Billions of Android phones and smart devices open to attack -- what to do now [updated]


UPDATED with news of possible fix for Android devices. This story was originally published Sept. 16, 2020.

Billions of Android smartphones and tablets, Linux PCs and servers, and smart-home and wearable devices are vulnerable to a Bluetooth flaw that could let hackers and pranksters access them without authorization and give the devices false data, academic researchers based at Purdue University in Indiana have found. 

The flaw, named BLESA for Bluetooth Low Energy Spoofing Attack, also affects iOS devices, but Apple patched it with the iOS 13.4 and iPadOS 13.4 updates in March.

Windows devices are not vulnerable. Lead researcher Jianliang Wu told Tom's Guide that the team was not able to test whether macOS devices might be vulnerable.

"To ease its adoption, BLE [the Bluetooth Low Energy protocol] requires limited or no user interaction to establish a connection between two devices," the researchers wrote in their academic paper. "Unfortunately, this simplicity is the root cause of several security issues."

The researchers said they informed Google of the BLESA flaw in Android in April 2019, but were told that another team had informed Google of the same flaw only three days earlier. Nonetheless, Android 10 running on a Google Pixel XL was "still vulnerable" to BLESA attacks as of June 2020, the researchers said. 

The researchers said many smart-home and wearable devices, including the August smart lock, the Fitbit Versa smartwatch, the Nest Cam Indoor camera and the Nest Protect smoke detector, were also vulnerable to BLESA attacks because they did not properly authenticate previously paired devices. 

Tom's Guide has reached out to Google for clarification regarding Android, and we will update this story when we receive a reply. ZDNet was among the first publications to report this story.

How to protect yourself from BLESA attacks

The BLESA flaw doesn't exist in the older, "classic" versions of Bluetooth that you would use to connect your wireless headphones to your smartphone. Rather, it's in the newer Bluetooth Low Energy (BLE) protocol, which takes up less power and transmits data at a slower rate than regular Bluetooth. 

BLE is ideal for connecting smart-home and wearable devices, such as fitness bands or light bulbs, that don't need to transmit a whole lot of data and whose batteries would be quickly drained by regular Bluetooth.

Unfortunately, most smartphones don't let you turn off BLE while leaving regular Bluetooth on. So to make sure you're not susceptible to BLESA attacks, turn off Bluetooth on your Android phone whenever you're not using it. You should also go into your Bluetooth settings and "forget" any previously paired devices you no longer use.

If you're on an iPhone, simply make sure that you're updated to iOS 13.4 or later. Linux distributions will be patched by replacing a vulnerable BLE software library with one that doesn't have the BLESA issue.

How the BLESA attack works

When you pair one Bluetooth device with another, each device "remembers" the other so that they can reconnect again without having to repeat the pairing process. However, the devices still have to verify their identity to each other when they reconnect. 

The BLESA flaw results when previously paired devices don't properly ask for verification, or don't implement verification properly, during reconnection. An attacker can exploit these shortfalls and gain access to one device while pretending to be the other. The researchers cite figures that estimate that 5 billion devices worldwide will use BLE by 2023.

Using the BLESA flaw, a nearby attacker could pretend to be a device that your phone has already paired with, and connect to your phone. Only one of the two devices needs to have the BLESA flaw. 

"That could lead to several scenarios, according to the researchers," said a posting on the Purdue website. "For example, malicious keystrokes could be injected into the smartphone or desktop when it reconnects to a BLE keyboard. Or a fake glucose level value can be injected into the smartphone while the user reads data from a BLE glucose monitor. Fake fitness data can be received by the user when it reconnects to a fitness tracker."

The attacker would need to know at least some of the identifying features of one of the two devices, but those could be easily obtained by "sniffing" the legitimate Bluetooth traffic between the two devices.
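A simplified model of the reconnection check described above, added here as an illustration and not taken from the researchers' paper or from any Bluetooth stack. The HMAC challenge is a stand-in for BLE's real link-layer protection, and the `Phone` and `Peer` classes, the address, the key and the readings are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample values: neither the address nor the key comes from the article.
RING_ADDR = "AA:BB:CC:DD:EE:01"
BOND_KEY = bytes(range(16))  # key both sides stored at pairing


class Peer:
    """A device answering a reconnection from the phone."""

    def __init__(self, addr, key, reading):
        self.addr, self.key, self.reading = addr, key, reading

    def prove(self, nonce):
        # Stand-in for BLE link encryption: only a holder of the bond key
        # can produce the right tag for a fresh nonce.
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class Phone:
    def __init__(self, bonds, verify_on_reconnect):
        self.bonds = bonds  # address -> key stored at pairing
        self.verify_on_reconnect = verify_on_reconnect

    def reconnect(self, peer):
        """Return the peer's reading if accepted, or None if rejected."""
        key = self.bonds.get(peer.addr)
        if key is None:
            return None  # never paired with this address
        if self.verify_on_reconnect:
            nonce = os.urandom(16)  # fresh per connection, so replays fail
            expected = hmac.new(key, nonce, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, peer.prove(nonce)):
                return None  # claims the address but lacks the key
        return peer.reading


def demo():
    genuine = Peer(RING_ADDR, BOND_KEY, "heart rate 62")
    # Same address as the ring, but no knowledge of the bond key.
    impostor = Peer(RING_ADDR, os.urandom(16), "heart rate 190")
    results = {}
    for name, verify in (("unverified", False), ("verified", True)):
        phone = Phone({RING_ADDR: BOND_KEY}, verify)
        results[name] = (phone.reconnect(genuine), phone.reconnect(impostor))
    return results
```

The phone that skips verification accepts both readings, while the one that demands proof of the stored key accepts only the genuine device's.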

The researchers demonstrated this attack in a video showing an Android phone connecting first with an Oura "smart" ring, then with a laptop pretending to be the Oura ring. The Oura Android app can't tell the difference. (However, the Oura itself was better protected against BLESA than most other wearable devices tested by the researchers.)

"By using BLESA, the attacker successfully impersonates the ring, injects spoofed data to the phone, and the companion application of the ring running on the phone accepts and displays the spoofed data," the academic paper says.

The research team was led by Jianliang Wu and included five of his Purdue colleagues and one researcher from the École Polytechnique Fédérale de Lausanne in Switzerland. They presented their findings during the USENIX WOOT '20 virtual conference in August, during which the team won the award for best paper of the conference.

You can view their entire USENIX presentation, view their slides or read their research paper online without any restrictions.

Update: Android vulnerability may have been lessened

Later on Sept. 16, lead researcher Jianliang Wu emailed Tom's Guide to alert us to a new statement by the research team.

"We were recently advised by Google that the fix to an earlier CVE (2019-2225) [part of the December 2019 Android security updates] will mitigate BLESA. Due to time constraint, we have not independently verified its effectiveness against BLESA; but we will do so in the near future. We’d like to thank colleagues from Google for sharing this information."

Mitigation isn't a complete fix, but it's something that should reduce the impact of the vulnerability. Tom's Guide has not received any reply from Google regarding the possible BLESA vulnerability in Android Bluetooth Low Energy software.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.