The Btlejacking Attack allows taking control over any Bluetooth Low Energy device, the attack abuses supervision timeout between two connected devices. The supervision timeout defines the time after which the connection is if no valid packets have been received.
Security researcher Damien Cauquil reveal the attack on Aug. 11 Defcon hacker conference and also he published as open-source tool BtleJack that enables you to sniff, jam and hijack Bluetooth Low Energy devices.
The Bluetooth jamming vulnerability can be tracked as CVE-2018-7252 and it affects the Bluetooth Low Energy(BLE) versions 4.0, 4.1, 4.2 and 5. In order to exploit the vulnerability, the attacker should be struck within 5 meters.
BtleJack not only provides an affordable and reliable way to sniff and analyze Bluetooth Low Energy devices and their protocol stacks but also implements a brand new attack dubbed “BtleJacking” Damien said.
The BtleJack Tool is capable of sniffing, jamming and hijacking Bluetooth Low Energy devices. All you need is to have a Micro: BIT embedded device worth $15 that created by BBC.
Btlejacking attack poses a serious risk such as Unauthorized access to the device, Bypass authentication and Keep the device internal state intact which may lead to the data leak.
Starting from Bluetooth v4.2 BLE connections are secure it uses Elliptic Curve Diffie Hellman (ECDH) for key generation. “BLE hijacking is real and should be considered in your threat model,” Damien said.
“To avoid Btlejacking attacks BLE Secure Connections can include code injection protection with authentication code added to all packets that avoid Btlejacking attacks,” Damien said.
Critical BlueBorne Vulnerability Puts More Than 5 Billion Bluetooth Enabled Devices Under Attack
A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…
Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…
An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…
A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…
The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…
NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…