerability that gave attackers access to an entire network through a compromised bulb and bridge. Hue patched that vulnerability (and most systems updated automatically), but this should be a reminder to only buy from manufacturers you trust.

The Solution

This is why I stay away from many of the cheaper Bluetooth and IoT offerings on Amazon.

While you may save $5 on a light bulb or $25 on a door lock, if the maker will not patch a vulnerability in their software, then you’re running a risk just by having a vulnerable device on your network.