Billions of smartphones and other devices are vulnerable to the newly disclosed "BLESA" Bluetooth flaw, but Apple already issued an iOS patch for it in April 2020.
The vulnerability, dubbed Bluetooth Low Energy Spoofing Attack (BLESA), affects devices running the Bluetooth Low Energy (BLE) protocol — including smartphones, laptops, tablets, and IoT devices. Apple patched it, however, in iOS 13.4 and iPadOS 13.4.
First discovered by a research project at Purdue University, the vulnerability lies in the reconnection process of the BLE specification.
When two BLE devices have already paired and authenticated each other, the standard allows them to reconnect easily when they move out of and back into range of each other. In theory, the two devices should re-verify each other's cryptographic keys during the reconnection process.
The researchers at Purdue found that the specification contains a few weak points in its wording. For one, authentication during reconnection is optional rather than mandatory. Beyond that, even when authentication is applied, it can be circumvented.
As a result, an attacker could bypass reconnection authentication and spoof an existing BLE connection. That could allow a bad actor to intercept Bluetooth traffic, or carry out other malicious attacks.
Who is at risk from a BLESA attack?
Based on BLE usage statistics, the researchers estimate that the number of vulnerable devices is in the billions.
Not all BLE stacks are affected by the vulnerability, however. Windows devices are immune, for example. Linux-based laptops and IoT devices are impacted, as are Android devices.
Apple's iOS is affected in versions before iOS 13.4. The researchers said they were unable to test the vulnerability on macOS, but it typically gets the same mitigations that iOS does.
Users running an older version of iOS should install the latest available update to prevent the exploit.