Bluetooth SIG Statement Regarding the ‘InjectaBLE’ Vulnerability Report
Researchers at the LAAS-CNRS lab have identified a packet-injection scenario related to unencrypted Bluetooth® LE baseband links that affects Bluetooth Core Specifications versions 4.0 through 5.2. The researchers identified that it is possible for an attacker following communications between Central and Peripheral role devices to successfully inject a crafted packet into the link by spoofing the Central’s address during the time between the start of the Peripheral receiving a packet from the Central and the time at which the Central actually transmits during each connection interval. As greater window widening values are applied, for example as the connection interval increases, the chances of a successful packet injection increase.
A successful packet injection in a device not establishing or using encryption may permit the attacker to spoof the Central or Peripheral device to the device in the opposing role. It is also possible for crafted packets to be used to transparently place the attacker in a full man-in-the-middle (MITM) position by establishing the attacker as the Central role to the Peripheral with new connection parameters, with the attacker taking over the Peripheral role. This will permit the attacker to modify, suppress or inject any traffic it wishes while the link remains established.
The Bluetooth SIG strongly recommends that implementations verify that they are using encryption in any profile that requires it under specification, and that vendor-specific profile implementations with custom attributes require encryption for both read and write operations on those characteristics by default.
The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.