Researchers at Ohio State University have uncovered a fundamental design flaw in Bluetooth devices that leaves them open to attack. The flaw lies in the way Bluetooth Low Energy (BLE) devices communicate with the mobile applications that control them.
Using this flaw, an attacker could determine which Bluetooth device a potential target owns by checking whether the smart device is broadcasting a particular UUID, a value that can be learned from the device's corresponding mobile app.
Elaborating further about this anomaly
- Every Bluetooth device communicates with the mobile application that controls its functions using a broadcast identifier known as a UUID (universally unique identifier).
- The mobile app uses this identifier to recognize which Bluetooth device it is communicating with.
- The same identifier is embedded in the code of the mobile app, which also makes it available to different threat actors.
- Attackers are also able to gather data from the device in scenarios where encryption is very weak or completely absent.
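As an added illustration (not code from the article or from the Ohio State research), the Python below decodes the advertising payload a BLE device broadcasts, lists the service UUIDs it exposes, and checks them against UUIDs taken from the companion app's code, so a device owner or developer can see which static identifiers make the device recognisable. The advertisement bytes and the app UUID list are constructed placeholders.

```python
import uuid
# AD types that carry service UUIDs (GAP data types from the Bluetooth Assigned Numbers)
UUID16_TYPES = {0x02, 0x03}   # incomplete / complete list of 16-bit service UUIDs
UUID128_TYPES = {0x06, 0x07}  # incomplete / complete list of 128-bit service UUIDs
# A 16-bit UUID is shorthand for 0000xxxx-0000-1000-8000-00805F9B34FB (Bluetooth Base UUID)
BLUETOOTH_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805f9b34fb")

def parse_ad_structures(payload: bytes):
    """Split a raw advertising payload into (ad_type, data) tuples; each AD structure is [length][type][data...] with length counting type + data."""
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # a zero-length structure marks padding; stop here
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        structures.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return structures

def advertised_service_uuids(payload: bytes):
    """Return the service UUIDs a device broadcasts, as canonical lowercase strings."""
    found = []
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in UUID16_TYPES:
            for off in range(0, len(data) - 1, 2):
                short = int.from_bytes(data[off:off + 2], "little")
                found.append(str(uuid.UUID(int=BLUETOOTH_BASE_UUID.int | (short << 96))))
        elif ad_type in UUID128_TYPES:
            for off in range(0, len(data) - 15, 16):
                # over the air, 128-bit UUIDs are little-endian; reverse to canonical order
                found.append(str(uuid.UUID(bytes=bytes(reversed(data[off:off + 16])))))
    return found

def exposed_static_uuids(payload: bytes, app_uuids):
    """UUIDs present both in the advertisement and in the app's hardcoded list: these are what lets an observer recognise the device, so review them first."""
    return sorted(set(advertised_service_uuids(payload)) & {u.lower() for u in app_uuids})

# Constructed sample advertisement (not from a real device): Flags, the standard Heart Rate
# service (16-bit 0x180D) and one placeholder vendor-specific 128-bit service UUID.
SAMPLE_ADV = bytes.fromhex("020106"                      # len=2, type=Flags, value 0x06
    "03030d18"                                           # len=3, complete 16-bit UUIDs: 0x180D
    "1107f0debc9a785634127856341278563412")              # len=17, complete 128-bit UUIDs
# Placeholder values standing in for UUIDs recovered from a companion app's code
APP_UUIDS = ["12345678-1234-5678-1234-56789abcdef0", "0000180d-0000-1000-8000-00805f9b34fb"]

if __name__ == "__main__":
    print("static UUIDs exposed in the advertisement:", exposed_static_uuids(SAMPLE_ADV, APP_UUIDS))
```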
Assessing the anomaly
To test how this issue affects devices in the real world, the university team that uncovered the vulnerability conducted an assessment based on the broadcast messages.
The takeaways from the vulnerability assessment were:
- Several Bluetooth Low Energy devices were identified, most of which were found to be vulnerable to fingerprinting, eavesdropping, or both.
- According to the researchers, the issues lie in the initial pairing of the phone with the device, and after their diagnosis they believe the flaw could be addressed by making that initial authentication more secure.
More than 18K apps were found to be vulnerable because of this flaw.
To read more, please check eScan Blog