Since the announcement of this paper, we have been humbled by the interest, advice and support from industry friends and colleagues. Their information has helped us revise and clarify some of the technical points in our paper and presentation. In particular, we’d like to make the following correction statement:
First, we were recently advised by Google that the fix to an earlier CVE (CVE-2019-2225) will mitigate BLESA. Due to time constraints, we have not independently verified its effectiveness against BLESA, but we will do so in the near future. We’d like to thank colleagues from Google for sharing this information.
Second, we were recently advised by Intel that, while access to BlueZ via gatttool is vulnerable to BLESA, gatttool has been marked as deprecated in the repo and will soon be completely removed from BlueZ. On the other hand, bluetoothctl, which is built on the bluetoothd D-Bus APIs and is what typical applications use, is not affected, making BlueZ not vulnerable to BLESA. We’d like to thank colleagues from Intel for sharing this information with us.
Our revised paper can be found here (BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy).
This is a joint work with Yuhong Nan, Vireshwar Kumar, Dave (Jing) Tian, Antonio Bianchi, Mathias Payer, and Dongyan Xu.