A new exploit has been discovered that affects devices using Bluetooth Low Energy (BLE). It allows an attacker to take control of a device without any user interaction, potentially gaining access to sensitive data or taking over the device entirely. The good news is that the exploit can be mitigated by disabling Bluetooth on affected devices. The bad news is that many devices do not offer this option, and even those that do may not have it enabled by default. For now, the best defense against this type of attack is to be aware of it and to exercise caution when using Bluetooth-enabled devices.
BLE-based proximity authentication was not originally designed for use in critical systems such as locking mechanisms, and there is no simple patch or update that can be deployed to make this go away. There are, however, steps that can and should be taken to guard against these attacks:
- Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or the key fob has been stationary for a while (based on the accelerometer)
- System makers should give customers the option of providing a second factor for authentication or user presence attestation (e.g., tap an unlock button in an app on the phone)
- Users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed
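
The first two mitigations above can be combined into one unlock policy. The sketch below is an added example, not code from any vendor or from the original article; the thresholds, function names and sample accelerometer data are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Assumed tuning values, not taken from any product.
MOTION_DELTA = 0.5          # m/s^2 change between samples that counts as movement
STATIONARY_TIMEOUT = 120.0  # seconds without movement before passive unlock is disabled

@dataclass
class AccelSample:
    t: float  # seconds since start of capture
    x: float
    y: float
    z: float

def last_motion_time(samples):
    """Timestamp of the latest sample that differs from its predecessor
    by more than MOTION_DELTA, or None if the device never moved."""
    last = None
    for prev, cur in zip(samples, samples[1:]):
        delta = math.dist((prev.x, prev.y, prev.z), (cur.x, cur.y, cur.z))
        if delta > MOTION_DELTA:
            last = cur.t
    return last

def unlock_decision(samples, now, ble_in_range, user_tapped_unlock):
    """Return 'deny', 'unlock' or 'require_tap' for one unlock attempt."""
    if not ble_in_range:
        return "deny"
    if user_tapped_unlock:
        return "unlock"  # explicit user presence attestation (second factor)
    moved = last_motion_time(samples)
    if moved is None or now - moved > STATIONARY_TIMEOUT:
        # Phone or fob has been still: BLE proximity alone is not trusted.
        return "require_tap"
    return "unlock"  # recently moved: passive unlock allowed (risk reduced, not removed)

def constructed_samples(moving_until, end, step=5.0):
    """Constructed data: device jostled until `moving_until`, then lying flat until `end`."""
    out, t, i = [], 0.0, 0
    while t <= end:
        wobble = 1.5 * (-1) ** i if t <= moving_until else 0.0
        out.append(AccelSample(t, wobble, 0.0, 9.81))
        t += step
        i += 1
    return out
```

A phone left on a table therefore falls back to `require_tap` once the timeout passes, even while it still appears to be in BLE range.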