The Bluetooth Low Energy (BLE) protocol ubiquitouslyenables energy-efficient wireless communication amongresource-constrained devices.
To ease its adoption, BLE re-quires limited or no user interaction to establish a connectionbetween two devices. Unfortunately, this simplicity is the rootcause of several security issues.In this paper, we analyze the security of the BLE link-layer,focusing on the scenario in which two previously-connecteddevices reconnect.
Based on a formal analysis of the reconnec-tion procedure defined by the BLE specification, we highlighttwo critical security weaknesses in the specification. As a re-sult, even a device implementing the BLE protocol correctlymay be vulnerable to spoofing attacks.To demonstrate these design weaknesses, and further studytheir security implications, we develop BLE Spoofing Attacks(BLESA).
These attacks enable an attacker to impersonate aBLE device and to provide spoofed data to another previously-paired device.BLESAcan be easily carried out against someimplementations of the BLE protocol, such as the one used inLinux. Additionally, for the BLE stack implementations usedby Android and iOS, we found a logic bug enablingBLESA.
We reported this security issue to the affected parties (Googleand Apple), and they acknowledged our findings.