DefCon 2018: Bluetooth Low Energy Sniffing Tool Publicly Available
BLE, or Bluetooth Low Energy, is an innovation in Bluetooth technology brought about by the mobile device industry. Standard Bluetooth was highly successful in the wireless connection market, but it had one huge setback: it consumes a lot of energy. The mobile devices people use every day have very limited battery life, especially now that it has become the norm for tablet and smartphone batteries to no longer be user-replaceable. BLE is the industry's answer to the battery consumption problem of Bluetooth devices, and the rest is history, right?
Unfortunately, it seems the story does not end there for BLE. At the DefCon hacking conference on Aug 11, 2018, a nasty vulnerability affecting BLE peripheral devices was announced. The exploit, demonstrated by long-time security researcher Damien Cauquil, is called the Btlejacking attack. The weakness affects Bluetooth Low Energy devices running Bluetooth versions 4.0 to 5.0 and is now tracked as CVE-2018-7252. The sniffing attack can be carried out within a five-meter radius of the BLE device. Cauquil released the sniffing tool on GitHub so that anyone can check whether their device is affected by the exploit.
“It’s time to improve the BLE arsenal. The BLE specification provides a mechanism for secure connections. We need a tool that can sniff existing and new connections, uses cheap hardware and is open source. The fun fact is the peripheral still gets packets back from the central device, so it’s not actually disconnected. Then we can have some fun,” explained Cauquil.
CVE-2018-7252 enables a cybercriminal with a cheap $15 gadget and a few lines of open source code to hijack the operations of a BLE device. The sniffing tool and the cheap gadget can jam the BLE signal and sniff the data out of the BLE device. Btlejacking takes advantage of BLE's behaviour of keeping the connection alive during a time-out period, which gives the attacker a window in which to connect to the Bluetooth device unhampered.
Once taken over, the Bluetooth Low Energy device will no longer ask for user authentication, creating an environment prone to information leakage. The attack can use different payloads, as the attackers can inject any packets they want into the affected BLE device. As a mitigation, users are strongly advised to enable the BLE Secure Connections feature, which protects against packet injection, every time they use a BLE device.
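The two points above, that a BLE peripheral keeps a connection alive until its time-out expires and that an encrypted Secure Connections link rejects packets from anyone without the session key, can be seen in a small model. The following Python is an added illustration written for this article; it is not code from the page, from btlejack, or from the Bluetooth specification. It assumes simplified, constructed timing constants (a 30 ms connection interval and a 240 ms time-out), and it substitutes an HMAC-SHA256 tag for the AES-CCM integrity check a real encrypted link uses, so that it runs on the standard library alone. The `Peripheral`, `Pdu`, `legitimate_pdu` and `run` names are hypothetical.

```python
"""Model of a BLE peripheral's link time-out and of the packet-integrity
protection an encrypted link provides.

Constructed illustration (not code from the article, btlejack, or the
Bluetooth SIG). The real link layer protects data PDUs with AES-CCM under a
session key negotiated during pairing; here an HMAC-SHA256 tag stands in for
the AES-CCM MIC. Timing constants are milliseconds chosen for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Pdu:
    """A data PDU as the peripheral sees it: payload plus integrity tag
    (the tag is empty on an unencrypted link)."""
    payload: bytes
    tag: bytes = b""


@dataclass
class Peripheral:
    conn_interval_ms: int            # time between connection events
    supervision_timeout_ms: int      # link dropped after this long without a valid PDU
    session_key: Optional[bytes] = None   # set once an encrypted link is established
    since_last_valid_ms: int = 0
    connected: bool = True
    accepted: List[bytes] = field(default_factory=list)
    rejected: List[bytes] = field(default_factory=list)

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self.session_key, payload, hashlib.sha256).digest()

    def _valid(self, pdu: Pdu) -> bool:
        if self.session_key is None:
            return True   # unencrypted link: whatever arrives on time is accepted
        return hmac.compare_digest(pdu.tag, self._tag(pdu.payload))

    def connection_event(self, pdu: Optional[Pdu]) -> None:
        """Advance one connection interval; pdu is what arrived (None = nothing heard)."""
        if not self.connected:
            return
        if pdu is not None and self._valid(pdu):
            self.accepted.append(pdu.payload)
            self.since_last_valid_ms = 0      # any valid PDU restarts the time-out clock
            return
        if pdu is not None:
            self.rejected.append(pdu.payload)  # bad tag: ignored, clock keeps running
        self.since_last_valid_ms += self.conn_interval_ms
        if self.since_last_valid_ms >= self.supervision_timeout_ms:
            self.connected = False            # time-out expired: the link is dropped


def legitimate_pdu(key: Optional[bytes], payload: bytes) -> Pdu:
    """PDU built by the real central, which knows the session key if there is one."""
    if key is None:
        return Pdu(payload)
    return Pdu(payload, hmac.new(key, payload, hashlib.sha256).digest())


def run(encrypted: bool, intervals_heard_from_central: int, injected: List[bytes]) -> Peripheral:
    """Scenario: the central is heard for some intervals, then falls silent (as when
    its packets are jammed); afterwards a third party without the session key sends
    one injected payload per interval."""
    key = b"constructed-session-key" if encrypted else None   # constructed value
    p = Peripheral(conn_interval_ms=30, supervision_timeout_ms=240, session_key=key)
    for i in range(intervals_heard_from_central):
        p.connection_event(legitimate_pdu(key, b"central-%d" % i))
    for payload in injected:
        p.connection_event(Pdu(payload))   # no key, so no valid tag
    return p


if __name__ == "__main__":
    plain = run(encrypted=False, intervals_heard_from_central=3, injected=[b"x"] * 8)
    secure = run(encrypted=True, intervals_heard_from_central=3, injected=[b"x"] * 8)
    print("unencrypted: connected =", plain.connected, "accepted =", len(plain.accepted))
    print("encrypted:   connected =", secure.connected, "rejected =", len(secure.rejected))
```

On the unencrypted link every injected packet is accepted and each one restarts the time-out clock, so the peripheral stays connected to whoever is talking to it; on the encrypted link the injected packets fail the integrity check, nothing restarts the clock, and after eight silent intervals (240 ms) the peripheral drops the link rather than serve an unauthenticated party.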