Attack on ble devices allows attacker to take over unsecured connection
Security researcher Damien Cauquil showed off an attack at Def Con that allowed him to take over an unsecured connection between two Bluetooth low energy devices. According to him, this method works on all versions of ble.
Cauquil said he discovered the possibility of his attack when he was reviewing the bluetooth specs while writing new software. He discovered a feature called supervision timeout, where the connection between two devices, for example a phone and a smartwatch, is broken after a while if no more valid packets are exchanged between the devices. This function is used with both the central device, in this example the smartphone, and the peripheral device.
He managed to turn the presence of this capability into an attack by jamming specific packets sent by the peripheral device. At some point, the connection will drop due to the predetermined time-out. He was then able to connect to the peripheral device himself and thus take over the connection. According to the researcher, an attacker must be within range of the device, at a maximum distance of about five meters. In the future, this distance could possibly become even greater due to improvements within bluetooth.
Its attack on the vulnerability, denoted CVE-2018-7252, is possible in versions 4, 4.1, 4.2 and 5 of ble. He has named his attack Btlejack. However, countermeasures can be taken, such as using a secure Bluetooth connection or verifying traffic at the application level. However, this would be up to manufacturers to implement. He demonstrated his attack on a drone and on a sex toy.
For the attack, he used self-developed software, which also bears the name Btlejack and can be found on GitHub. He also shared the hardware he used for the attack. It consisted of four micro:bits grouped into a cluster using a ClusterHat v2.
Illustration of triggering a timeout