Bluetooth vulnerability leaves smart home devices vulnerable to hackers
Image credit: Dreamstime
A design flaw has been discovered in Bluetooth Low Energy (BLE) devices that makes them vulnerable to hacking, according to Ohio State University researchers.
Bluetooth Low Energy (BLE) has seen widespread inclusion in most modern gadgets since its release in 2012. It allows gadgets to communicate more efficiently than previous versions of the wireless technology.
Typical gadgets that use it, such as wearable health and fitness trackers, smart thermostats and smart speakers will first communicate with the apps on your mobile device by broadcasting something called a UUID - a universally unique identifier.
That identifier allows the corresponding apps on your phone to recognise the Bluetooth device, creating a connection that allows your phone and device to talk to one another.
That identifier itself is also embedded into the mobile app code. Otherwise, mobile apps would not be able to recognise the device. However, the UUIDs found in apps also make the devices vulnerable to a fingerprinting attack, the researchers have found.
“There is a fundamental flaw that leaves these devices vulnerable - first when they are initially paired to a mobile app and then again when they are operating,” said associate professor Zhiqiang Lin, who is leading the research. “While the magnitude of that vulnerability varies, we found it to be a consistent problem among BLE devices when communicating with mobile apps.
“At a minimum, a hacker could determine whether you have a particular Bluetooth device, such as a smart speaker, at your home by identifying whether or not your smart device is broadcasting the particular UUIDs identified from the corresponding mobile apps.
“In some cases in which no encryption is involved or encryption is used improperly between mobile apps and devices, the attacker would be able to ‘listen in’ on your conversation and collect that data.”
He said the problem should be “relatively easy to fix” and the team has made recommendations to app developers and Bluetooth industry groups.
After the researchers discovered the flaw, they wanted to see how widespread it might be in the real world. They built a 'sniffer' - a hacking device that can identify Bluetooth devices based on the broadcasting messages sent by the devices.
“The typical understanding is that Bluetooth Low Energy devices have signals that can only travel up to 100m,” Lin said. “We found that with a simple receiver adapter and amplifier, the signal can be ‘sniffed’ (or electronically found) much farther - up to 1,000m away.”
They then drove the 'sniffer' around a 1.28-square-mile area near Ohio State’s campus to field-test the vulnerability.
They found more than 5,800 BLE devices. Of those, about 5,500 (94.6 per cent) were able to be 'fingerprinted' (or identified) by an attack, while 431 (7.4 per cent) were vulnerable to unauthorised access or eavesdropping attacks.
Those that were vulnerable to unauthorised access had issues with the initial 'fingerprinting' between device and phone app that put them at risk of hacking.
“It was in the initial app-level authentication, the initial pairing of the phone app with the device, where that vulnerability existed,” Lin said. If app developers tightened defenses in that initial authentication, he said, the problem could be resolved.
The team created an automated tool to evaluate all of the BLE apps in the Google Play Store, numbering approximately 18,166 at the time of their research.
In addition to building the databases directly from mobile apps of the Bluetooth devices in the market, the team’s evaluation also identified 1,434 vulnerable apps that allow unauthorised access. “It was alarming,” Lin said. “The potential for privacy invasion is high.” Their analysis did not include iOS apps from the Apple Store.
The most recent version of Bluetooth, Bluetooth 5, came out in 2016 and quadrupled the range of the previous iteration, doubled the speed and had an 800 per cent increase in data broadcasting capacity.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.