An engineering and computer science professor and his team from The Ohio State University discovered a design flaw in low-powered Bluetooth devices that leaves them susceptible to hacking.
Zhiqiang Lin, associate professor of computer science and engineering at the university, found the commonly used Bluetooth Low Energy devices, such as fitness trackers and smart speakers, are vulnerable when they communicate with their associated apps on the owner’s mobile phone.
“There is a fundamental flaw that leaves these devices vulnerable – first when they are initially paired to a mobile app, and then again when they are operating,” Lin said. “And while the magnitude of that vulnerability varies, we found it to be a consistent problem among Bluetooth low energy devices when communicating with mobile apps,” Lin said.
The information was disclosed at the Association for Computing Machinery’s Conference on Computer and Communications Security.
The vulnerability centers on the universally unique identifier (UUID), which tells the smartphone which device it is connected to, that is associated with every Bluetooth device. The UUID is often broadcast in the clear which, Lin said, leaves the device open to a fingerprinting attack. At the very least this would allow an attacker to determine what type of Bluetooth devices are present by the UUID’s being broadcast.
“But in some cases in which no encryption is involved or encryption is used improperly between mobile apps and devices, the attacker would be able to ‘listen in’ on your conversation and collect that data,” Lin explained.
Luckily the issue is easily fixed, the researcher believes, and the team developed a set of recommendations and turned over its findings to the Bluetooth Special Interest Group and created an automated tool to evaluate all of the Bluetooth Low Energy apps in the Google Play Store – 18,166 at the time of their research, they said.
That the problem likely is solvable is a good thing. Lin and his team took a Bluetooth “sniffer” on a tour of the university’s 1.28 square-mile campus and found 5,800 Bluetooth devices operating, 94 percent of which they were able to fingerprint and 7.4 percent – were vulnerable to unauthorized access or eavesdropping attacks. Additionally, it was revealed that the Bluetooth signals emitted by these devices extended much farther than originally thought.
“The typical understanding is that Bluetooth Low Energy devices have signals that can only travel up to 100 meters,” he said. “But we found that with a simple receiver adapter and amplifier, the signal can be ‘sniffed’ (or electronically found) much farther – up to 1,000 meters away.”
An added finding took place while the Ohio State team examined the apps in the Google Play Store. It found 1,434 vulnerable apps that allow unauthorized access, although details on how this access was allowed was not included in the report.
Lin did express his surprise as the number found and said it did not bode well for people maintaining their privacy.